ECB-Guide to Internal Models: Strategic Orientation for Banks in the New Regulatory Landscape

TheEuropean Central Bank(ECB) published a significant revision of its guidance on internal models on July 28, 2025. This revision not only reflects the regulatory changesCRR3but also establishes new standards for the use of artificial intelligence (AI) in risk modeling and significantly strengthens governance requirements.

Central innovations at a glance

Approval of AI models:AI and machine learning methods are officially permitted. However, explainable models (Explainable AI) are mandatory.

Increased governance requirements:Top management now bears explicit responsibility for the quality, risk control and compliance of the models.

CRR3 and climate risks become mandatory: Basel III-Rules andESG-Risks must be proactively integrated into risk models.

Faster operational implementation:Approved model changes must be implemented within three months.

Key changes in the July 2025 revision

Official approval and regulation ofMachine learning

For the first time, the revision contains a separate chapter on machine learning techniques. In it, the ECB defines fundamental principles for ML-based models: In particular, the explainability of such models must be guaranteed and the performance must be proportionate to the complexity. In practical terms, this means that banks must have robust validation measures and transparent model documentation for AI models. Internal validation and internal auditing are required to check ML models particularly strictly - the guidelines expect, for example, that for highly complex or dynamic ML models, in-depth audits are carried out in addition to the regular testing cycle. Overall, the ECB is creating a supervisory framework that steers the previously often experimental use of AI into an orderly direction.

Consequence:All three lines of defense (risk control, compliance, internal audit) must develop appropriate ML know-how.

Increased governance responsibilities

Section 5 of the guide makes it clear that the board and supervisory body are directly responsible for the application readiness, implementation and ongoing monitoring of internal models. Specifically, the ECB expects that a model will only be submitted for approval if the internal control functions (validation and auditing) have previously examined it comprehensively and all identified deficiencies have been corrected. This increases the pressure on management to ensure strong internal model governance. The guidelines also require the roles and responsibilities surrounding model risk management to be clearly defined and appropriate committees to be set up (e.g. a model risk committee at management level) to oversee the life cycle of the models.

Consequence:Senior management and governing body responsibility for internal models drives the urgency for clearer internal model governance.

CRR3 integration and Basel III finalization

The adjustments to CRR3 and the finalization of the Basel III standards require banks not only to revise their methodology, but also to have a clearly structured implementation program. The following points show the essential to-dos for each risk category:

Credit risk (IRBapproaches)

Review and adjust roll-out strategy:Existing roll-out plans need to be revised in light of the new Permanent Partial Use (PPU) requirements. Banks must ensure that only those parts of the standardized approach permitted by the regulator are used in parallel.

Revalidate rating systems:Internal validation must check and document all rating systems in accordance with the stricter EBA requirements. In particular, the new definitions of default events (default definition) and the adapted methods for estimating PD (Probability of Default) and LGD (Loss Given Default) parameters must be taken into account.

Clearly define roles:Management and the supervisory body must explicitly assume their responsibility when submitting model applications. This requires clear processes, approval stages and complete documentation before every submission.

Ensuring data quality:Since CRR3 places higher demands on the data basis (e.g. more granular failure data), existing data sets and processes should be checked for gaps and cleaned up at an early stage.

Market risk (FRTB and CRR2 models)

Organize double model world:In the short term, banks need to ensure that both existing models (under CRR2) and future FRTB-compliant models are maintained. This means parallel reporting and backtesting processes.

Early FRTB Preparation:Even if the introduction does not become mandatory until 2027, institutions should start preparing now: classifying risk factors into modelable/non-modelable, building the required expected shortfall metrics and expanding data histories.

Perform gap analysis:A structured gap analysis shows where the current models deviate from the FRTB requirements. Prioritized roadmaps for model changes and system adjustments should be derived from this.

Counterparty risk (CCR)

Dynamically model exposure changes:Institutions must adapt their internal models so that changes in business volume, term changes and other structural changes are reflected promptly and correctly.

Extend margining and collateralization logic:The new CRR3 requirements require more precise modeling of margin calls and collateral values. Here the parameter and simulation methods must be checked for their suitability and, if necessary, sharpened.

Introduce processes for regular recalibrations:In order to absorb the greater volatility in exposure profiles, recalibrations should be carried out in tighter cycles, ideally with automated control routines.

Climate risk integration as a regulatory obligation

A key new element of the 2025 revision is the anchoring of climate risks in the guidelines. For the first time, the ECB explicitly requires that institutions include climate and environmental factors in their model framework. Specifically, banks should first check all relevant risks – including climate-related risks – for their materiality. If a climate risk driver is classified as material, it must be integrated into the internal model. This requirement applies across all Pillar 1 risk models, i.e. in credit risk (e.g. influence of flood risks on default probabilities), in counterparty risk and in the market risk model. This means that the supervisory authority is effectively elevating climate risks to the same group of obligations as traditional financial risk drivers. For many institutes, this means that they still have to develop the necessary data and methods to quantitatively map climate influences. The ECB is giving a clear mandate for action here: ESG risks are no longer just part of Pillar 2 considerations, but are now becoming a mandatory part of the banks' model landscape.

Operational challenges and implementation requirements

Stricter implementation deadlines

From an operational perspective, the new 3-month rule represents a significant streamlining. Approved model changes must generally be implemented within three months. In the past, model adjustments from approval to implementation often took significantly longer, which is no longer tolerated. Only in exceptional cases - such as staggered roll-outs or jointly coordinated changes - may the three-month deadline be deviated from, and only with prior agreement from the supervisory authority. For banks, this means that development, testing and release processes must be significantly accelerated and parallelized. Agile methods in model IT and flexible data infrastructures become essential in order to make changes productive on time. Institutes that already use DevOps-like approaches have an advantage. Others need to adapt their release processes and governance to avoid creating a bottleneck between model approval and implementation.

ML-specific governance requirements

The use of machine learning creates dynamic models that can be subject to constant adaptation (e.g. through regular re-training). The guide responds to this with stricter monitoring and validation requirements for ML models. Highly complex or dynamic ML models should be tested more frequently and more intensively than conventional models. In particular, the ECB expects the internal audit department to adjust the audit frequency in accordance with the increased model risk. For very complex/dynamic ML models, a deep dive is typically required in the annual test plan, and in the event of unexpected events or new weaknesses, the ECB even recommends unscheduled additional tests.

Model validation also needs to master new tools: AI models require the use of explainability techniques in order to make results plausible. The guidelines require that institutions use a set of such explainability tools and evaluate them regularly. The XAI methods and tools used should be tested for their suitability and effectiveness at least once a year. This annual explainability “audit” is new and underlines the high value that the regulator places on the transparency of AI models. Banks must therefore ensure that they have the personnel and technical ability to manage the black box problem of ML models - be it through increased training, the use of appropriate software or the involvement of experts who can interpret these explainability reports.

Strategic implications for banks

Technology transformation required

The integration of AI and accelerated processes makes modernizing the technology landscape essential. Banks should in particular:

• Establishing Explainable AI Competence Centers
• Definition of clear criteria for AI use and model complexity
• Introduction of automated, continuous validation processes

ESG data infrastructures

In addition to the technical infrastructure, the data infrastructure is coming to the fore for ESG risks. Overall, banks must significantly expand their data warehouses in order to adequately quantify climate and environmental risks. Particularly in the credit risk area, it is important to feed in relevant climate data throughout the entire modeling process (from data preparation through development to calibration and validation). For example, climate risk indicators such as flood risk scores, geographical location data, greenhouse gas emissions, energy efficiency (e.g. in real estate financing), probability of stranded assets (for industries with high transition risk), ESG ratings or industry types should be systematically recorded in an internal database.

Building on this, the following steps are central:

• Development of comprehensive ESG databases
• Carrying out scenario analyzes and climate stress tests
• Integration of climate-related risk drivers into credit and market risk models

Governance professionalization

Increasing demands make an upgrade of model governance inevitable. Organizational and personnel measures are required to implement the guidelines efficiently:

• Establishment of an executive-level model governance body
• Regular top management training on risk assessment and model validation
• Foster interdisciplinary teams that quickly operationalize regulatory changes

International coordination and competition aspects

Level playing field challenges and harmonization

The non-simultaneous implementation ofBasel III, particularly the FRTB standard, raises global competition issues. While some Asian countries have already introduced the new market risk rules, the EU has postponed their mandatory implementation until 2027 in order to avoid competitive disadvantages compared to the USA and UK. This may provide short-term relief for European banks, but also carries the risk of falling behind compared to early implementation jurisdictions. The time gained should therefore be used to prepare trading book models and FRTB requirements.

At the same time, the ECB's strict AI standards (e.g. explainability requirement and annual ML tool validations) set new standards. Although European institutions are currently investing more resources than competitors in less regulated regions, this could be an advantage in the long term: banks that create transparency and reliability early on will enjoy greater trust from investors and customers. It is conceivable that international supervisory authorities will adopt parts of these standards - as well as ESG requirements.

Within Europe, the revised ECB guidelines ensure greater harmonization in the Single Supervisory Mechanism (SSM). Uniform and detailed specifications reduce the scope for interpretation, prevent regulatory arbitrage and ensure greater predictability. Less significant institutions (LSIs) are also likely to increasingly follow the ECB standards, as national supervisory authorities use their guidelines as a reference. Uniform standards thus strengthen the stability of the system and prevent “downward outliers”.

Practical implementation steps

Short to medium term priorities

Start pilot projects for Explainable AI:Banks should set up their first projects in the short term in which AI models with explainable methods (XAI) are used. The aim is to meet not only technical feasibility but also supervisory requirements for traceability and documentation. It is advisable to closely integrate model validation and compliance in order to identify weak points and regulatory gaps at an early stage.

Perform parallel calculations with AI and traditional models for performance comparisons:For selected portfolios, banks should introduce parallel operations in which AI-based models run alongside existing processes. This allows differences in risk assessment, stability and capital requirements to be quantified. This creates transparency towards the supervisory authority and provides well-founded arguments for later productive use.

Immediate expansion of ESG data capabilities and scenario analysis:Since integrating climate risks is a regulatory obligation, banks will need to expand their ESG data portfolios in the short term. This includes closing data gaps (e.g. missing environmental data from customers) and building powerful data infrastructures. In parallel, climate risk scenario analyzes should be carried out to understand the potential impacts on credit, market and counterparty risks and to incorporate the results into model development.

Long-term strategic adjustments

Establish modular, cloud-native IT architectures with CI/CD pipelines:In order to meet the stricter deadlines and increasing model complexity, banks must make their IT landscape fit for the future. Cloud-native platforms with continuous integration and continuous delivery processes enable faster development, automated validation and more efficient deployment of models. This drastically reduces implementation times and increases flexibility when making changes.

Increase human capital investments in technology, risk and regulatory expertise:The interaction of data science, risk and compliance know-how becomes a crucial success factor. Banks should invest specifically in training programs and develop specialists who understand the regulatory requirements as well as modern modeling and IT methods. Rotation-based training programs between departments as well as the targeted recruitment of experts in ESG, AI governance and IT architecture are particularly important.

Outlook and development trends

The revision of the ECB guidelines from July 2025 marks a clear paradigm shift towards technology-oriented banking supervision. Future updates are likely to continue on this path and address topics such as generative AI, large language models and the further integration of climate risks even more. For banks this means: Model development is a continuous process – standing still is not an option. Institutions that already use AI in a targeted and manageable manner, measurably integrate ESG risks and strengthen governance structures will secure a competitive advantage in the long term.

The ECB emphasizes that the guidance revision supports other initiatives such as model simplification. Compliance can thus become a strategic driver: Anyone who not only meets the new standards but exceeds them - for example through explainable AI and exemplary climate management - sends a strong signal to the market and supervisory authorities. The revision is therefore more than a regulatory adjustment: it offers banks the opportunity to sustainably professionalize internal models, technology and governance and thereby gain real resilience and competitive strength.

Next step: Free initial consultation

Do you want to meet compliance requirements efficiently? Our experts will be happy to advise you - without obligation and in a practical manner.Arrange an initial consultation now →

Next step: Free initial consultation

Do you want to meet compliance requirements efficiently? Our experts will be happy to advise you - without obligation and in a practical manner.Arrange an initial consultation now →

Next step: Free initial consultation

Do you want to meet compliance requirements efficiently? Our experts will be happy to advise you - without obligation and in a practical manner.Arrange an initial consultation now →