Submit RFP

      October 2025

      On 25 July 2025 the ECB published its revised Guide to Internal Models: the latest version of a document first released in 2017.

      To complement our previous article, here we discuss three key elements of the new guide:

      • Incorporation of the requirements of the new EU Capital Requirements Regulation (CRR 3);
      • New guidance on the use of machine learning (ML) models; and
      • Updated requirements on model governance and applications supervisory approval.

      1. CRR 3 alignment

      CRR 3, which entered into force on 1 January 2025, introduced important new provisions on the use of internal models to calculate risk weights and own funds (capital) requirements.

      IRB strategy and PPU

      A key change introduced by CRR 3 concerns the scope of application of the IRB approach. Institutions are no longer required to apply IRB to their entire portfolio, but can choose between IRB and the Standardised Approach (SA) for each exposure class, subject to supervisory approval. Within a class, all exposures must be covered by IRB unless Permanent Partial Use of SA (PPU) is approved.

      This creates an opportunity for banks to revisit their existing model strategies, to identify the portfolios for which IRB or SA is more appropriate. In the process, they can also simplify their model landscape by reducing the number of IRB models they employ and ensure greater consistency of approach across business lines.

      To do this, banks will need to establish clear and objective criteria for applying IRB. Key considerations will be the costs and benefits of developing rating systems for each portfolio; operational capacity, including the need for adjustments to IT systems; and above data availability and quality. A coherent model strategy will then allow banks to explain and justify their choices between IRB and SA to supervisors as required.

      Technical model adjustments

      In addition, the new guide also sets out more detailed ECB expectations for several technical aspects of internal models. These include, for example, the interpretation of the representativeness of default rates, the aggregation of components for risk quantification purposes in LGD models, as well as clarifications relating to counterparty credit risk. The market risk chapter has also been updated, with separate sections covering CRR 2 and CRR 3 to reflect the phased implementation of the Basel standards. For banks, these updates mean closer alignment with applicable regulation, requiring more rigorous procedures, documentation and justification of their methodological choices.

      2. Use of Machine Learning techniques in Internal Models

      An important innovation in the guide is the inclusion for the first time of ECB expectations for the use of machine learning (ML) models. The ECB defines ML as highly complex modelling techniques relying on many parameters, capable of capturing non-linearity, needing large datasets for training and sometimes processing unstructured data. Importantly, the ECB clarifies that models based on linear or logistic regression do not qualify as ML for the purposes of the guide. This aligns the ECB with the European Commission’s approach to the definition of artificial intelligence (AI) under the EU AI Act. In practice, this means that only a few existing models will be covered by the new ML rules, which are rather designed for the next generation of risk models.

      This new section of the guide sets out the ECB’s expectations for the governance, internal controls and data and methodology used for ML models.

      • Governance: banks should integrate ML-specific risks into their model governance frameworks and processes, across the three lines of defence. Staff dealing with ML-based models should have sufficient training and expertise to interpret model outputs correctly and understand risks.
      • Internal controls: ML-based models are inherently more complex than existing internal models. Banks should be able to justify the additional complexity of using ML-based models by reference to the benefits. Internal validation should ensure ML models are thoroughly tested for accuracy, robustness and potential bias. Banks should ensure ML model explainability, for example through the use of specific explainability tools, and Internal Audit plans and methodology should explicitly cover ML-based internal models, ensuring higher frequency and deep dives for complex models.
      • Data and methodology: banks should ensure robust data governance for ML models. They should define clear data quality criteria and processes, including for model training data. Additional checks are required for unstructured or synthetic data to address missing values or potential bias. IT infrastructure should also be capable of handling higher computational demands from more complex models.

      Taken together, these requirements will require significant investments in systems, policies and people from banks wishing to use ML-based models. This emphasizes the importance of careful assessment of where there is a strong business case for ML deployment within appropriate risk management frameworks.

      3. Model Governance

      The new guide also reinforces supervisory expectations on certain aspects of model governance.

      First, the ECB reiterates that approval applications for new, updated or extended models will only be considered ready for supervisory review once the models are fully implemented in a bank’s IT systems and any deficiencies previously identified have been remedied. The ECB is thus not retreating from the requirements of the previous version of the guide, even though IT implementation in particular continues to be a challenge for many banks. Supervisors also expect senior management (up to management body level) to take responsibility for the quality and timeliness of model approval applications, instead of delegating this entirely to technical teams.

      Finally the guide reiterates ECB expectations that banks improve their risk data aggregation and risk reporting capabilities to meet the BCBS 239 standards, and that they ensure robust operational resilience in line with the requirements of the Digital Operational Resilience Act (DORA). Data quality and security should thus be embedded throughout the model lifecycle.

      Conclusion

      The revised guide represents the latest evolution in ECB thinking on internal models –  and the ECB has highlighted that it might issue further updates in the light of future regulatory developments.

      It highlights the ECB’s continuing focus on robust governance frameworks and ensuring high quality of data. Meeting ECB expectations in these areas may require significant investment from banks in their internal processes and IT systems, especially for institutions wishing to make use of machine learning technology. On the other hand, better data will both enable banks to capture more fully the benefits of new modelling techniques and, couple with the increased flexibility in CRR 3 over the use of IRB, to optimize their internal model strategies. Both could yield substantial efficiency benefits in the longer term.

      Related content

      KPMG European Central Bank Office

      Read our latest perspectives and insights on pressing ECB priority areas

      Read more

      Our people

      Omar Mauri
      Omar Mauri

      Manager, KPMG ECB Office

      KPMG in Germany

      Benedict Wagner-Rundell
      Benedict Wagner-Rundell

      Senior Manager

      KPMG in Germany

      Juan Antonio De Juan Herrero,
      Director,
      KPMG in Spain
      juanantoniodejuan@kpmg.es