Skip to content
RiskTemplates · The Daily Brief Friday, July 10, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Operational Risk

Basel III Endgame's Operational Risk Capital Overhaul: What the Business Indicator Formula Means for Your Loss Data Program

The March 2026 Basel III endgame re-proposals replace the Advanced Measurement Approach with a standardized formula for all Category I-IV banks — subjecting Category III-IV institutions to operational risk capital requirements for the first time. Here's what op risk teams need to understand and track.

By Rebecca Leung · June 23, 2026 ·
Table of Contents

TL;DR

  • The March 2026 Basel III endgame re-proposals replace the model-based Advanced Measurement Approach (AMA) with a Standardized Approach for Operational Risk (SA-OR) using a Business Indicator Component
  • Category III and IV banks ($100B–$700B in assets) face operational risk capital requirements for the first time under this framework — roughly $550B in additional RWA combined
  • The 2026 re-proposal eliminated the Internal Loss Multiplier from the 2023 version, but loss history is still factored in as a direct dollar-for-dollar additive
  • Comment period closed June 18, 2026; final rule expected late 2026 with a 2027 implementation start and 3–5 year phase-in
  • Op risk teams at $100B+ banks should begin mapping their loss data collection, business indicator metrics, and category definitions to the new framework now

The Basel III endgame comment period just closed June 18. The capital planning conversation at most large banks has focused on credit risk RWA, the market risk revisions, and the aggregate capital impact. The piece that’s getting less attention from op risk teams — who are often not in the capital planning meetings — is the operational risk overhaul. And that piece introduces requirements that have never applied to a large swath of the banking system before.

The Context: Why the AMA Is Being Replaced

The Advanced Measurement Approach (AMA) for operational risk capital was introduced as part of Basel II, giving large banks the ability to use their own internal models to calculate operational risk capital requirements. In theory, bank-specific models should produce more accurate and risk-sensitive capital requirements. In practice, the AMA created a system where similar institutions could hold dramatically different operational risk capital based on modeling choices, not actual risk differences.

The Basel Committee on Banking Supervision identified three problems with the AMA that the standardized approach resolves:

First, excessive variability. Independent studies found that identical operational risk profiles at different banks produced capital charges that varied by a factor of several times depending on which modeling assumptions the bank used. Capital requirements that diverge that widely from any common benchmark aren’t measuring risk — they’re measuring model choice.

Second, limited comparability. Regulators and investors couldn’t meaningfully compare operational risk capital adequacy across institutions because the inputs weren’t standardized. A bank with $2B in operational risk capital under AMA and a bank with $1.5B might not reflect any real difference in underlying operational risk exposure.

Third, complexity without benefit. The AMA required significant investment in model infrastructure, documentation, and validation that didn’t demonstrably improve risk measurement accuracy relative to simpler approaches.

The Standardized Approach for Operational Risk (SA-OR) replaces this with a formula-based capital requirement that uses publicly available financial data — income components — rather than internal models.

The March 2026 Re-Proposal: What Changed from 2023

The federal banking agencies issued their original Basel III endgame NPR in July 2023. Significant industry pushback resulted in the March 19, 2026 re-proposals — three separate NPRs from the Federal Reserve, OCC, and FDIC that represent what the agencies describe as “the most significant reset to the capital framework in more than a decade.”

For operational risk specifically, the key change between 2023 and 2026 is the treatment of loss history:

2023 proposal: Included an Internal Loss Multiplier (ILM) that adjusted the entire operational risk capital charge up or down based on a bank’s historical loss ratio versus a modeled expected loss benchmark. A bank with bad loss history relative to peers could see its ORC roughly double.

2026 re-proposal: Eliminated the ILM as a separate multiplier. Instead, a bank’s three-year average operational losses are added directly to the Business Indicator’s noninterest component as a dollar-for-dollar additive input.

The practical effect: loss history still matters, and banks with significant historical losses still face higher capital requirements. But the capital impact is now capped at a direct additive rather than a multiplicative factor applied to the entire charge. For most banks, this produces a more predictable capital calculation.

Two other notable changes in the re-proposal:

Fee income calculation shifted from gross to net basis. Under the 2023 proposal, fee and commission income was measured on a gross basis. The re-proposal moves to a net basis — income minus expenses associated with fee activities. This meaningfully reduces ORC for banks with significant fee-based businesses where gross revenues substantially exceed net margins.

Investment management carve-down. The agencies specifically reduced operational risk capital requirements for investment management activities, citing evidence that investment management has historically experienced “noticeably low operational losses relative to income produced.” This benefits trust banks, custody banks, and large asset managers that were disproportionately penalized under the gross fee income approach.

The Business Indicator Component: How It Works

The Business Indicator Component (BIC) is the foundational element of the SA-OR calculation. It’s a proxy for bank business volume — similar in concept to a revenue-based approximation of operational risk exposure.

The BIC is calculated as the three-year rolling average of three income measures:

ComponentWhat It CapturesExamples
Interest, Lease, and Dividend ComponentLending and investment activitiesLoan interest, investment income, lease payments received
Services ComponentFee and commission-based activitiesTransaction fees, advisory fees, custody fees, payment processing fees
Financial ComponentTrading and treasury activitiesTrading gains/losses, net FX, net derivatives

Under the re-proposal, the BIC is then adjusted by adding the bank’s average annual net operational losses over a three-year period. The result is the Operational Risk Capital (ORC) requirement.

The formula produces a number that increases when:

  • Business volume grows (larger BIC)
  • Historical operational losses increase (higher additive)

And decreases when:

  • Fee income is measured net rather than gross (smaller Services Component)
  • Investment management activity is discounted (category-specific reduction)

Which Banks Are Affected — and Who Faces This for the First Time

The operational risk capital requirements apply to Category I through Category IV banking organizations. The categories are defined by the Federal Reserve’s tailoring rule:

  • Category I: The eight U.S. global systemically important banks (G-SIBs), including JPMorgan Chase, Bank of America, Citigroup, Wells Fargo, Goldman Sachs, Morgan Stanley, Bank of New York Mellon, and State Street
  • Category II: Large firms with $700 billion or more in total assets, or $75 billion or more in cross-jurisdictional activity
  • Category III: Firms with $250 billion to $700 billion in total assets or $75 billion or more in certain risk indicators
  • Category IV: Firms with $100 billion to $250 billion in total assets

The critical point for op risk teams: Category III and IV banks face operational risk capital requirements for the first time under this framework. Under current rules, these banks are not subject to AMA or any standardized operational risk capital charge — they hold operational risk capital only to the extent their internal risk appetite or regulatory requirements otherwise compel it. The SA-OR changes that.

The regulatory estimates for the capital impact:

CategoryEstimated RWA Increase
Category I and II~$1.4 trillion
Category III and IV~$550 billion

Category III-IV banks have more prep work to do, not less. They’re building ORC compliance from scratch rather than transitioning from an existing AMA infrastructure.

What This Means for Your Op Risk Data Program

If you’re at a bank in the Category I-IV range, the SA-OR calculation depends on data your op risk team may or may not be collecting systematically today.

Business indicator data. The BIC calculation requires clean, consistently categorized income data across the three components: interest/lease/dividend, services (net fee income), and financial (trading). Most large banks track this through their financial reporting infrastructure. But if your income categorization doesn’t map cleanly to the SA-OR component definitions, that translation work needs to happen now — not when you’re implementing the final rule.

Operational loss data. The direct additive for loss history requires three years of operational loss data, categorized by the seven Basel loss event types:

  1. Internal fraud
  2. External fraud
  3. Employment practices and workplace safety
  4. Clients, products, and business practices
  5. Damage to physical assets
  6. Business disruption and system failures
  7. Execution, delivery, and process management

Banks that already have a mature operational loss event database aligned to Basel categories are in good shape. Banks that have been tracking operational losses in an ad hoc or inconsistently categorized way — which includes many Category III-IV institutions that weren’t previously subject to AMA capital requirements — have remediation work to do before the phase-in begins.

Minimum data thresholds. The final rule will include minimum thresholds for what counts as a reportable operational loss event. Ensuring your loss data collection process captures events at (and below) the applicable threshold, with consistent documentation of event type, date, gross loss, and net recovery, is foundational to a credible capital calculation.

Loss recovery tracking. The additive is based on net operational losses — gross losses minus recoveries (including insurance recoveries). This means your loss event database needs to capture recoveries, including insurance payouts, as updates to individual loss events. If your current loss event tracking closes the event at gross loss and doesn’t systematically update for recoveries, that’s a data quality gap.

One practical approach: use your existing KRI framework to monitor the operational risk indicators that connect to your loss data program — incident frequency, loss event severity, recovery rates, and loss event categorization quality. A pre-built KRI library that includes operational risk metrics can accelerate this work. The KRI Library (132 Key Risk Indicators) includes operational loss KRIs calibrated for financial services teams, including frequency, severity, and root-cause distribution metrics that connect to Basel categorization. Get it here: buy.stripe.com/eVq5kw2cPcNZazP6uW6J209.

Connecting ORC to Your Risk Management Infrastructure

The SA-OR is a capital calculation — it tells you how much capital to hold, not how to manage operational risk. But the two aren’t separate.

The inputs to the SA-OR (income components and loss history) should be the same data your op risk program uses for risk identification and trend analysis. If your internal op risk processes are tracking a different set of loss events than what you’ll need for the capital calculation, or if your loss categorization doesn’t align to Basel event types, you’re building two parallel systems that will diverge.

The better approach: align your loss event database, your RCSA, and your KRI framework now so that the data needed for capital calculation is a byproduct of your regular risk management processes — not a separate annual data-gathering exercise.

For the full Basel III endgame context for regional banks, including credit risk and overall capital impact, see this earlier post. For the operational loss data collection fundamentals that feed into this calculation, see the operational loss data collection framework here.

Timeline: What Happens After June 18

The comment period closed June 18, 2026. The three Basel III endgame re-proposals — covering the Basel III standardized approach, the G-SIB surcharge, and the standalone standardized approach — are now in the review and finalization phase.

Current industry expectation:

  • Final rule: Late 2026
  • Implementation start: 2027, with a three-to-five year phase-in period
  • Phase-in structure: Capital requirements expected to ramp incrementally over the phase-in period rather than applying fully on day one

For Category I-II banks that already have AMA infrastructure, the transition involves converting existing models and data to SA-OR compliance. For Category III-IV banks that are building from scratch, the effective runway is shorter than it looks — three years of loss data means you need clean data from 2024, 2025, and 2026 when the first calculation year arrives.

So What?

The Basel III endgame operational risk capital changes are going to require more from op risk teams than the credit risk and market risk revisions — partly because the data infrastructure requirements are different, and partly because Category III-IV institutions have never built this before.

If you’re at a bank in the $100B–$700B range, this is the moment to:

  1. Map your existing income data to the BIC’s three components and identify classification gaps
  2. Assess your operational loss event database against Basel’s seven loss type categories
  3. Confirm your loss recovery tracking captures insurance and other recoveries as event-level updates
  4. Identify which of your existing KRIs connect to loss data quality and business indicator accuracy

The comment period is closed. The final rule is coming. The institutions that start the data infrastructure work now will have optionality when the final rule publishes — institutions that wait won’t.


Sources:

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What's the difference between the 2023 Basel III endgame proposal and the March 2026 re-proposal for operational risk?
The 2023 proposal included an Internal Loss Multiplier (ILM) that adjusted operational risk capital based on a bank's historical loss ratio relative to peers. The March 2026 re-proposal eliminated the ILM as a multiplier — but operational loss history still matters. Under the 2026 version, a bank's average three-year operational losses are added directly to the Business Indicator's noninterest component as a dollar-for-dollar additive input, rather than applied as a multiplier to the entire capital charge.
How is the Business Indicator Component calculated?
The Business Indicator Component (BIC) is derived from the three-year rolling average of three income measures: (1) interest, lease, and dividend income from lending and investment activities; (2) services income from fee and commission-based activities; and (3) financial income from trading activities. The BIC is then used to determine the base Operational Risk Capital (ORC) charge before loss history adjustments.
Are community banks or Category V banks affected by the new ORC requirements?
No. The operational risk capital requirements under Basel III endgame apply only to Category I through IV banking organizations — those with $100 billion or more in total assets. Community banks, smaller regional banks, and Category V institutions are not subject to these requirements.
What operational loss data does my team need to collect for the new framework?
The 2026 re-proposal ties loss history directly to the capital calculation as a direct additive. Banks need three years of operational loss data that captures the size and frequency of individual loss events. The key categories under the Basel framework include internal fraud, external fraud, employment practices, clients/products/business practices, damage to physical assets, business disruption/system failures, and execution/delivery/process management.
What's the expected implementation timeline after the June 18 comment period closed?
The agencies issued three re-proposals in March 2026 with comments due June 18, 2026. The current trajectory is a final rule in late 2026, with implementation beginning in 2027 and a three-to-five year phase-in period. Category III-IV banks facing ORC requirements for the first time have the most prep work to do before the phase-in starts.
Does the new operational risk capital framework replace RCSA?
No. The Standardized Approach for Operational Risk (SA-OR) is a capital calculation methodology — it determines how much capital the bank holds against operational risk. RCSA (Risk and Control Self-Assessment) is a risk identification and control evaluation tool. They serve different purposes and the SA-OR doesn't eliminate the need for a sound RCSA and op risk management program. If anything, better loss data collection from a strong RCSA feeds more accurate inputs into the capital calculation.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

KRI Library (132 Key Risk Indicators)

132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.