RWA accuracy: what recent ECB fines mean for Basel 3.1

In early 2026, the European Central Bank (ECB) published two enforcement decisions against major banking subsidiaries for breaches of Risk Weighted Assets (RWA) reporting requirements under the Capital Requirements Regulation. While one centred on misclassification of exposures and in incorrect eligibility assessment, that wrongly excluded certain transactions from RWA calculations, the other involved the use of internal models beyond their approved supervisory scope. The supervisory message, however, is the same.

Where model governance, interpretive discipline and internal oversight fall short, supervisors are prevented from forming an accurate view of prudential positions and capital ratios are misstated across multiple reporting periods. In both cases that meant extended periods of inaccurate reporting going undetected before regulatory action followed.

For firms currently working through the Basel 3.1 RWA exercise, which requires independent assurance of RWA calculations to be presented to the board, the timing and substance of both decisions are worth examining carefully.

What the ECB enforcement decisions found 

In the first case, the ECB imposed penalties totalling EUR 12.18 million across two separate reporting breaches. The first related to the misclassification of corporate exposures into incorrect exposure classes, resulting in understated RWAs for credit risk across 15 quarterly reporting periods spanning nearly four years. The second arose from the wrongful exclusion of certain counterparty transactions from CVA risk RWA calculations on the basis that they qualified as pension scheme arrangements when they did not, affecting 21 reporting periods over five years. Both breaches were deemed to involve serious negligence and were not detected by internal controls. Mitigating factors included self-identification of the breaches, cooperation with the ECB and remedial action taken to prevent recurrence.

In the second case, a penalty of EUR 6.2 million was imposed for a single breach covering six consecutive quarterly periods. The entity calculated own funds requirements for sovereign bond options using an internal model for which it did not have supervisory permission, despite being aware that the instruments fell outside its approved scope. Rather than seeking the necessary extension of its permissions, it proceeded regardless. The misconduct was assessed as intentional and the severity as high, with limited mitigation available given the entity had not self-identified the issue.

Model governance, interpretation risk and Basel 3.1

The cases illustrate two distinct dimensions of model risk that are directly relevant to the Basel 3.1 transition. The first is permissions risk: the risk that a model is applied to instruments or exposures that fall outside its supervisory approval. As Basel 3.1 reshapes the methodologies available to firms and, in some cases, restricts the use of internal models, ensuring that each model operates within its approved scope becomes increasingly critical. Model permission registers need to be current, and the boundary between approved and unapproved usage needs to be actively managed rather than assumed to be stable.

The second is interpretation risk: the risk that classification decisions or eligibility assessments embedded in RWA calculations are based on an incorrect reading of the regulatory requirements. This kind of error is particularly difficult to detect through standard internal review processes because those conducting the review often share the same understanding as those who established the approach in the first place. Independent challenge from outside the process is the mechanism most likely to surface it — and it is precisely what the Basel 3.1 assurance requirement is designed to provide. Firms that treat the assurance exercise as a box to be ticked, rather than a genuine test of whether the right methodology is being applied correctly, risk missing the point of the requirement entirely.

Basel 3.1 and SDDT regimes – PRA issues final rules

Read this article

What firms should do now

With Basel 3.1 now in implementation, firms are required to calculate RWAs under the revised framework and to present independent assurance of those calculations to the board  Both ECB decisions point to a risk that is easy to underestimate: that errors in RWA calculations often in the assumptions, classifications and model applications in the mechanics of the calculation itself. Independent assurance scoped only around calculation accuracy, whether the methodology has been applied correctly within an assumed set of inputs, will not catch the kinds of failures these cases illustrate.

Boards receiving assurance over their Basel 3.1 RWA calculations should satisfy themselves that the scope extends to the interpretive and governance layer - that classification decisions have been independently reviewed, model permissions verified against actual usage, and that the methodology being assured is the right one, not just one that has been consistently applied. With that in mind, firms should consider:

• Confirming that model permission registers are current and that internal models are not being applied to instruments or exposures that fall outside their approved scope, particularly as Basel 3.1 changes what is and is not permissible.
• Reviewing the interpretive basis for key classification and eligibility decisions in RWA calculations and ensuring those decisions have been subject to independent review rather than internal validation alone.
• Ensuring the scope of independent assurance for the Basel 3.1 rebasing exercise covers methodology selection, classification judgements and model permissions.
• Assessing whether internal controls over RWA reporting are calibrated to catch interpretation errors as well as arithmetic ones, and whether review processes are genuinely independent of those who established the methodology being reviewed.
• Where issues are identified through the assurance process, ensuring they are documented, escalated and addressed in a way that would withstand regulatory scrutiny. Both cases demonstrate that self‑identification and timely remediation are treated as meaningful mitigating factors by the ECB.

Transition to Basel 3.1 with the right approach and scope, is an opportunity to surface and address the kinds of issues these cases highlight, before they become a regulatory matter rather than an internal one.

To find out more about how to support your RWA assurance or Basel 3.1 rebasing exercise, contact Vivian Lagan, Kantilal Pithia and Paul Young.