Pillar 2 and Beyond: Issues for Supervisors in Implementing Basel II and Basel III
Tuesday, Jun 30, 2020

Pillar 2 and Beyond: Issues for Supervisors in Implementing Basel II and Basel III


Many banking supervisory authorities in emerging economies are in the process of transitioning from Basel I to Basel II or Basel III.

To a large extent this is a regulatory issue – choosing which parts of Basel II or Basel III to incorporate in national legislation and regulatory rulebooks; choosing where to diverge from Basel II or Basel III to reflect national circumstances; and choosing which banks to apply the new framework to.

This Toronto Centre Note focuses on the main supervisory issues arising from the implementation of Basel II or Basel III. It offers guidance on the choices that supervisors need to make on supervisory intensity and proportionality, Pillar 2, model approval, impact assessment, and resourcing.

Basel II and Basel III

The Basel I standards (Basel Committee 1988) covered the definition of capital, a simple set of standardized risk weights for on- and off-balance sheet credit exposures, and a minimum capital ratio standard. This was extended in 1996 (Basel Committee 1996) to cover market risks (asset price risks arising from banks’ trading portfolios).

The Basel II standards (Basel Committee 2004) introduced a three-pillar approach to the oversight of internationally active banks. Pillar 1 introduced a more sophisticated set of standardized risk weights for both credit and market risk; an internal ratings-based (IRB) approach under which banks could apply to use their own models to calculate credit risk weights; and capital charges for operational risk. Pillar 2 established a supervisory review process under which supervisors reviewed banks’ own assessments of their capital adequacy. Pillar 3 required banks to make public disclosures of their capital positions and their credit, market, and operational risk exposures.

The Basel III standards (Basel Committee 2010 and 2019b) were introduced following the global financial crisis. These imposed higher capital requirements, with a greater emphasis on higher-quality (common equity tier 1) capital; more sophisticated standardized risk weights for credit, market, and operational risk; restrictions on the extent to which banks could use their own models to calculate capital requirements; new requirements on leverage and liquidity; capital buffers for systemically-important banks; and a counter-cyclical capital buffer to address macro-prudential risks.

Pillar 2 was unaffected by Basel III, while Pillar 3 disclosure requirements were expanded to cover the new elements in Basel III.

The Basel Committee publishes detailed assessments of the extent to which its own members are implementing Basel III, while the Financial Stability Institute has published regular surveys of the implementation of Basel II and Basel III by non-members.[2] These assessments and surveys focus primarily on regulatory issues – the setting of prudential requirements for capital and liquidity under Pillar 1.

Proportionality in regulation and supervision

Many supervisory authorities tailor their regulatory and supervisory requirements for different types of banks. So, while preserving a reasonably level playing field for all banks, supervisory authorities may apply proportionality in order to:

  • reduce unnecessary compliance costs and unnecessary complexity for smaller, simpler, and non-internationally active banks
  • implement simpler and less complex ways of achieving similar supervisory outcomes
  • avoid unnecessary or unwarranted use of supervisory resources
  • reflect the social role of some smaller banks (for example mutuals and regionally-based banks) in promoting financial inclusion and gender equality, for example by providing products and services to the otherwise financially excluded
  • reduce incentives for greater concentration in the banking system (for example, larger banks may be able to use internal model approaches to gain a competitive advantage where these approaches drive down risk weightings)
  • reflect specific characteristics of some banks (for example those having insignificant trading books or strong foreign parent support)
  • reflect the system-wide infrastructural role of some smaller banks (for example operators of key settlement or payment system processes).

In terms of regulation, the Basel standards already include some proportionality – the standards are specifically designed for internationally active banks, and Basel III introduced tougher capital, leverage, large exposures, recovery, and resolution standards for global systemically-important banks (G-SIBs), with an expectation that national authorities would apply at least some of these to domestic systemically-important banks (D-SIBs).  

In practice, countries have applied additional proportionality in regulation through some combination of three main approaches. First, by deciding whether to move to Basel II or to the more complicated Basel III, and over what time period. This depends on the policy objectives of the supervisory authority, which components of which framework are most suitable for their jurisdiction given the risks taken by supervised banks, and the capacity of the supervisory authority and of supervised banks to implement a revised framework. Second, by modifying Basel II or Basel III to reflect national characteristics. And third, by applying these (modified) Basel standards only to a specified set of large (and/or internationally active) banks, while applying different standards (usually simpler national versions of market risk, liquidity, regulatory reporting, and Pillar 3 disclosure requirements) to other banks.[3]

There is also a supervisory dimension here. The Basel III approach to G-SIBs also includes more intensive supervision of these banks, and a recognition that larger and more complex banks should be expected to have stronger risk governance and risk management capabilities. Meanwhile, one central tenet of risk-based supervision is that the intensity of supervision should differ for different types of bank, depending on their risk profile and systemic importance.[4]

Pillar 2 supervisory review process

Basel II introduced the supervisory review process (SRP) under Pillar 2 of the Basel framework. The SRP is intended to:

  • ensure that banks have adequate capital to support all the risks in their business,
  • encourage banks to develop and use better risk management techniques in monitoring and managing their risks, and
  • provide useful information to the supervisor, including on the quality of a bank’s risk management.

The four key principles underlying the SRP are shown in Box 1.

Responsibilities of banks

The first principle makes it clear that banks have a responsibility to develop an internal capital adequacy assessment process (ICAAP) and to set capital targets that are commensurate with the bank’s risk profile and control environment. A bank should have the ability to identify risks, assess their potential impact (including through stress testing), and put in place governance, risk management, and other controls to mitigate or control the risks (or indeed for the bank to change its business activities to lower the risks).

There are five main elements of this:  

Board and senior management oversight – a bank’s board and senior management should understand the nature and level of risk being taken by the bank, and ensure that the bank holds sufficient capital to meet these risks and has an adequate risk management framework. Capital planning should take into account the bank’s strategy and business plans. The bank’s board has responsibility for setting the bank’s risk appetite. 

Comprehensive assessment of risks – a bank should address all the material risks it faces in its ICAAP, including credit, market, liquidity, operational, and other risks, and interest rate risk in the banking book.

Stress testing – a bank should use stress tests as part of its assessment of its risks and of the amount of capital that it should hold.

Monitoring and reporting – a bank should establish an adequate system internally for monitoring and reporting risk exposures and assessing how the bank’s changing risk profile may affect the adequacy of its capital. Regular reports should allow the bank’s senior management to evaluate the level and trend of material risks and their effect on capital levels; evaluate the sensitivity and reasonableness of key assumptions used to assess capital adequacy; determine that the bank holds sufficient capital against the various risks; and assess its future capital requirements and make necessary adjustments to the bank’s strategic plan accordingly.

Internal control review – a bank’s board has a responsibility to ensure that management establishes a system for assessing the various risks, develops a system to relate risk to the bank’s capital level, and establishes a method for monitoring compliance with internal policies. The board should regularly verify whether the bank’s internal controls are adequate.

A bank’s ICAAP should be conducted on a consolidated basis and, when deemed necessary by the appropriate supervisors, at the legal entity level for each bank in the group.

Box 1: Basel Committee Four Key Principles on the Supervisory Review Process

Principle 1: Banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.

Principle 2: Supervisors should review and evaluate banks’ internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with regulatory capital ratios. Supervisors should take appropriate supervisory action if they are not satisfied with the result of this process.

Principle 3: Supervisors should expect banks to operate above the minimum regulatory capital ratios and should have the ability to require banks to hold capital in excess of the minimum.

Principle 4: Supervisors should seek to intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular bank and should require rapid remedial action if capital is not maintained or restored.

Source: Basel Committee (2019d)

Role of supervisors

Supervisors should evaluate how well a bank is assessing its capital adequacy relative to its risks and intervene where appropriate.

Supervisors should assess the quality of a bank’s ICAAP, including whether the bank’s internal processes incorporate adequate and prudent models that respond to the prevailing business and risk environments; how well the bank identifies, measures, monitors, and controls its risks; how well the bank performs stress tests and how the results of these stress tests feed into the bank’s own assessment of the adequacy of its capital; and how well the results of such processes are understood and can be justified by the senior management and board of the bank.

This evaluation should not be based on a bank’s ICAAP alone but also on information from the supervisor’s risk assessment of the bank (whether under risk-based supervision, CAMEL, or otherwise), supervisory stress testing, and other sources. This additional information will provide a supervisory view of a bank’s business model, risks, governance, and controls, against which the bank’s ICAAP can be compared.  

The supervisory review process should be applied proportionately, taking into account the size, nature, and complexity of each bank.

Pillar 2 coverage

The Pillar 1 capital charges under Basel II and Basel III for credit, market, and operational risk may not capture fully the risks being run by a bank.  

Some risks are not covered by Pillar 1 capital charges – for example interest rate risk in the banking book (IRRBB); governance, management, and controls weaknesses; strategic, business model and corporate change risks; reputational risks; and weaknesses arising from the position of a bank within a wider group.

Other risks may not be captured fully under Pillar 1 – for example concentration risks (concentrated credit, market or funding exposures); stress test results; unusual types or mixes of business (for example, a bank may specialize in high-risk lending, where the risk is not captured adequately in the standardized risk weights); and external factors such as the economic environment and macro-prudential concerns.

Banks and their supervisors should therefore consider whether additional capital is required to compensate for any inadequacy in the Pillar 1 capital charges.   

Concentration risk

The Pillar 1 capital charges for credit and market risk assume that a bank has a reasonably well-diversified portfolio. Concentrated exposures may create higher risks, for example from large or concentrated exposures to:

  • single counterparties, borrowers, or groups of connected counterparties or borrowers
  • industry, economic sectors, countries, and geographical regions
  • collateral or guarantees used for credit risk mitigation
  • off balance sheet exposures
  • trading exposures
  • the execution or processing of transactions
  • funding sources.

Banks and their supervisors need to consider how to limit such exposures and how to assess concentration risk. Standard (Pillar 1) limits on exposures are provided by the Basel Committee (2019e) large exposure rules. But these only limit the size of exposures to single counterparties, not the number of large exposures that a bank may have, and not other types of concentration risk such as exposures to specific industries, economic sectors, countries, or geographical regions.  

Various methods can be used to calculate the extent of concentration risk, but each method may not capture all aspects of concentration risk, so a combination of methods may need to be used. For example, a statistical measure such as the Herfindahl-Hirschman Index (HHI) can be used to measure the extent of concentration of exposures to individual counterparties, while simpler “scores” can be calculated for the number of large exposures of more than 10% of a bank’s capital, the proportion of a bank’s assets accounted for by the bank’s five or ten largest exposures, and the proportion of a bank’s lending concentrated in the industries, sectors, countries, or regions to which it is most exposed. These methods may give very different results – for example a bank may have multiple small individual exposures (to individuals or small firms) but these may be heavily concentrated in a particular geographical region or sector, or backed by the same type of collateral (for example, residential property).

Other credit risk considerations

Other factors may also make a bank’s credit portfolio riskier in ways not captured by Pillar 1 capital charges. For example, a bank may specialize in high loan-to-value residential or commercial property lending (or in lending to customers with high debt-to-income ratios); infrastructure investment at the pre-development stage, without security, or to riskier and more speculative projects; riskier lending to corporates; or lending that may be exposed to unhedged foreign exchange risk[5] or climate change-related risks.[6]

Supervisors therefore need to pay close attention to a bank’s lending strategy, business model, target market, risk appetite, and risk-rating systems. Rapid loan growth can be a warning sign that a bank is attracting business by lowering its credit underwriting standards – so even for an apparently similar portfolio, one bank may have higher rates of impairment and default and higher loss rates than other banks.   

Interest rate risk in the banking book (IRRBB)

Although the Basel Committee has discussed bringing interest rate risk in the banking book (IRRBB) into Pillar 1 of the Basel framework, it currently remains outside Pillar 1. Banks and their supervisors therefore need to cover under Pillar 2 the current or prospective risks to a bank’s capital and earnings arising from adverse movements in interest rates that affect the bank’s banking book positions.

Changes in interest rates change the present value and timing of a bank’s future cash flows, with an impact on the underlying value of the bank’s assets, liabilities, and off balance sheet items, and thus its economic value. Changes in interest rates also affect a bank’s earnings by altering interest rate-sensitive income and expenses, affecting its net interest income (NII). For example, if a bank’s assets are primarily repriced (for example every three months) at floating rates while its deposits and other liabilities are mostly at fixed rate, then the bank’s net interest income will decline when interest rates fall.  

The Basel Committee’s (2019f) IRRBB principles for banks and their supervisors are set out in Box 2.

There are also various sub-types of IRRBB[7], including:

  • Gap risk from the term structure of banking book instruments – the extent of gap risk depends on whether changes to the term structure of interest rates occur consistently across the yield curve (parallel risk) or differentially by period (non-parallel risk).
  • Basis risk – the impact of relative changes in interest rates for financial instruments that have similar maturities but are priced using different interest rate indices.
  • Option risk from derivatives and other options where the bank or its customer can alter the level and timing of their cash flows (for example, the early withdrawal of a term or fixed deposit).
  • Credit spread risk in the banking book – any asset/liability spread risk of credit-risky instruments that is not explained by IRRBB and by the expected credit adjustment as interest rates change.

Box 2: IRRBB Principles (Basel Framework)

  1. IRRBB is an important risk for all banks that must be specifically identified, measured, monitored, and controlled. In addition, banks should monitor and assess credit risk spread in the banking book.
  2. Banks must have an adequate IRRBB management framework, involving regular independent reviews and evaluations of the effectiveness of the system. The governing body of each bank is responsible for oversight of the IRRBB management framework, and the bank’s risk appetite for IRRBB.
  3. A bank’s risk appetite for IRRBB should be articulated in terms of the risk to both economic value and earnings. Banks must implement policy limits that maintain IRRBB exposures consistent with their risk appetite.
  4. Measurement of IRRBB should be based on outcomes of both economic value and earnings-based measures, arising from a wide and appropriate range of interest rate shock and stress scenarios.
  5. In measuring IRRBB, key behavioural and modelling assumptions should be fully understood, conceptually sound, and documented. Such assumptions should be rigorously tested and aligned with the bank’s business strategies.
  6. Measurement systems and models used for IRRBB should be based on accurate data, and subject to appropriate documentation, testing, and controls to give assurance on the accuracy of calculations. Models used to measure IRRBB should be comprehensive and covered by governance processes for model risk management, including a validation function that is independent of the development process.
  7. Measurement outcomes of IRRBB and hedging strategies should be reported to the governing body or its delegates on a regular basis, at relevant levels of aggregation (by consolidation level and currency).
  8. Information on the level of IRRBB exposure and practices for measuring and controlling IRRBB must be disclosed to the public on a regular basis.
  9. Capital adequacy for IRRBB must be specifically considered as part of the ICAAP approved by the governing body, in line with the bank’s risk appetite on IRRBB.
  10. Supervisors should, on a regular basis, collect sufficient information from banks to be able to monitor trends in banks’ IRRBB exposures, assess the soundness of banks’ IRRBB management, and identify outlier banks that should be subject to review and/or should be expected to hold additional regulatory capital.
  11. Supervisors should regularly assess banks’ IRRBB and the effectiveness of the approaches that banks use to identify, measure, monitor, and control IRRBB. Supervisory authorities should employ specialist resources to assist with such assessments.

Source: Basel Committee (2019f)

Governance, management, and controls

Two interrelated aspects of a bank’s governance, management, and controls are of particular relevance to the SRP. The first is the governance and processes under which a bank formulates its ICAAP. Strong governance and processes should provide grounds for supervisors to place greater reliance on a bank’s own assessment of its capital adequacy. Weak governance and processes would not only reduce supervisory reliance on the bank’s own assessment but should also feed into the supervisory assessment of a bank’s governance, management, and controls more generally.

Second, the Pillar 1 capital charges assume that a bank is reasonably well-governed, managed, and controlled.[8] Supervisors should intervene to remedy weaknesses here. But since this may take time, and banks may look for ways to avoid or delay making improvements, there is also good reason for supervisors to impose higher capital requirements – both as a temporary measure to provide a buffer until the weaknesses are corrected and as an incentive to the bank to make the necessary improvements.

Economic models

In assessing the adequacy of its capital, a bank might begin with the capital required under Pillar 1 and then consider the extent to which additional capital might be required to cover risks not covered – or not covered fully – under Pillar 1. For some banks, the Pillar 1 capital requirement will be based in part on the use of supervisor-approved internal rating models or other advanced measurement approaches for credit, market, and operational risk.

Alternatively, or in addition, a bank might use an economic capital model to calculate its total capital requirements, in particular for credit risk. These models typically generate capital calculations that are below the Pillar 1 requirements and may suffer from a number of weaknesses in terms of the quality of data inputs; the absence of data from stressed periods; model specification; the lack of independent validation and back-testing of the model by the bank's risk management function; the limited understanding of the model by the bank's senior management; the limited use of the model by the bank in decision-making, pricing and capital allocation; and an insufficiently robust approach to the level of protection a bank's capital should be providing. Supervisors should therefore be cautious in the extent to which they place reliance on the results of a bank’s own economic models.   

Systemic risk

Systemic risk can arise from financial cycles (booms and busts in asset prices, credit, or commodity prices), or from vulnerabilities within the financial sector (perverse incentives, inter-connectedness, externalities arising from systemically-important banks).

Basel III includes a range of Pillar 1 standards intended to address systemic risk, including the counter-cyclical capital buffer, capital surcharges on global systemically-important banks (G-SIBs), and large exposure limits between G-SIBs. National authorities may also apply additional measures to address systemic risk, such as systemic risk buffers and time-varying sectoral risk weights.   

However, Basel II did not contain any of these standards, so supervisors that remain on the Basel II framework should consider whether to adopt these standards as a supplement to Basel II, or to take a bank-by-bank approach to applying additional requirements to address systemic risk. Indeed, even some countries that have adopted the Basel III framework apply additional bank-by-bank measures to address systemic risk, where they judge that the Basel III standards relating to systemic risk are not sufficient for some of their banks.   

Stress testing

Stress testing should be an integral part of a bank’s own risk management. It should highlight the potential adverse outcomes arising from a range of severe but plausible scenarios and thereby help a bank to understand better the risks it faces and the financial resources that it might need to absorb losses should large shocks occur.[9] Stress tests conducted by a bank that are reported in the bank’s ICAAP and used by the bank as an input to its own assessment of its capital requirements should provide useful information for supervisors.

In addition, supervisors can use standard stress tests (with the scenario set by the supervisor) as part of the assessment of each bank’s capital adequacy. At a minimum, supervisors can use the results of such a stress test to provide information on the capital strength of each bank. Some supervisors around the world, including in the US and the European Union, have gone further than this, using the results of their stress tests as a basis from which to require some banks to hold additional capital.[10] This works as follows:

  • A severe but plausible stress scenario is designed by the supervisor.
  • This stress test is run for major banks,[11] either by the banks themselves or by the supervisor, to calculate the impact this would have on each bank’s capital ratio (taking account of the impact of the stress on the bank’s provisions, losses, changes in risk weights arising from downward shifts in ratings, etc).
  • A lower bound is set by the supervisor for the post-stress minimum capital ratio that each bank should meet once the stress test has been run. The US and EU have used figures of around 5-6 percent here (based on the 4.5 percent minimum common equity tier 1 ratio under Basel III, plus any bank-specific G-SIB or D-SIB buffer), on the basis that some capital buffers (such as the capital conservation buffer under Basel III) are intended to absorb the impact of adverse shocks, and that if a bank can maintain a post-stress capital ratio of around 5-6 percent then it would have an opportunity to recover and rebuild its capital after a stress event.
  • If the impact of the stress test takes a bank to below this post-stress minimum capital ratio, then the bank should hold additional capital up-front to protect itself from the potential stress. For example, if a bank starts with a capital ratio of 14 percent, but the stress test would reduce this to 4 percent against a lower bound of 6 percent, then the bank would have to increase its pre-stress capital ratio by 2 percentage points to 16 percent.

When Pillar 2 was introduced under Basel II, the emphasis was very much on the capital adequacy of banks. There was a reference to liquidity in Basel II, recognizing that liquidity is crucial to the continuing viability of a bank, and that each bank should therefore have adequate systems for measuring, monitoring, and controlling liquidity risk. But the main liquidity related requirement on banks under Pillar 2 was that a bank should evaluate the adequacy of its capital given its liquidity profile and the liquidity of the markets in which it operates, because its capital position could have an impact on its ability to obtain funding, especially in a crisis.

Basel III added minimum quantitative liquidity standards (the Liquidity Coverage Ratio (LCR) and the Net Stable Funding Ratio (NSFR)) and the scope of the SRP was widened accordingly. The SRP is now intended to ensure that banks have adequate capital and liquidity to support all the risks in their business, and to encourage banks to develop and use better risk management techniques in monitoring and managing their risks.[12]

Supervisors have responded to this by requiring banks to cover liquidity risks and liquidity risk management in more detail – either within their ICAAPs, or through the parallel preparation of an Individual Liquidity Adequacy Assessment Process (ILAAP) that assesses whether a bank has adequate liquidity. 

There is also a clear carry-across here to concentration risk (concentration of sources of funding), and to governance and risk management, liquidity risk management for the banking book, and stress testing (see Box 3).

Box 3: Liquidity risk management – key issues





Limits and controls

Contingency funding plan

Stress testing

Clear board-level articulation of overall liquidity risk appetite

Effective information systems with active and timely identification, aggregation, monitoring, and control of liquidity risk exposures and funding needs

Effective implementation of policies and procedures

Regular reviews of the risk profile, external market developments, and macroeconomic conditions

Cash flow maturity mismatch profile

Contractual vs. behavioural forecast

Ability to withdraw or repay early

Analysis of funding requirements under alternative scenarios

Diversification in sources and maturity of funding

Concentrations and correlations of funding

Sound day-to-day and intra-day liquidity risk management practices

Liquidity limits and ratios

Funds transfer pricing

Collateral management

Regular assessment of capacity to sell assets

Cushion of high-quality liquid assets to obtain funding in times of stress

Maintain relationships with liquidity providers

Formally articulated and documented

Link to recovery planning

Set out strategy for addressing liquidity shortfalls

Range of stress environments

No reliance on lender of last resort

Clear lines of responsibility and communications

Regularly tested and updated to be operationally robust

Periodic and ad hoc

Short-term vs. protracted stress environment

Institution-specific and market-wide stress scenarios

Individual and combined stress events

Conservative assumptions

Reverse stress test

Feedback loop into strategies and contingency plans

Supervisory review

The main purposes of the supervisory review and evaluation process are for the supervisor to:

  • decide (on a bank-by-bank basis) how much capital and liquidity each bank should hold to support the risk characteristics of the bank;
  • set these minimum levels through Pillar 2 add-ons to Pillar 1 capital and liquidity requirements as necessary;
  • monitor whether each bank is complying with these supervisory requirements; and
  • intervene at an early stage to prevent capital or liquidity from falling below these required levels.

Most supervisors undertake this setting of Pillar 2 requirements by reviewing and evaluating a range of Pillar 2 elements,[14] including:

  • inadequacies in Pillar 1 risk weightings that fail to reflect accurately the risks that a bank is facing, for example because the bank’s credit or market exposures are unbalanced towards the riskier end of the spectrum within a specific risk weighting
  • concentration risks
  • interest rate risk in the banking book (IRRBB)
  • the quality of a bank’s governance, senior management, systems, and controls
  • a bank’s business model, for example where the bank is expanding rapidly and may require additional capital and liquidity to be held in advance to support the bank’s growth plans and the risks that it is taking on
  • a bank’s strategic and reputational risk, for example where the bank is entering new markets or where the bank is undertaking a major acquisition or merger, which may change the bank’s risk profile
  • group-wide strengths and weaknesses, where a bank’s position within a wider group may be a source of strength (a strong and supportive parent) or weakness (other companies in the group that might strain the bank’s resources)
  • the quality of a bank’s recovery plan – a bank may be required to hold more capital and/or liquidity up-front if it does not have credible options for raising new capital or funding in stressed circumstances
  • a lack of compliance with the full set of approval criteria for the use of the more advanced methods in Pillar 1, for example where a bank has been given approval to use more advanced methods while still bringing its data, models, or governance up to the required standards.

Supervisory review and evaluation of a bank’s ICAAP (and ILAAP where applicable) forms an important input to the supervisory setting of minimum capital and liquidity requirements.  The review and evaluation of a bank’s ICAAP should include a consideration of the key assumptions, components, methodology, coverage, and outcome of the bank's ICAAP.  

This review and evaluation should be informed to a significant extent by the supervisor’s knowledge of the bank's risks and risk management capabilities gained from other supervisory work, in particular the information and judgements from supervisory risk assessments. These risk assessments should include an assessment of the bank’s inherent risks, of its governance, management, systems, and controls, and of the adequacy of its financial resources (capital, liquidity, and earnings). This should help to inform the supervisor about the way the bank’s ICAAP is structured; the assumptions that are used by the bank to determine underlying risks across different sectors and risk types; risk sensitivity and confidence levels; and how risks are aggregated by the bank.

This should be a two-way process for the supervisor – other supervisory work feeds into the review and evaluation of a bank’s ICAAP (ILAAP), and the information in the bank’s ICAAP helps to inform the overall risk assessment of the bank.

Supervisory interventions

Supervisory interventions resulting from the SRP fall into three main categories – improving a bank’s ICAAP (ILAAP), improving a bank’s risk profile and controls, and requiring a bank to hold additional capital and/or liquidity.

Improving a bank’s ICAAP (ILAAP) – it is not necessary for a bank’s ICAAP (ILAAP) to be revised until the bank’s own assessment matches that of the supervisor. Nor is it necessary for a supervisor to approve or disapprove the use of any economic model by a bank, or to review in detail every assumption and model used by a bank. However, if there are material deficiencies in an ICAAP submitted by a bank – for example in the coverage of risks or in the quality of the bank’s analysis – then the bank should be asked to resubmit its ICAAP in a form that meets the supervisor’s guidelines.

Improving a bank’s risk profile and controls – a bank’s ICAAP (ILAAP) may reveal weaknesses in governance, senior management, internal controls, business model, or strategy. The first-best response to this is to correct these weaknesses at the source by addressing the weaknesses. A supervisor may therefore require a bank to improve its governance, management, or internal controls, to adjust its business model and strategy, or to limit its business activities.

Requiring a bank to hold additional capital and/or liquidity – supervisors may require a bank to hold additional capital or liquidity to compensate for inadequacies in the Pillar 1 capital and liquidity requirements; to provide a buffer to protect against weaknesses in a bank’s governance, management, or controls; or to provide an incentive for a bank to take remedial actions.

Supervisors take different approaches to the SRP assessment of a bank’s capital and liquidity requirements. Some supervisors try to make this assessment as quantitative as possible, using a range of metrics to assess each component of potential Pillar 2 add-ons.[15] This approach may be more straightforward to operate and may provide a more level playing field in the treatment of individual banks. This is most effective where the available metrics capture Pillar 2 elements reasonably well, for example:

  • concentration risk measures and data on large exposures and on sectoral and geographical concentrations of credit, market, and funding risks
  • the results of applying a standard set of interest rate shifts (under IRRBB) to evaluate their impact on a bank’s capital or earnings
  • using a range of liquidity metrics to supplement the LCR and NSFR
  • using standard stress tests to evaluate their potential impact on each bank’s capital and liquidity positions.

Some of these metrics and calculations may translate more or less directly into specific capital and/or liquidity add-ons (in particular the IRRBB and stress test results), while the others require a method for translating a metric (for example a concentration risk score, or a liquidity maturity mismatch) into a capital or liquidity add-on. Here, for example, a supervisor might use a sliding scale under which higher concentration scores and similar metrics are translated into higher capital (or liquidity) add-ons.

For other elements of the SRP, supervisors need to rely more on a judgement of qualitative indicators, for example in assessing the extent to which a bank’s risks are not well captured by the Pillar 1 capital charges and liquidity ratios, or the extent to which a bank’s business model, growth strategy, group structure, or recovery plan increases its risks and therefore requires additional capital and liquidity (above the Pillar 1 requirements) to support the bank.

A supervisory assessment of a bank’s governance, management, and controls is also highly judgemental, and the quality of these elements needs to be proportionate to the size, nature, and complexity of a bank’s activities. Although the first-best outcome here would be for a bank to make any necessary improvements, a supervisor can usefully impose a capital add-on until these improvements are delivered and validated.

To some extent these judgements may usefully be informed by a supervisory risk assessment of a bank, since this assessment will already have focused on inherent risks (where high inherent risks may not be captured fully through Pillar 1 capital and liquidity requirements); governance, management, systems, and controls; and the adequacy of the bank’s capital, liquidity, and earnings. Capital and liquidity add-ons should reflect, and be consistent with, the supervisory risk assessment of a bank.

Supervisory process

Supervisors should have a clear process for assessing each bank’s capital and liquidity, and for determining whether any Pillar 2 add-ons are required. This should:

  • cover all the components of a Pillar 2 assessment, as discussed above;
  • set out the quantitative metrics for each component, where applicable;
  • set out the qualitative considerations for each component – for example by categorizing each component as strong, acceptable, needs improvement, or weak;
  • include a process for converting the metrics and judgements on each component into an overall score for each component, and then converting this score into a Pillar 2 add-on;
  • aggregate the individual component scores or add-ons into an overall Pillar 2 add-on for capital and liquidity; and
  • add these add-ons to the Pillar 1 capital and liquidity requirements for each bank.

This process might usefully include the use of a standard spreadsheet to capture the supervisory assessment of each individual bank. A simplified version of such a spreadsheet is presented in Annex A.[16]

Supervisors need to consider a range of issues here:

  1. Whether they have a clear legal basis – set out in legislation or in regulatory rules – to apply Pillar 2 capital and liquidity add-ons, and whether these can be applied on a bank-by-bank basis (so different add-ons for each bank).
  2. Which Pillar 2 elements to include in their evaluation – the example in Annex A covers the main elements, but there may be others that should be added for individual banks or to reflect country-specific characteristics.
  3. The level of detail at which each element should be analysed – long lists of sub-elements (specific metrics, or judgement-based considerations) could be constructed as contributors to the overall “score” for each element.
  4. The read-across from metrics and judgements to the Pillar 2 add-ons for capital and/or liquidity – this could be determined by assigning specific add-ons against specific metrics (for example each range of scores from a credit concentration index could equate to different amounts of capital add-on), or by assigning a more judgmental score (for example high, medium-high, medium-low, or low) to a Pillar 2 element and then equating each score to a specific Pillar 2 add-on. The range of add-ons could vary across each element – for example, high levels of concentration risk could equate to a capital add-on of up to 4 percentage points, while weak governance could equate to a capital add-on of up to 2 percentage points.
  5. Whether to impose a maximum limit on the total add-on for capital or liquidity – for example, the total capital add-on could be limited to, say, 8 percentage points.
  6. Avoid double counting – the results of a supervisory stress test might already reflect some aspects of sector or geographical concentration, interest rate risk and inadequate Pillar 1 risk weights.
  7. Whether to allow offsets where the Pillar 1 risk weights or liquidity ratio calculations are judged to be too high for a specific bank. Pillar 1 capital and liquidity ratios are absolute minimum requirements, so Pillar 2 add-ons cannot be negative overall. But supervisors could allow some trade-off within the Pillar 2 assessment.
  8. Proportionality – it is costly for banks to prepare ICAAPs (and ILAAPs), and it is resource-intensive for supervisors to review and evaluate them. Supervisors can exercise proportionality by not requiring all banks to submit an ICAAP, by differentiating across different types and sizes of bank in terms of the length and detail required in their ICAAPs and the frequency of their submission, and in how much time and resource is spent by supervisors on the SRP for each bank.[17]
  9. The link between the SRP and risk-based supervision – Basel II and Basel III do not require a supervisor to undertake risk-based supervision, although a risk-based approach to supervision is encouraged in the Basel Core Principles (2012). Risk-based supervision is consistent with the emphasis of Basel II and especially Basel III on the wide range of risks to be considered (credit, market, operational, liquidity, macro-prudential), the emphasis on governance and risk management, and the judgement-based nature of the SRP. The information in a bank’s ICAAP (and ILAAP) should feed into and enhance the supervisory risk assessment of that bank, while the risk assessment informs the SRP and the setting of Pillar 2 add-ons.
  10. The scope for integrating supervisory tasks and processes – the close links between the SRP, risk-based supervision, stress testing, and recovery planning suggest that supervisors should integrate these tasks as closely as possible. For example, it should be beneficial to ask for a bank’s ICAAP (ILAAP) at the same time as the supervisor is beginning its risk assessment of that bank;[18] to undertake the SRP in parallel with the risk assessment; to integrate the risk assessment and SRP as closely as possible with stress testing and the assessment of each bank’s recovery plan; to include Pillar 2 add-ons within the supervisory action plan (mitigation program) arising from the risk assessment of each bank;[19] and to communicate Pillar 2 requirements clearly to each bank at the same time as the supervisor communicates and explains the risk assessment and risk mitigation program to the bank.


Supervisors need to do more than simply copy Basel II or Basel III (including any national variants and proportionality) into their legislation or regulatory rule book. Supervisors need to monitor whether their banks are complying with all the additional requirements introduced by Basel II and Basel III, across Pillars 1, 2 and 3.

Pillar 1 requirements under Basel II – and considerably more so under Basel III – require a long list of detailed calculations requiring considerable data input and system processing by banks. Supervisors may require banks to report either the “end results” or also at least some of the data inputs so that the supervisor can replicate some or all of a bank’s calculations; or supervisors may require some of the data and calculations to be verified by external auditors.

In addition, if a supervisor allows banks to apply for model approval for the use of internal ratings-based methods for determining credit risk weightings, internal models for market risk weightings and (under Basel II but not Basel III) advanced model approaches for operational risk, then the supervisor will need to establish a model approval process under which banks can apply for model approval subject to them meeting the long list of conditions set out in the Basel II and Basel III standards. The supervisor will then need to determine whether a bank meets the relevant conditions, not only at the time of approval but on a continuous basis thereafter.

The list of model approval conditions includes:

  • risk rating and measurement systems to estimate probability of default (all IRB), exposure at default and loss given default (for A-IRB) and stressed VaR (IMA)
  • data adequacy and quality
  • IT quality
  • internal use
  • loan loss classification
  • credit risk mitigation
  • risk management
  • governance and oversight
  • stress testing
  • validation and back-testing.

Supervisory involvement in Pillar 2 is covered extensively earlier in this Note.

Pillar 3 requirements on public disclosure by banks are onerous for banks, especially with the additional requirements under Basel III for banks to disclose details of their leverage and liquidity ratios. Supervisors have discretion here to decide whether to (a) require banks to have some or all of their Pillar 3 disclosures signed off by their external auditors, (b) not require external audit sign-off, but for the external auditors to check that relevant disclosures are capable of being reconciled to a bank’s published accounts, or (c) for the supervisor to undertake some checking of Pillar 3 disclosures, for example on the basis of occasional spot checks of specific disclosures.

International cooperation

Basel II and Basel III require more cooperation and coordination between home country and host country supervisors, especially for complex international banking groups.  This is in addition to the usual good reasons for international supervisory cooperation – the alignment of interests between home and host supervisors, the shared agenda to address risks and vulnerabilities, more effective supervision of a financial group, better capability to handle crises, and contributing to regional or global financial stability.[20]

The Basel II and Basel III standards need to be applied at each level of a banking group, both legal entity and consolidated. Home and host supervisors are each required to set Pillar 1 and Pillar 3 requirements, and to undertake a Pillar 2 assessment. They are also required to cooperate in the initial approval and validation and continuing monitoring of the use of advanced modelling approaches under Pillar 1, and to avoid performing redundant and uncoordinated approval and validation work in order to reduce the implementation burden on the banks and conserve supervisory resources. This requires good information flows between home and host supervisors.[21]

The degree and nature of cross-border supervisory arrangements is likely to depend on the extent to which an international banking group uses a common approach in applying Basel II or Basel III and in constructing its ICAAPs (and ILAAPs) at all levels of the group; the degree of integration in the group’s risk management; and the extent to which the group’s “mind and management” are centralized.

The more common and centralized that these approaches are, the more that the home country supervisor will probably be better placed to take the lead on supervisory and model approval work. In practice, however, and in particular across emerging economies (or between emerging and more developed economies), cross-border cooperation may be made more difficult when different supervisory authorities are at different stages of the Basel framework, or have adopted different approaches to the adoption of Basel II or Basel III.

Impact assessment

As with the implementation of any regulation, supervisors should assess the impact of Basel II or Basel III. This could include a review of:

Ex ante and ex post impact – using data from the banks on the impact of implementing new capital, leverage, and liquidity frameworks.

Intended and unintended consequences – assessing whether Basel II or Basel III has delivered the intended benefits in terms of the safety and soundness of banks and of the banking system more generally, and improvements in banks’ risk management practices. Equally, supervisors should assess whether there have been any unintended consequences. For example, at the international level there have been concerns about the impact of Basel III on the cost and availability of infrastructure finance, “green” finance, and lending to SMEs; on the growth of alternative (non-bank) channels of intermediation; on the impact on competition, new entrants, and market structure; and on market fragmentation on jurisdictional lines.

Consistency of implementation – across countries when dealing with international banking groups.  

Overall impact of multiple reforms – Basel II and Basel III are not the only regulatory reforms that have been introduced. Other major reforms have included recovery and resolution planning for banks, macro-prudential policy, revised anti-money laundering requirements, and tougher conduct of business regimes (for retail and wholesale markets).


The supervisory implementation of Basel II and Basel III will clearly be resource-intensive and may require additional staff numbers, skills, and expertise. Key areas for resourcing include:

Legal – supervisors need to ensure that they have the necessary powers (through legislation or regulatory rules) to implement all of Pillars 1, 2, and 3 under Basel II or Basel III.

Pillar 1 – legislation or regulatory requirements covering the Pillar 1 requirements; powers to apply national discretion and proportionality; powers to operate the model approval process; and – where necessary – powers to support the cross-border supervisory exchange of information.

Pillar 2 – powers to enforce the four principles of Pillar 2, including the ability to impose higher capital and liquidity ratios on a bank-by-bank basis. Supervisors in some countries do not have this power, or are reluctant to use it because it involves reaching and applying judgements on individual banks. This also relates to the importance of supervisors being independent and autonomous and having legal protection (against lawsuits for actions taken and/or omissions made while discharging their duties in good faith).

Pillar 3 – ensuring that Pillar 3 disclosures do not conflict with any bank confidentiality rules, and that supervisors will be able to impose verification requirements on banks.

More generally, the broader legal framework should support the preconditions for effective supervision as set out in the Basel Committee (2012) Core Principles, in particular those relating to the public infrastructure:

  • a system of business laws, including corporate, bankruptcy, contract, consumer protection, and private property laws, which is consistently enforced and provides a mechanism for the robustness of collateral and for the fair resolution of disputes;
  • an efficient and independent judiciary;
  • comprehensive and well-defined accounting principles and rules, including for loan classification and provisioning;
  • a system of independent external audits, to ensure that users of financial statements, including banks, have independent assurance that the accounts provide a true and fair view of the financial position of the company and are prepared according to established accounting principles, with auditors held accountable for their work; and
  • the availability of competent, independent, and experienced professionals (e.g. accountants, auditors, and lawyers), whose work complies with transparent technical and ethical standards.

Staffing – many supervisors have found that moving to Basel II or Basel III has required additional staff and higher levels of skill and expertise, in particular to enable supervisors to understand banks’ rating systems, models, and capital and liquidity assessments. In many cases this has led to a shift to recruiting (and training and developing) more specialist staff, who specialize in areas such as credit, market, operational, or liquidity risk, and who provide specialist input to a number of supervisory relationship teams.

As an alternative or an addition to more specialist in-house staff, some supervisors make regular use of third-party expertise (external audit, internal audit, consultants) to provide specialist resources. Supervisors can outsource some of their work, but they retain responsibility and accountability, and they need to ensure that they retain the capability to understand and act upon any third-party findings.

A combination of the supervisory review and evaluation process under Pillar 2 and moves towards risk-based supervision have also required supervisory staff to become more adept and comfortable with on-site visits to banks, discussions with the senior management and directors of banks, and making judgements in areas where they may previously have relied on purely quantitative measures.

Operations – supervisors will need to handle large amounts of data from banks, and to have the capacity to undertake their own calculations of banks’ capital, leverage, liquidity, and other ratios. This has implications for regulatory reporting and for supervisory authorities’ IT systems and data handling. 

Organizational – supervisors would benefit from integrating the implementation of Basel II or Basel III with their approaches to risk-based supervision, stress testing, consolidated supervision, and macro-prudential oversight.

Leadership – Basel II or Basel III implementation requires a strong focus from the board and senior management of the supervisory authority.

Stakeholder management – the implementation of Basel II or Basel III requires interactions with banks and other stakeholders (external auditors, international bodies), and generally enhanced relations with other authorities, nationally and internationally, both for supervisory cooperation and to provide various types of external support.

These factors all imply that designing and adopting a national regulatory framework based on Basel II or Basel III is one thing, but making the shift in supervisory mindset, processes, and practices that need to go with it may take a lot more time. There could be a false sense of hope that the transition to Basel II or Basel III has strengthened the banking sector although the underlying supervisory skills and processes have not caught up.


This Note has covered the issues that supervisors face when supervising banks under the Basel II and Basel III frameworks, including supervisory intensity and proportionality; Pillar 2; model approval; impact assessment; and the resourcing of a supervisory authority.

For many supervisory authorities, the most challenging of these issues may be the implementation of the Pillar 2 framework. Specific challenges include:

  • Whether the supervisory authority has sufficient legal powers to implement Pillar 2 and to apply capital and liquidity add-ons on a bank-by-bank basis;
  • Establishing the processes and procedures to receive ICAAPs and ILAAPs from banks, and undertaking supervisory review and evaluation;
  • Covering all the relevant aspects of Pillar 2 assessments;
  • Making supervisory judgements and basing bank-by-bank capital and liquidity add-ons on these judgements; and
  • Integrating the Pillar 2 framework with risk-based supervision, stress testing, and other related supervisory activities.


Basel Committee on Banking Supervision. International convergence of capital measurement and capital standards. July 1988. https://www.bis.org/publ/bcbs04a.pdf

Basel Committee on Banking Supervision. Amendment to the capital accord to incorporate market risks. January 1996. https://www.bis.org/publ/bcbs24.pdf

Basel Committee on Banking Supervision. High-level principles for the cross-border implementation of the New Accord. August 2003. http://www.bis.org/publ/bcbs100.htm

Basel Committee on Banking Supervision. International convergence of capital measurement and capital standards. June 2004. https://www.bis.org/publ/bcbs107.pdf

Basel Committee on Banking Supervision. Home-host information sharing for effective Basel II implementation. June 2006.  http://www.bis.org/publ/bcbs125.htm

Basel Committee on Banking Supervision. Basel III: A global regulatory framework for more resilient banks and banking systems. December 2010. https://www.bis.org/publ/bcbs189_dec2010.pdf

Basel Committee on Banking Supervision. Core principles for effective banking supervision. September 2012. http://www.bis.org/publ/bcbs230.htm

Basel Committee on Banking Supervision. Principles for effective supervisory colleges. June 2014. http://www.bis.org/publ/bcbs287.htm

Basel Committee on Banking Supervision. Stress testing principles. October 2018. www.bis.org/bcbs/publ/d450.htm

Basel Committee on Banking Supervision. Proportionality in bank regulation and supervision – a survey on current practices. March 2019a. https://www.bis.org/bcbs/publ/d460.pdf

Basel Committee on Banking Supervision. The Basel Framework. December 2019b. https://www.bis.org/basel_framework/

Basel Committee on Banking Supervision. Supervisory review process. December 2019c. https://www.bis.org/basel_framework/chapter/SRP/10.htm

Basel Committee on Banking Supervision. Supervisory review process: Four key principles. December 2019d. https://www.bis.org/basel_framework/chapter/SRP/20.htm

Basel Committee on Banking Supervision. Large exposures. December 2019e. https://www.bis.org/basel_framework/standard/LEX.htm

Basel Committee on Banking Supervision. Interest rate risk in the banking book. December 2019f. https://www.bis.org/basel_framework/chapter/SRP/31.htm

Basel Committee on Banking Supervision. Application guidance on interest rate risk in the banking book. December 2019g. https://www.bis.org/basel_framework/chapter/SRP/98.htm

Basel Committee on Banking Supervision. Liquidity monitoring metrics. December 2019h. https://www.bis.org/basel_framework/chapter/SRP/50.htm

Board of Governors of the Federal Reserve System. Comprehensive Capital Analysis and Review 2019: Assessment Framework and Results. June 2019 https://www.federalreserve.gov/publications/files/2019-ccar-assessment-framework-results-20190627.pdf

European Banking Authority. Guidelines on common procedures and methodologies for the supervisory review and evaluation process (SREP). December 2014. https://eba.europa.eu/sites/default/documents/files/documents/10180/935249/4b842c7e-3294-4947-94cd-ad7f94405d66/EBA-GL-2014-13%20(Guidelines%20on%20SREP%20methodologies%20and%20processes).pdf

European Banking Authority. 2018 EU-wide stress test results. November 2018. https://eba.europa.eu/sites/default/documents/files/documents/10180/2419200/126521e6-613f-45e4-af84-cbd3b854afc5/2018-EU-wide-stress-test-Results.pdf

Financial Stability Institute. The Basel framework in 100 jurisdictions: implementation status and proportionality practices. November 2018. https://www.bis.org/fsi/publ/insights11.pdf

Financial Stability Institute. Proportionality under Pillar 2 of the Basel framework. July 2019. https://www.bis.org/fsi/publ/insights16.htm

Hong Kong Monetary Authority. Supervisory Policy Manual: Supervisory Review Process. January 2020. https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/CA-G-5.pdf

Toronto Centre. Improving Corporate Governance in Regulated Firms. January 2016. https://www.torontocentre.org/index.php?option=com_content&view=article&id=64:improving-corporate-governance-in-regulated-firms&catid=9&Itemid=99

Toronto Centre. Risk-Based Supervision. March 2018. https://www.torontocentre.org/index.php?option=com_content&view=article&id=82:risk-based-supervision&catid=10&Itemid=101

Toronto Centre. Climate Change: Issues for Banking Supervisors. July 2019. https://www.torontocentre.org/index.php?option=com_content&view=article&id=91:climate-change-issues-for-banking-supervisors&catid=14&Itemid=99

Toronto Centre. Risk-Based Supervision for Securities Supervisors (and Other Supervisors of Small Firms). February 2020. https://www.torontocentre.org/index.php?option=com_content&view=article&id=96:risk-based-supervision-for-securities-supervisors-and-other-supervisors-of-small-firms&catid=10&Itemid=99

Annex A: Simplified scorecard matrix for determining Pillar 2 add-ons



Not captured, or not captured fully, by Pillar 1 minimum ratios



Quantitative factors



Qualitative considerations

Score for each risk element


Could be a numeric score (e.g. 1-4) or a descriptive range (from weak to strong)

Add-on to minimum Pillar 1 ratio


Conversion of each score into a percentage point add-on



Credit concentration risk

Concentration indices for:

  • single counterparties
  • product, industry, economic sectors, country and geographical regions
  • collateral or guarantees used for credit risk mitigation
  • trading book exposures

Vulnerability to economic environment



Other credit risk considerations

Pace of loan growth

Higher-risk business lines not fully reflected in risk weights


Lending strategy





Impact of standard interest rate shift (parallel 200 basis point shift) on earnings and economic value, expressed as a percentage of capital


Results of other interest rate movements to which banks in the country may be vulnerable


A bank’s own ICAAP calculations, where these show a specific vulnerability


Ability of the bank to identify, monitor, and control IRRBB



Governance, management, and controls


Weaknesses revealed by a bank’s own ICAAP or by supervisory risk assessments of the bank’s:


  • corporate governance
  • senior management
  • risk governance and risk management
  • internal controls


(These judgements should be similar to the judgements reached in completing a risk assessment matrix for the bank)


Compliance record


Openness and constructiveness of relationship with the supervisor




Model risk


Where applicable, there may be a need to apply a Pillar 2 adjustment where a bank has been granted model approval but does not yet meet fully all the relevant criteria for approval




Systemic risk

Systemic risks of the bank not captured by Pillar 1 capital charges (the G-SIB capital surcharges and any national equivalent for D-SIBs), national macro-prudential capital buffers, or other adjustments applied to all banks





Stress testing

Shortfall (if any) against minimum capital ratio threshold as a result of the imposition by the supervisor of a standard stress test





Strategic, business model, and corporate change risks


Reputation risks


Weaknesses arising from the position of a bank within a wider group

Pace of growth (absolutely, and relative to peer banks)


Merger or major acquisition


Large-scale internal change projects


Litigation outstanding against the bank


Claims against the bank for mis-selling

Unclear and unsuccessful strategy and business model


Inconsistency of strategy with risk appetite, financial goals, values, and culture


Insufficient management, staff, and other resources to support the strategy


Lack of responsiveness to changes in business environment


Track record of unsuccessful strategic decisions, and launching unsuccessful products


Position of the bank within a wider group, weak prospect of parental support




Operational risk

Operational losses

Weaknesses in infrastructure and systems that make the bank more vulnerable to operational risk losses


High levels of IT and other system failures, cyber attacks, internal and external fraud


Weaknesses in the ability of the bank to respond and recover if a disruptive event did occur


Shortages of staff, high staff turnover









Total capital add-on












Quantitative metrics in addition to the LCR and NSFR

Loan to deposit ratio


Contractual maturity mismatch


Committed funding facilities


Concentration of customer funding (individual corporates, other banks)


Quality of HQLA compared with criteria in Pillar 1 minimum LCR


Available unencumbered assets


Stability of funding compared with LCR minimum ratio assumptions (in effect, adjusting the LCR stress tests)


Shortfall (if any) against minimum liquidity ratio threshold as a result of the imposition by the supervisor of a standard stress test


Liquidity positions in different currencies


Changes in the cost of funding





Qualitative considerations


Access to market funding


Potential availability of parent support (or bank providing funding to rest of the group)


Intra-day liquidity monitoring and management


Market-wide funding pressures




Liquidity risk management


Weaknesses revealed by a bank’s own ILAAP or by supervisory risk assessments of the bank’s:


  • corporate governance
  • senior management
  • risk governance and risk management
  • internal controls









Total liquidity add-on (to Liquidity Coverage Ratio)









[1] This Note was prepared by Clive Briault.

[2] Financial Stability Institute (2018).

[3] Modified or simplified standards may be less complicated to apply, but do not necessarily imply less stringent requirements. National variants may be intended to be tougher, similar to, or less demanding than the Basel standards (for example, simpler calculations may be combined with higher minimum regulatory capital ratios).

[4] Risk-based supervision is discussed in more detail in Toronto Centre (2018) and Toronto Centre (2020).

[5] One example of this would be currency induced credit risk, where a bank lends in a foreign currency to local borrowers who have no source of foreign currency income.  A depreciation of the domestic currency would then make it more expensive for these borrowers to service and repay their debt.

[6] See Toronto Centre (2019).

[7] See Basel Committee (2019g).

[8] Toronto Centre (2016) sets out the key elements of good corporate governance.

[9] The Basel Committee (2018) principles for stress testing set out guidance on the core elements of stress testing by banks, including objectives, governance, policies, processes, methodology, resources, and documentation.

[10] See, for example, Board of Governors of the Federal Reserve System (2019) and European Banking Authority (2018).

[11] It may be disproportionate and too resource-intensive to run the stress test for all banks in a jurisdiction.

[12] Basel Committee (2019c).

[13] Basel Committee (2019h) discusses a wide range of liquidity metrics that banks should monitor, in addition to the LCR and NSFR.

[14] See, for example, the detailed and comprehensive list of elements in European Banking Authority (2014).

[15] See, for example, Annex C of Hong Kong Monetary Authority (2020).

[16] For a more complicated and comprehensive version, see Hong Kong (2020), pages 116-139.

[17] Financial Stability Institute (2019).

[18] This implies that banks should be asked to submit their ICAAPs (ILAAPs) at different times during the year, and that some banks should be asked to submit them less frequently than others to reflect how often supervisors undertake risk assessments for different types and sizes of banks.

[19] As with the risk assessment, the Pillar 2 requirement may be varied at any time in response to new information and events.

[20] Basel Committee (2003) and (2006).

[21] Basel Committee (2014).