
EBA update on retail granularity: How to embed the one-step approach in your SFO in a legally robust way

At its core, this is about the question of when a loan portfolio under the Standardised Approach is considered “sufficiently granular” in order to benefit from the privileged risk weight of 75% (instead of 100%). While the draft phase was still characterised by a bureaucratic “iterative procedure” that would have posed operational hurdles for many institutions, the EBA has now established the one-step approach.

This simplification, coupled with raising the tolerance threshold to 10%, is a win for proportionality. Institutions thus gain planning certainty for their RWA calculation (Risk Weighted Assets).
The guidelines harmonise the application of Art. 123 CRR across the EU and close the gap to the Basel III framework. For banks, this means: the hurdles for capital relief in the retail business are lowered, while the requirements for data quality and the identification of connected clients (Art. 4 CRR) remain measurable. An important step to strengthen the competitiveness of European retail banking.

The EBA’s timing could hardly be more relevant: with the final guidelines on proportional diversification of retail exposures published on 13 February 2026, the supervisor finally provides the urgently needed clarity for the application of Art. 123 CRR. While the consultation draft still threatened a complicated iterative procedure, the EBA has now shown an understanding of institutions’ operational reality. By switching to a one-step approach and raising the tolerance limit to 10%, the administrative effort is significantly reduced without jeopardising regulatory certainty.

For banks, this means a more stable basis for making use of the privileged risk weight of 75%. The guidelines harmonise the assessment of granularity across the EU and thus consistently implement the Basel III framework. This is not just about technical details, but about optimising capital requirements under the Standardised Approach—a lever that is crucial for the profitability of the retail business in the current market environment.

 

 

 


FAQ: EBA guidelines on the granularity of retail portfolios – What does the SFO update mean?


  • What do the new EBA guidelines of 13 February 2026 regulate?

    The EBA guidelines specify the application of Art. 123 CRR
    on the diversification of retail exposures under the Standardised Approach.
    The aim is an EU-wide harmonised assessment of when a
    loan portfolio is sufficiently granular in order to be able to apply the
    privileged risk weight of 75% instead of 100%.


  • Why are the guidelines economically relevant for banks?

    The 75% risk weight reduces Risk Weighted Assets (RWA)
    compared with the standard risk weight of 100%. This lowers
    the capital requirement and institutions can deploy capital more efficiently—
    for example for new business or to improve
    return on equity (RoE).


  • What does the 0.2% granularity criterion mean?

    Under Art. 123(1)(c) CRR, the total exposure
    to a single client or a group of connected clients
    may be a maximum of 0.2% of the total retail portfolio.
    This criterion ensures that no excessive
    concentration of individual borrowers arises.


  • What changes with the new 10% tolerance threshold?

    Individual exposures may exceed the 0.2% limit,
    provided that these exceedances in total account for no more than
    10% of the total retail portfolio.
    This significantly softens the previously planned stricter interpretation
    and makes it more practical.


  • What does the EBA’s new one-step approach mean?

    The EBA dispenses with the originally planned
    iterative review procedure. Instead of several calculation steps,
    granularity is now checked in a single
    calculation step. This reduces
    complexity, susceptibility to errors and audit effort.


  • What role does the “group of connected clients” (GCC) play?

    The granularity test is carried out not only at the
    individual borrower level, but at the level
    of a group of connected clients pursuant to
    Art. 4(1)(39) CRR.
    Incorrectly identified client connections can
    lead to the 0.2% limit being exceeded
    unnoticed.


  • How important is data quality for applying the 75% risk weight?

    A precise data basis is crucial.
    Without complete information on
    borrower structures, beneficial owners
    and client connections, granularity
    cannot be demonstrated. In this case,
    the privileged risk weight may be
    withdrawn by the supervisor.


  • What interface is there with anti-money laundering (AML) prevention?

    AML and KYC data are central for the
    identification of groups of connected clients.
    The information on beneficial owners
    and corporate links forms the
    basis for the correct aggregation of
    credit risks within the meaning of the CRR.


  • What tasks arise for compliance departments?

    Compliance must continuously monitor compliance with the 10% ratio
    and ensure that the one-step approach is correctly documented in the
    Written Procedures (SFO).
    In addition, review processes to validate
    data aggregation are required.


  • What deadlines apply for implementing the guidelines?

    The final guidelines were published on 13 February 2026.
    After completion of the translation phase and adoption
    into national supervisory practice, full
    operational application is expected from
    1 January 2027—consistent with
    the Basel III/CRR III framework.


  • What adjustments are necessary in the Written Procedures (SFO)?

    Institutions must update internal policies,
    in particular on the calculation of granularity,
    on the definition of connected clients,
    on monitoring the 10% ratio and on
    documenting the one-step procedure.
    These adjustments should be implemented well in advance
    of the entry into force in 2027.

I. EBA granularity criteria

 

 

[Infographic: EBA granularity criteria – retail portfolio. Requirements for 75% risk weight under Art. 123 CRR]

Note:
Coordination across Risk, Compliance and IT required—
internal positions ideally aligned by the end of April.

 

  • The 0.2% basic criterion (Art. 123(1)(c) CRR): To ensure granularity, the total risk vis-à-vis a single client (or a group of connected clients) may not exceed 0.2% of the total retail portfolio. This remains the “gold standard” of diversification.
  • The 10% tolerance threshold: Institutions may apply the 75% risk weight even if individual positions breach the 0.2% hurdle—provided that these “outliers” in total account for no more than 10% of the portfolio value. This is a doubling compared to the original draft.
  • One step instead of iteration: The EBA dispenses with the originally planned multi-stage calculation procedure. This makes the calculation of RWAs (Risk Weighted Assets) less prone to errors and easier for internal audit to review.
  • Differentiation for securitisations: The guidelines introduce specific review mechanisms for originators and investors. This clarifies how securitised retail receivables are to be included in the granularity test.
  • Data safe harbour for investors: For investors in securitisations, there is a temporary exemption if obligor data are not immediately available due to missing transparency templates—a pragmatic bridge for the secondary market.
  • Harmonisation of the “group of connected clients” (Art. 4(1)(39) CRR): The guidelines sharpen the need to identify client connections precisely, as faulty aggregation can violate the 0.2% criterion unnoticed.

II. Strategic relevance: Compliance, AML & C-level

  • Compliance & data quality: Monitoring the 10% ratio requires robust reporting. Compliance departments must ensure that thresholds are not gradually exceeded, as this would have immediate effects on capital requirements.
  • Anti-money laundering (AML) & KYC: Identifying “groups of connected clients” is a prime example of synergies. The data AML teams collect to identify beneficial owners are the foundation for correct risk weighting. No clean KYC, no 75% privilege.
  • C-level (capital efficiency): For CFOs and CROs, the rule is a lever for return on equity (RoE). The difference of 25 percentage points in risk weight can free up millions in CET1 for large portfolios, which can be used for new business or dividends.

II. Timeline: The key deadlines at a glance

 

Key deadlines at a glance (EBA guidelines · implementation roadmap 2026–2027)

  • 13 February 2026 (completed): Official publication of the final guidelines. Starting signal for the internal gap analysis: institutions must compare existing processes and systems with the new granularity requirements.
  • Q2/Q3 2026 (ongoing): Completion of the translation phase into all EU official languages and subsequent adoption into the national supervisory practice of the Member States.
  • 1 January 2027 (target date): Expected date for full operational application in line with the final Basel 3.1 / CRR III package. Systems, reporting and processes must be fully adapted.

III. Specific duties for persons acting with responsibility

 

[Infographic: Duties for the key functions. EBA granularity criteria · responsibilities & normative references]

 

1. Compliance (Monitoring & governance)

The compliance function is responsible for compliance with the regulatory framework.

Monitoring duty: monitoring of the 10% ratio to prevent “threshold creep” (gradual exceedance), which would lead to sudden additional capital requirements.

Process audit: ensuring that the one-step approach is embedded in the documentation consistently and in an audit-proof manner.

Normative reference: Art. 123 CRR in conjunction with MaRisk (AT 4.4.2).

2. AML officer / AML (data synergies)

Although this function is primarily responsible for AML, its data are now worth “hard capital”.

KYC data quality: Identifying beneficial owners and interconnections is the foundation for forming the “group of connected clients”. AML data must flow precisely into risk management.

Identification duty: Without seamless KYC, the 75% privilege may be withdrawn during an audit, because granularity cannot be demonstrated.

Normative reference: Art. 4(1)(39) CRR & GwG.

3. C-level (strategy & capital efficiency)

For CFOs and CROs this is a question of profitability.

Capital planning: The difference between 75% and 100% risk weight is a lever for return on equity (RoE). Management must define risk appetite with regard to the 10% tolerance.

Resource allocation: Ensuring that IT and risk reporting can implement the new data requirements in time (by 1 January 2027).

Normative reference: Strategic responsibility pursuant to KWG / CRD.

IV. Key problem areas

 

Summary of problem areas (EBA granularity criteria · risks by stakeholder function)

| Stakeholder | Core issue | Consequence in case of errors |
|---|---|---|
| C-level | Capital tied up & strategy | Declining return on equity |
| Compliance | Data precision (GCC formation) | Findings in supervisory inspections |
| Money laundering | Data reconciliation (KYC vs. CRR) | Missing money-laundering structures |

 

The publication of the final EBA guidelines on 13 February 2026 marks a turning point for the regulatory treatment of retail portfolios. While raising the tolerance ratio to 10% and dispensing with the iterative procedure may sound like relief on the surface, the devil is in the detail for the various function holders.

Here is an analysis of the specific challenges for the roles involved:

1. C-level (CEO, CRO, CFO)

For executive management and the management board, capital costs and strategic direction are the focus.

  • RWA volatility & capital planning: If a portfolio fails to meet the granularity criteria (0.2% threshold incl. 10% tolerance), the risk weight jumps from 75% to 100%. This has immediate effects on the Common Equity Tier 1 (CET1) ratio. Management must decide whether buffers should be held or whether riskier large retail loans should be reduced.
  • IT investment backlog: The “one-step approach” sounds simple, but it requires precise, automated data aggregation. The C-level must approve budget for adapting core banking systems to ensure daily or monthly monitoring.
  • Competitiveness: Institutions that can efficiently utilise the 10% ratio can price more aggressively than those that remain conservatively below 5% to keep buffers.

2. Compliance function

Compliance faces the task of guaranteeing adherence to rules in a complex data environment.

  • Delineation of the “group of connected clients” (GCC): This is the biggest operational hurdle. The 0.2% threshold does not apply per individual contract, but per group of connected clients. Compliance must ensure that the linking logic (control and economic dependency) meets CRR requirements.
  • Monitoring the 10% ratio: Monitoring the exceedance ratio is a “moving target”. Since the total volume of the portfolio is constantly changing, repayment of a large loan or new business can cause other loans to suddenly breach the 10% limit.
  • Documentation duties: Particularly when relying on the “temporary exemption” for securitisations, compliance must be able to demonstrate seamlessly why data were not available and when they were requested.

3. Money Laundering Reporting Officer (MLRO)

Although these are primarily credit risk rules, there is a critical interface with anti-money laundering.

  • Data inconsistency (KYC vs. risk): If the risk department aggregates clients into a “group of connected clients” (e.g. due to economic dependence), but the AML department does not see these connections in its KYC profiles, a compliance risk arises. The MLRO must check whether these credit linkages indicate concealed structures or strawman arrangements.
  • Increased transparency for securitisations: The guidelines require investors to have greater access to obligor data. If, as part of this review, the MLRO becomes aware of problematic end borrowers in an acquired portfolio, the question arises of reporting obligations (SAR) and reputational risk.

V. Catalogue of measures

 

 

[Infographic: Priority measures · EBA guidelines 2026. From reactive reporting to proactive steering: one-step approach & 10% tolerance limit]

 

To comply with the new EBA guidelines (as of February 2026), institutions must move from purely reactive reporting to proactive steering. The changeover from the iterative procedure to the one-step approach with the 10% tolerance limit requires concrete procedural and technical adjustments.

Here are the priority measures, broken down by functional areas:

1. Strategic & steering measures (C-level)

Adjust the Risk Appetite Framework (RAF): The 10% ratio should not be utilised to the limit. Management must define internal warning thresholds (e.g. at 8.5%) so that market fluctuations do not immediately push the institution into the 100% RWA range.

RWA impact analysis & capital allocation: Run a simulation of how exceeding the 10% limit affects the CET1 ratio. Where appropriate, pricing for “large retail loans” (close to the 0.2% threshold) must be adjusted to reflect higher capital consumption.

Approve budget for data infrastructure: Ensure that IT resources are available to carry out the granularity test in an automated and timely manner (ideally daily).

2. Operational & technical measures (risk management & IT)

Automate the one-step approach: Implement an algorithm that:

  1. Sums the eligible total portfolio.
  2. Identifies all groups of connected clients (GCCs) that account for > 0.2%.
  3. Checks whether their sum is ≤ 10% of the total volume.

Data clean-up of “groups of connected clients” (GCCs): Since the 0.2% threshold applies at GCC level, error-free linking of borrowers is essential. Outdated or missing links lead to artificial granularity, which can result in massive additional capital requirements in an audit.
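The three steps and the GCC clean-up point above, run over a constructed portfolio, as an added example (not code from the EBA guidelines or from this page's author). It follows the page's description only: the function names, the sample data and the union-find grouping of client links are assumptions, and the guidelines' exact exposure definitions are not modelled.

```python
from collections import defaultdict
from decimal import Decimal

LIMIT = Decimal("0.002")      # 0.2% per group of connected clients (GCC)
TOLERANCE = Decimal("0.10")   # outliers may total at most 10% of the portfolio
WARNING = Decimal("0.085")    # internal early-warning level (the page's 8.5% example)


def build_groups(obligors, links):
    """Union-find: map every obligor to the representative of its GCC."""
    parent = {o: o for o in obligors}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in links:
        if a not in parent or b not in parent:
            raise KeyError(f"link references unknown obligor: {a!r}-{b!r}")
        parent[find(a)] = find(b)
    return {o: find(o) for o in obligors}


def one_step_test(exposures, links=()):
    """exposures: {obligor_id: Decimal}; links: (id, id) pairs from Risk/KYC data."""
    total = sum(exposures.values(), Decimal(0))                      # step 1
    if total <= 0:
        raise ValueError("empty portfolio")
    group_of = build_groups(exposures, links)
    per_group = defaultdict(Decimal)
    for obligor, amount in exposures.items():
        per_group[group_of[obligor]] += amount                       # aggregate at GCC level
    cutoff = LIMIT * total
    outliers = {g: v for g, v in per_group.items() if v > cutoff}    # step 2
    share = sum(outliers.values(), Decimal(0)) / total               # step 3
    return {
        "total": total,
        "outlier_groups": len(outliers),
        "outlier_share": share,
        "granular": share <= TOLERANCE,   # granularity criterion only
        "warning": share >= WARNING,
    }


def sample_portfolio():
    """Constructed data: 950 obligors, total exposure 1,000,000."""
    p = {f"S{i}": Decimal(1000) for i in range(880)}
    p.update({f"F{i}": Decimal(1500) for i in range(60)})
    p.update({f"B{i}": Decimal(3000) for i in range(10)})
    return p


def family_links(pairs):
    """Constructed links: F0-F1, F2-F3, ... (e.g. spouses sharing one economic unit)."""
    return [(f"F{2 * i}", f"F{2 * i + 1}") for i in range(pairs)]


if __name__ == "__main__":
    p = sample_portfolio()
    for n in (0, 19, 30):   # missing links make the portfolio look more granular
        r = one_step_test(p, family_links(n))
        print(f"{n:2d} linked pairs: outlier share {r['outlier_share']:.1%}, "
              f"granular={r['granular']}, warning={r['warning']}")
```

With no links recorded the constructed portfolio shows a 3% outlier share; once all 30 pairs are linked the same loans give 12% and the test fails, which is the “artificial granularity” effect described above.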

Dashboarding for real-time monitoring: Build a reporting tool that visualises the current utilisation of the 10% ratio to allow early countermeasures (e.g. through sales or synthetic hedges).

3. Monitoring & review measures (compliance & AML)

Harmonise GCC logic between Risk and AML: Carry out a data reconciliation. If the risk department recognises an economic unit (for the 0.2% threshold), the AML department must check whether this information is also stored in the KYC profile. Inconsistencies must be resolved.

Update compliance policies: Incorporate the new thresholds and the one-step procedure into internal work instructions (Written Procedures – SFO).

Due diligence for securitisations: Create a process for cases where obligor data are missing. It must be documented what efforts were made to obtain the data in order to rely on the “temporary exemption” in a legally robust manner.

 


Official source of the European Banking Authority (EBA)

  • EBA – Final Report on Guidelines on Retail Diversification (February 2026)
    Guidelines of the European Banking Authority on diversification of retail exposures as part of supervisory requirements.