When JPMorgan Chase CEO Jamie Dimon testified before Congress in late 2023 that the original Basel III Endgame proposal would require his bank to hold an additional $50 billion in capital—enough to fund 500,000 small business loans—the operational risk component was the single largest contributor to that number.
The Advanced Measurement Approaches (AMA) that the largest US banks had spent over a decade building would be eliminated overnight, replaced by a standardized formula that, critics argued, bore little relationship to actual risk exposure.
Fast-forward to March 2026, and US regulators have formally rescinded the 2023 proposal and issued a fundamentally different re-proposal.
The Federal Reserve, OCC, and FDIC now project that aggregate capital in the banking system will modestly decrease under the new framework—a dramatic pivot from the original +16% CET1 increase.
| What You Need to Know |
| The March 2026 re-proposal dramatically scaled back capital increases, with regulators now projecting overall capital levels will modestly decrease rather than the original +16% aggregate CET1 increase. |
| Operational risk is the single largest RWA driver under Basel III Endgame, with the new Standardized Approach (SA) replacing all internal models (AMA) for banks above $100 billion in assets. |
| The Business Indicator Component (BIC) and Internal Loss Multiplier (ILM) form the core calculation, tying capital directly to revenue size and 10 years of historical loss data. |
| US regulators have diverged from the Basel Committee framework by proposing reduced operational risk floors (potentially 40–60% vs. the original 72.5%), creating global comparability challenges. |
| Comment period closes June 18, 2026, with implementation expected to begin in 2027 and phase in over three years through 2030. |
| Banks that start gap analyses, loss data remediation, and BIC calculations now will gain a 12–18 month head start on compliance readiness. |
| The Three Lines Model must adapt: first-line operational risk owners need new data collection capabilities, second-line needs recalibrated capital models, and third-line must validate the entire framework. |
But for operational risk managers specifically, the structural change remains significant: internal models are still gone, the Standardized Approach is still coming, and the compliance clock is ticking.
This guide breaks down exactly what the Basel III Endgame means for operational risk: the new capital calculation methodology, how it differs from the 2023 proposal, what your Three Lines of Defense need to do differently, and a 90-day roadmap to get compliance-ready before the comment period closes.
1. What Is Basel III Endgame and Why Does It Matter?
Basel III Endgame refers to the final set of reforms issued by the Basel Committee on Banking Supervision (BCBS) in December 2017, designed to reduce excessive variability in risk-weighted assets across global banks.
In the US, these reforms apply to banking organizations with $100 billion or more in total consolidated assets. The core objective: replace internal models with standardized approaches that produce comparable, transparent capital requirements across institutions.
The Basel III Endgame encompasses changes to credit risk, market risk (via the Fundamental Review of the Trading Book, or FRTB), credit valuation adjustment (CVA) risk, and—most significantly for this article—operational risk.
Operational risk was identified by the American Bankers Association (ABA) as the single largest driver of RWA inflation under the original 2023 proposal, accounting for an estimated 78% RWA increase for Category I and II banks.
Figure 1: RWA Impact by Risk Category
Source: PwC analysis of 2023 NPR. Operational risk represents the largest single RWA driver under the original proposal.
Understanding this context is critical because even though the 2026 re-proposal significantly reduced overall capital impact, the structural shift from internal models to the Standardized Approach for operational risk remains intact.
Every bank above the $100 billion threshold must prepare for a fundamentally different methodology, regardless of whether aggregate capital requirements go up or down.
2. The Regulatory Timeline: From 2023 NPR to 2026 Re-Proposal
The path from the original Notice of Proposed Rulemaking (NPR) to the current re-proposal has been unusually turbulent. In July 2023, the Fed, OCC, and FDIC published a joint NPR that generated over 16,000 comment letters—an unprecedented volume for a banking regulation—with the overwhelming majority opposing the proposal’s scope and calibration.
Figure 2: Basel III Endgame Regulatory Timeline
Key milestones from the original 2023 proposal through the 2026 re-proposal and expected implementation.
On March 19, 2026, the agencies formally rescinded the 2023 proposals and issued three new proposals that comprehensively overhaul the existing US bank capital framework. The comment period for these proposals closes on June 18, 2026.
According to Bloomberg Professional Services, Fed remarks point to a largely capital-neutral outcome, with implementation expected to begin in 2027 and phase in over three years.
| Milestone | Date | Status | Implication |
| Original NPR Published | July 2023 | Rescinded | Set baseline; generated massive pushback |
| Comment Period Closed | January 2024 | Complete | 16,000+ letters; forced re-proposal |
| Fed Chair Signals Re-Proposal | September 2024 | Complete | Acknowledged broad material changes needed |
| Re-Proposed Rules Published | March 2026 | Active | Three proposals; dramatically reduced scope |
| Comment Period Closes | June 2026 | Pending | Last window for industry input |
| Final Rule Expected | Late 2026/Early 2027 | Projected | Must prepare before finalization |
| Implementation Begins | Mid-2027 | Projected | Three-year phase-in to 2030 |
3. The New Standardized Approach for Operational Risk
The most consequential change for operational risk management in banking is the elimination of the Advanced Measurement Approaches (AMA) and their replacement with a single Standardized Approach (SA).
Under the AMA, banks used proprietary internal models to calculate operational risk capital. These models produced vastly different capital charges for banks with similar risk profiles—the exact problem the BCBS set out to solve.
3.1 Business Indicator Component (BIC)
The BIC is a financial-statement-based proxy for operational risk exposure. It uses a Business Indicator (BI) calculated as the sum of three components, each averaged over three years: (1) the Interest, Leases, and Dividends Component (ILDC), (2) the Services Component (SC), and (3) the Financial Component (FC). The BI is then multiplied by marginal coefficients that increase with the bank’s size.
| BI Range (USD Billions) | Marginal Coefficient | Bucket |
| $0 – $1B | 12% | Bucket 1 |
| $1B – $30B | 15% | Bucket 2 |
| Above $30B | 18% | Bucket 3 |
For the largest US banks (GSIBs), nearly all operational risk capital will fall into Bucket 3, meaning 18% of their three-year average BI drives the baseline capital requirement before loss adjustments.
This design inherently ties capital to revenue scale, which the ABA has criticized as penalizing well-managed banks that generate high revenue with low operational losses.
3.2 Internal Loss Multiplier (ILM)
The ILM adjusts the BIC based on a bank’s actual historical loss experience over the preceding 10 years.
The formula is: ILM = ln[exp(1) – 1 + (LC/BIC)^0.8], where LC (the Loss Component) equals 15 times the bank’s average annual operational risk losses. Banks with better loss records get a multiplier below 1.0 (reducing their capital charge), while banks with heavy losses face multipliers above 1.0.
However, the US re-proposal introduces a critical divergence from the BCBS framework: the ILM floor may be set at 40–60% of the BIC rather than the BCBS standard of 72.5%.
This means US regulators are giving banks more credit for strong loss management—but it also creates global regulatory fragmentation that multinationals will need to manage across jurisdictions.
3.3 Final Capital Calculation
The minimum operational risk capital requirement = BIC × ILM. For a hypothetical large bank with a three-year average BI of $50 billion and average annual operational losses of $2 billion, the calculation would yield a BIC of approximately $8.1 billion (using the tiered marginal coefficients) and an ILM that adjusts this based on the LC/BIC ratio.
The actual capital charge depends heavily on the final ILM calibration and floor—which is why the June 2026 comment period matters so much.
4. Capital Impact: Original Proposal vs. 2026 Re-Proposal
The difference between the 2023 and 2026 proposals is stark. The original NPR would have increased aggregate CET1 capital requirements by approximately 16%, with GSIBs facing a 19% increase.
The 2026 re-proposal, by contrast, is designed to be broadly capital-neutral, with regulators projecting that overall capital in the banking system will modestly decrease. For risk assessment professionals, this shift changes the compliance calculus from a capital-building exercise to a methodology-transition exercise.
Figure 3: Capital Impact Comparison
Estimated CET1 impact by bank category. The 2026 re-proposal targets capital neutrality, a dramatic shift from 2023.
| Dimension | 2023 Original NPR | 2026 Re-Proposal |
| Aggregate CET1 Impact | +16% industrywide | Modest decrease expected |
| GSIB Impact | +19% CET1 | ~Capital neutral |
| Operational Risk Approach | SA replaces AMA | SA replaces AMA (unchanged) |
| ILM Floor | 72.5% (BCBS standard) | 40–60% (proposed) |
| Applicability Threshold | $100B+ total assets | $100B+ total assets (unchanged) |
| Output Floor | 72.5% phase-in | Reduced; longer phase-in |
| Implementation Start | July 2025 | Mid-2027 (estimated) |
| Phase-In Period | 3 years (to June 2028) | 3 years (to ~2030) |
5. AMA vs. Standardized Approach: What Changes for Your Team
The shift from AMA to the Standardized Approach is not merely a formula change—it transforms how operational risk teams organize their work, what data they collect, and how they report to the board.
Under the AMA, banks invested heavily in scenario analysis, external loss databases, and complex internal models that required ongoing validation.
The SA eliminates the need for model development and validation but introduces new requirements around loss data quality and Business Indicator calculation.
Figure 4: AMA vs. Standardized Approach Comparison
The SA reduces complexity and regulatory approval burden but also reduces risk sensitivity compared to internal models.
| Capability | Under AMA (Old) | Under SA (New) |
| Loss Data Collection | Required for model inputs; 5+ years | Required for ILM; 10 years minimum |
| Scenario Analysis | Core model input | Not required for capital; still useful for risk management |
| Model Validation | Annual independent validation required | No models to validate; focus shifts to data validation |
| Capital Calculation | Proprietary internal model | Standardized formula (BIC × ILM) |
| Regulatory Approval | Model must be approved by regulators | No model approval needed; data quality audited |
| Board Reporting | Model outputs and assumptions | BIC components, loss trends, ILM trajectory |
For key risk indicator (KRI) programs, the SA introduces a new set of metrics that boards and risk committees will need to monitor. Where AMA-era KRIs focused on model performance and scenario coverage, SA-era KRIs should track BIC component trends, loss data completeness, ILM trajectory, and peer benchmarking on standardized capital charges.
6. Three Lines Model: Roles and Responsibilities Under the SA
The shift to the Standardized Approach requires a recalibration of the Three Lines Model for operational risk. Each line of defense has distinct new responsibilities under the SA framework.
| Line | Role | Key SA Responsibilities | New Capabilities Needed |
| 1st Line | Business Units / Process Owners | Accurate loss event capture; incident classification; root cause documentation | Standardized loss taxonomy; real-time reporting tools; training on 10-year data requirements |
| 2nd Line | Risk Management / Compliance | BIC calculation; ILM monitoring; capital adequacy reporting; policy updates | Financial statement integration for BI components; loss data quality assurance; peer benchmarking |
| 3rd Line | Internal Audit | Independent assurance over loss data integrity; BIC/ILM calculation validation | SA-specific audit methodology; data completeness testing; regulatory change tracking |
The most significant capability gap for most banks is in loss data management. The ILM requires 10 years of operational loss history, classified according to the Basel event-type taxonomy.
Banks that have gaps in their historical data—due to mergers, system migrations, or inconsistent classification—must begin remediation now.
The COSO ERM framework provides a useful lens for integrating operational risk data governance into broader enterprise risk management structures.
7. Global Regulatory Divergence: US vs. EU vs. UK
The 2026 re-proposal widens the gap between US and international implementations of the Basel III framework. The EU implemented its version through CRR3, effective January 2025, with an ILM set at 1.0 (effectively neutralizing the loss multiplier).
The UK’s Prudential Regulation Authority (PRA) plans to go live in January 2027 with a framework closer to the BCBS standard. The US re-proposal charts yet a third path, with reduced ILM floors and broader exemptions for mid-size banks.
| Dimension | US (2026 Re-Proposal) | EU (CRR3) | UK (PRA) |
| Implementation Date | Mid-2027 (est.) | January 2025 | January 2027 |
| ILM Treatment | 40–60% floor (proposed) | Set at 1.0 (neutralized) | BCBS standard (72.5%) |
| Applicability | $100B+ assets | All banks (proportional) | All PRA-regulated firms |
| Output Floor | Reduced; longer phase-in | 72.5% by 2030 | 72.5% by 2030 |
| AMA Retention | Eliminated | Eliminated | Eliminated |
For multinational banks, this divergence creates operational complexity. A global GSIB must calculate operational risk capital under at least three different calibrations, maintain data infrastructure that satisfies the most demanding jurisdiction’s requirements, and report consistently across regulators with different timelines and definitions.
Operational risk management frameworks must be designed to accommodate this multi-jurisdictional reality.
8. Practical Impacts on Loss Data and Reporting
The SA’s dependence on historical loss data elevates data management from a back-office function to a capital-determining activity.
Under the AMA, banks had flexibility in how they incorporated loss data into their models. Under the SA, the loss data feeds directly into the ILM formula, meaning every misclassified, unreported, or incomplete loss event has a quantifiable capital impact.
8.1 Loss Data Quality Requirements
| Requirement | What It Means in Practice |
| 10-Year Loss History | Banks must maintain 10 consecutive years of operational loss data classified by Basel event types; gaps trigger regulatory scrutiny |
| De Minimis Threshold | The re-proposal may set a minimum loss threshold (e.g., $20,000) below which events are excluded from the ILM calculation |
| Event Type Taxonomy | All losses must map to the seven Basel II event categories (internal fraud, external fraud, EPWS, CPBP, damage to physical assets, BDSF, execution/delivery) |
| Gross Loss vs. Net Loss | The SA uses gross loss (before recoveries); banks must track both and reconcile |
| Merger/Acquisition Data | Acquired bank loss histories must be integrated into the combined entity’s 10-year dataset |
For banks with robust risk metrics and KRI programs, the transition is manageable.
For banks that treated loss data as an AMA model input rather than a standalone data asset, the remediation effort could take 12–18 months—which is why starting now, before the final rule, is critical.
9. 90-Day Implementation Roadmap
Whether the final rule lands in late 2026 or early 2027, banks that complete the following 90-day readiness program will have a structural advantage.
This roadmap assumes your organization has not yet begun formal SA preparation. If you have, use it as a gap-check against your current program.
| Phase | Actions | Deliverables | Success Metrics |
| Days 1–30: Assess & Scope | 1. Conduct gap analysis of current loss data vs. SA requirements 2. Map BIC components to financial statements 3. Identify ILM data gaps (10-year history) 4. Establish project governance and RACI | Gap analysis report BIC component mapping Data remediation plan Project charter with RACI | Gap analysis completed with <5 open items All BIC components mapped to GL accounts Sponsor sign-off on remediation timeline |
| Days 31–60: Build & Remediate | 1. Build BIC calculation engine (spreadsheet or system) 2. Begin loss data remediation 3. Calculate preliminary ILM 4. Benchmark against peer disclosures 5. Draft board reporting framework | BIC calculation tool Loss data remediation tracker Preliminary capital estimate Peer benchmarking analysis Board reporting template | BIC tool produces results within 5% of manual calculation Loss data gaps reduced by 50% Preliminary capital estimate reviewed by CRO |
| Days 61–90: Validate & Embed | 1. Independent validation of BIC/ILM calculations 2. Submit comment letter on re-proposal 3. Update risk appetite statement for SA 4. Train 1st and 2nd line staff 5. Integrate SA metrics into KRI dashboard | Validation report Comment letter Updated risk appetite Training completion records SA-enhanced KRI dashboard | Zero material findings in validation Comment letter submitted before June 18 deadline 90%+ staff completion rate KRI dashboard operational |
10. Common Pitfalls in Basel III Endgame Preparation
| Pitfall | Root Cause | Remedy |
| Treating the SA as a capital exercise only | Focus on numbers rather than operational changes | Embed SA into operational risk framework, not just finance reporting |
| Ignoring loss data gaps until the final rule | Assumption that the rule will change further | Start remediation now; 10-year data gaps cannot be fixed retroactively |
| Using BIC as a standalone metric | Failure to contextualize with loss experience | Always present BIC alongside ILM and peer benchmarks in board reporting |
| Neglecting the comment period | Belief that industry groups will represent your interests | Submit institution-specific comments by June 18, 2026; regulators weight individual letters |
| Underestimating M&A data integration | Loss histories from acquired entities are incomplete | Audit acquired bank loss data immediately; build integration playbooks |
| Failing to update risk appetite statements | Risk appetite still references AMA-era metrics | Rewrite operational risk appetite in SA terms: BIC trends, ILM trajectory, loss thresholds |
| Not training first-line staff | Assumption that SA is a second-line responsibility | First-line captures the loss data that drives ILM; training is non-negotiable |
| Delaying system changes for the final rule | Waiting for certainty before investing | Build flexible BIC/ILM calculation tools now; calibration parameters can be updated later |
11. Looking Ahead: 2026–2028 Operational Risk Landscape
The Basel III Endgame re-proposal marks the beginning, not the end, of a multi-year transformation in how US banks manage and capitalize operational risk. Several converging trends will shape the landscape through 2028 and beyond.
First, the convergence of operational risk with operational resilience regulation is accelerating.
DORA in the EU, the PRA’s operational resilience framework in the UK, and growing US supervisory focus on critical operations all point toward a future where operational risk capital and resilience testing are integrated.
Banks that build their SA infrastructure with resilience linkages from the start will be better positioned for this convergence.
Second, AI and machine learning are transforming operational risk detection and loss event classification. As banks adopt AI governance frameworks, the intersection of AI risk and operational risk becomes increasingly important.
The SA’s reliance on historical loss data creates an interesting tension with AI-driven risks that may have no historical precedent—regulators will need to address how emerging risks are captured in a backward-looking framework.
Third, the global divergence in SA implementation will drive demand for harmonized reporting tools and cross-jurisdictional risk frameworks.
Banks that invest in flexible, multi-regime calculation engines now will have a competitive advantage as regulators in the US, EU, and UK fine-tune their respective approaches through 2028. The ISO 31000 risk management standard provides a jurisdiction-agnostic foundation that can help multinational banks maintain consistency across regulatory regimes.
Finally, the role of the operational risk function itself is evolving. With the SA removing the need for complex internal model development and validation, operational risk teams have an opportunity to redirect resources toward forward-looking risk identification, compliance monitoring, and strategic risk advisory—activities that create more value for the business than capital modeling ever did.
Ready to build your Basel III Endgame operational risk readiness program? Visit riskpublishing.com for practitioner guides, operational risk frameworks, KRI libraries for banks, and ERM implementation templates designed for financial services risk professionals.
References
1. Basel Committee on Banking Supervision – High-Level Summary of Basel III Reforms (2017)
2. BIS – Operational Risk Standardised Approach: Executive Summary
3. Federal Reserve – Agencies Request Comment on Proposed Rules (July 2023)
4. PwC – Basel III Endgame: Complete Regulatory Capital Overhaul
5. EY – Basel III Endgame: What You Need to Know
6. Bloomberg Professional Services – Fed Remarks Point to Capital-Neutral Basel III Endgame in 2026
7. Moody’s – US Proposes Final Basel Rules, Transition Period to Start in July 2025
8. American Bankers Association – Over-Estimation of Basel III Endgame Operational Risk Capital
9. ABA – Methodological Flaws in Basel III Endgame Operational Risk Capital Requirements
10. Atlantic Council – Basel III Endgame: The Specter of Global Regulatory Fragmentation
11. Congressional Research Service – Bank Capital Requirements: Basel III Endgame
12. Brookings Institution – What Is Bank Capital? What Is the Basel III Endgame?
13. Freshfields – Basel III Endgame, Take Two: 8 Key Takeaways from the Re-Proposals
15. KPMG – Capital Requirements: Proposed Basel III Endgame & GSIB Capital Surcharges
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.