Feature Operational Risk
Basel III Endgame's Operational Risk Capital Overhaul: What the Business Indicator Formula Means for Your Loss Data Program
The March 2026 Basel III endgame re-proposals replace the Advanced Measurement Approach with a standardized formula for all Category I-IV banks — subjecting Category III-IV institutions to operational risk capital requirements for the first time. Here's what op risk teams need to understand and track.
Table of Contents
TL;DR
- The March 2026 Basel III endgame re-proposals replace the model-based Advanced Measurement Approach (AMA) with a Standardized Approach for Operational Risk (SA-OR) using a Business Indicator Component
- Category III and IV banks ($100B–$700B in assets) face operational risk capital requirements for the first time under this framework — roughly $550B in additional RWA combined
- The 2026 re-proposal eliminated the Internal Loss Multiplier from the 2023 version, but loss history is still factored in as a direct dollar-for-dollar additive
- Comment period closed June 18, 2026; final rule expected late 2026 with a 2027 implementation start and 3–5 year phase-in
- Op risk teams at $100B+ banks should begin mapping their loss data collection, business indicator metrics, and category definitions to the new framework now
The Basel III endgame comment period just closed June 18. The capital planning conversation at most large banks has focused on credit risk RWA, the market risk revisions, and the aggregate capital impact. The piece that’s getting less attention from op risk teams — who are often not in the capital planning meetings — is the operational risk overhaul. And that piece introduces requirements that have never applied to a large swath of the banking system before.
The Context: Why the AMA Is Being Replaced
The Advanced Measurement Approach (AMA) for operational risk capital was introduced as part of Basel II, giving large banks the ability to use their own internal models to calculate operational risk capital requirements. In theory, bank-specific models should produce more accurate and risk-sensitive capital requirements. In practice, the AMA created a system where similar institutions could hold dramatically different operational risk capital based on modeling choices, not actual risk differences.
The Basel Committee on Banking Supervision identified three problems with the AMA that the standardized approach resolves:
First, excessive variability. Independent studies found that identical operational risk profiles at different banks produced capital charges that varied by a factor of several times depending on which modeling assumptions the bank used. Capital requirements that diverge that widely from any common benchmark aren’t measuring risk — they’re measuring model choice.
Second, limited comparability. Regulators and investors couldn’t meaningfully compare operational risk capital adequacy across institutions because the inputs weren’t standardized. A bank with $2B in operational risk capital under AMA and a bank with $1.5B might not reflect any real difference in underlying operational risk exposure.
Third, complexity without benefit. The AMA required significant investment in model infrastructure, documentation, and validation that didn’t demonstrably improve risk measurement accuracy relative to simpler approaches.
The Standardized Approach for Operational Risk (SA-OR) replaces this with a formula-based capital requirement that uses publicly available financial data — income components — rather than internal models.
The March 2026 Re-Proposal: What Changed from 2023
The federal banking agencies issued their original Basel III endgame NPR in July 2023. Significant industry pushback resulted in the March 19, 2026 re-proposals — three separate NPRs from the Federal Reserve, OCC, and FDIC that represent what the agencies describe as “the most significant reset to the capital framework in more than a decade.”
For operational risk specifically, the key change between 2023 and 2026 is the treatment of loss history:
2023 proposal: Included an Internal Loss Multiplier (ILM) that adjusted the entire operational risk capital charge up or down based on a bank’s historical loss ratio versus a modeled expected loss benchmark. A bank with bad loss history relative to peers could see its ORC roughly double.
2026 re-proposal: Eliminated the ILM as a separate multiplier. Instead, a bank’s three-year average operational losses are added directly to the Business Indicator’s noninterest component as a dollar-for-dollar additive input.
The practical effect: loss history still matters, and banks with significant historical losses still face higher capital requirements. But the capital impact is now capped at a direct additive rather than a multiplicative factor applied to the entire charge. For most banks, this produces a more predictable capital calculation.
Two other notable changes in the re-proposal:
Fee income calculation shifted from gross to net basis. Under the 2023 proposal, fee and commission income was measured on a gross basis. The re-proposal moves to a net basis — income minus expenses associated with fee activities. This meaningfully reduces ORC for banks with significant fee-based businesses where gross revenues substantially exceed net margins.
Investment management carve-down. The agencies specifically reduced operational risk capital requirements for investment management activities, citing evidence that investment management has historically experienced “noticeably low operational losses relative to income produced.” This benefits trust banks, custody banks, and large asset managers that were disproportionately penalized under the gross fee income approach.
The Business Indicator Component: How It Works
The Business Indicator Component (BIC) is the foundational element of the SA-OR calculation. It’s a proxy for bank business volume — similar in concept to a revenue-based approximation of operational risk exposure.
The BIC is calculated as the three-year rolling average of three income measures:
| Component | What It Captures | Examples |
|---|---|---|
| Interest, Lease, and Dividend Component | Lending and investment activities | Loan interest, investment income, lease payments received |
| Services Component | Fee and commission-based activities | Transaction fees, advisory fees, custody fees, payment processing fees |
| Financial Component | Trading and treasury activities | Trading gains/losses, net FX, net derivatives |
Under the re-proposal, the BIC is then adjusted by adding the bank’s average annual net operational losses over a three-year period. The result is the Operational Risk Capital (ORC) requirement.
The formula produces a number that increases when:
- Business volume grows (larger BIC)
- Historical operational losses increase (higher additive)
And decreases when:
- Fee income is measured net rather than gross (smaller Services Component)
- Investment management activity is discounted (category-specific reduction)
Which Banks Are Affected — and Who Faces This for the First Time
The operational risk capital requirements apply to Category I through Category IV banking organizations. The categories are defined by the Federal Reserve’s tailoring rule:
- Category I: The eight U.S. global systemically important banks (G-SIBs), including JPMorgan Chase, Bank of America, Citigroup, Wells Fargo, Goldman Sachs, Morgan Stanley, Bank of New York Mellon, and State Street
- Category II: Large firms with $700 billion or more in total assets, or $75 billion or more in cross-jurisdictional activity
- Category III: Firms with $250 billion to $700 billion in total assets or $75 billion or more in certain risk indicators
- Category IV: Firms with $100 billion to $250 billion in total assets
The critical point for op risk teams: Category III and IV banks face operational risk capital requirements for the first time under this framework. Under current rules, these banks are not subject to AMA or any standardized operational risk capital charge — they hold operational risk capital only to the extent their internal risk appetite or regulatory requirements otherwise compel it. The SA-OR changes that.
The regulatory estimates for the capital impact:
| Category | Estimated RWA Increase |
|---|---|
| Category I and II | ~$1.4 trillion |
| Category III and IV | ~$550 billion |
Category III-IV banks have more prep work to do, not less. They’re building ORC compliance from scratch rather than transitioning from an existing AMA infrastructure.
What This Means for Your Op Risk Data Program
If you’re at a bank in the Category I-IV range, the SA-OR calculation depends on data your op risk team may or may not be collecting systematically today.
Business indicator data. The BIC calculation requires clean, consistently categorized income data across the three components: interest/lease/dividend, services (net fee income), and financial (trading). Most large banks track this through their financial reporting infrastructure. But if your income categorization doesn’t map cleanly to the SA-OR component definitions, that translation work needs to happen now — not when you’re implementing the final rule.
Operational loss data. The direct additive for loss history requires three years of operational loss data, categorized by the seven Basel loss event types:
- Internal fraud
- External fraud
- Employment practices and workplace safety
- Clients, products, and business practices
- Damage to physical assets
- Business disruption and system failures
- Execution, delivery, and process management
Banks that already have a mature operational loss event database aligned to Basel categories are in good shape. Banks that have been tracking operational losses in an ad hoc or inconsistently categorized way — which includes many Category III-IV institutions that weren’t previously subject to AMA capital requirements — have remediation work to do before the phase-in begins.
Minimum data thresholds. The final rule will include minimum thresholds for what counts as a reportable operational loss event. Ensuring your loss data collection process captures events at (and below) the applicable threshold, with consistent documentation of event type, date, gross loss, and net recovery, is foundational to a credible capital calculation.
Loss recovery tracking. The additive is based on net operational losses — gross losses minus recoveries (including insurance recoveries). This means your loss event database needs to capture recoveries, including insurance payouts, as updates to individual loss events. If your current loss event tracking closes the event at gross loss and doesn’t systematically update for recoveries, that’s a data quality gap.
One practical approach: use your existing KRI framework to monitor the operational risk indicators that connect to your loss data program — incident frequency, loss event severity, recovery rates, and loss event categorization quality. A pre-built KRI library that includes operational risk metrics can accelerate this work. The KRI Library (132 Key Risk Indicators) includes operational loss KRIs calibrated for financial services teams, including frequency, severity, and root-cause distribution metrics that connect to Basel categorization. Get it here: buy.stripe.com/eVq5kw2cPcNZazP6uW6J209.
Connecting ORC to Your Risk Management Infrastructure
The SA-OR is a capital calculation — it tells you how much capital to hold, not how to manage operational risk. But the two aren’t separate.
The inputs to the SA-OR (income components and loss history) should be the same data your op risk program uses for risk identification and trend analysis. If your internal op risk processes are tracking a different set of loss events than what you’ll need for the capital calculation, or if your loss categorization doesn’t align to Basel event types, you’re building two parallel systems that will diverge.
The better approach: align your loss event database, your RCSA, and your KRI framework now so that the data needed for capital calculation is a byproduct of your regular risk management processes — not a separate annual data-gathering exercise.
For the full Basel III endgame context for regional banks, including credit risk and overall capital impact, see this earlier post. For the operational loss data collection fundamentals that feed into this calculation, see the operational loss data collection framework here.
Timeline: What Happens After June 18
The comment period closed June 18, 2026. The three Basel III endgame re-proposals — covering the Basel III standardized approach, the G-SIB surcharge, and the standalone standardized approach — are now in the review and finalization phase.
Current industry expectation:
- Final rule: Late 2026
- Implementation start: 2027, with a three-to-five year phase-in period
- Phase-in structure: Capital requirements expected to ramp incrementally over the phase-in period rather than applying fully on day one
For Category I-II banks that already have AMA infrastructure, the transition involves converting existing models and data to SA-OR compliance. For Category III-IV banks that are building from scratch, the effective runway is shorter than it looks — three years of loss data means you need clean data from 2024, 2025, and 2026 when the first calculation year arrives.
So What?
The Basel III endgame operational risk capital changes are going to require more from op risk teams than the credit risk and market risk revisions — partly because the data infrastructure requirements are different, and partly because Category III-IV institutions have never built this before.
If you’re at a bank in the $100B–$700B range, this is the moment to:
- Map your existing income data to the BIC’s three components and identify classification gaps
- Assess your operational loss event database against Basel’s seven loss type categories
- Confirm your loss recovery tracking captures insurance and other recoveries as event-level updates
- Identify which of your existing KRIs connect to loss data quality and business indicator accuracy
The comment period is closed. The final rule is coming. The institutions that start the data infrastructure work now will have optionality when the final rule publishes — institutions that wait won’t.
Sources:
- Federal Reserve Board: Agencies Request Comment on Proposals to Modernize the Regulatory Capital Framework (March 19, 2026)
- Deloitte: Basel III Endgame & Operational Risk Capital Standard
- Freshfields: Basel III Endgame, Take Two — 8 Key Takeaways from the Federal Banking Agencies’ Capital Re-Proposals
- ABA Banking Journal: Rethinking Operational Risk in the Basel III Endgame
- American Bankers Association: Over-Estimation of the Basel III Endgame Operational Risk Capital Requirements
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
KRI Library (132 Key Risk Indicators)
132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What's the difference between the 2023 Basel III endgame proposal and the March 2026 re-proposal for operational risk?
How is the Business Indicator Component calculated?
Are community banks or Category V banks affected by the new ORC requirements?
What operational loss data does my team need to collect for the new framework?
What's the expected implementation timeline after the June 18 comment period closed?
Does the new operational risk capital framework replace RCSA?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
KRI Library (132 Key Risk Indicators)
132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.
◆ Keep reading
Related posts.
Operational Risk
1,155 Violations and $1.2 Billion in Restitution: What the FDIC's Spring 2026 Supervisory Highlights Say About Where Your Program Gets Tested
The FDIC's Spring 2026 Consumer Compliance Supervisory Highlights documented 1,155 violations from 2025 exams — with TILA/Reg Z alone accounting for 462, flood insurance violations generating $150 million in orders, and formal enforcement actions requiring $1.2 billion in restitution. Here's how to use the FDIC's own findings as a self-assessment checklist before your next examination.
Jul 8, 2026
Operational Risk
KRI Library vs. Building Your KRIs From Scratch: An Honest Comparison
Buy a pre-built KRI library or derive key risk indicators internally? Real thresholds, real trade-offs, and where each approach actually wins.
Jul 8, 2026
Operational Risk
What the OCC's CFSB Consent Order Says About BSA/AML Risk in Fintech Payment Partnerships
On May 21, 2026, the OCC released a consent order against Community Federal Savings Bank—sponsor bank for Wise and Crypto.com—for BSA/AML failures tied directly to rapid payment processing growth. The core problem wasn't the fintech partners. It was that alert tuning, CDD, and staffing never scaled with transaction volume. Here's the operational risk lesson for every institution growing through fintech relationships.
Jul 7, 2026