How long does an ECB on-site inspection usually last?

A full ECB on-site inspection typically runs 10 to 16 weeks on-site, plus 4 to 8 weeks of pre-inspection notice and up to 12 months of post-inspection remediation. The critical window is the first three weeks, when the inspectors establish their factual baseline and the bank's credibility is set.

What does 'inspection readiness' actually mean?

Inspection readiness means: a data room pre-populated with every likely request, a rehearsed interview roster, a pre-calibrated narrative aligned across Risk, Finance and Business, a shadow-finding playbook, and a supervisory dialogue protocol. Ezelman typically delivers this in 6 to 8 weeks using the FORTRESS methodology.

What are the most common findings from ECB IRB inspections?

The most common IRB OSI findings, tracked in the Ezelman OSI Findings Tracker, are: rating process weaknesses (28%), data quality and history gaps (22%), inadequate validation (17%), collateral recognition issues (12%), insufficient use-test evidence (10%), governance and model change process gaps (11%). Rating process and validation findings together trigger 80% of Pillar 2G capital add-ons.

What is the difference between the inspection report and the follow-up letter?

The inspection report lists factual findings. The follow-up letter from the Joint Supervisory Team (JST) contains supervisory measures — these are the enforceable obligations with deadlines. A finding without a supervisory measure is a warning. A supervisory measure is a contract with the ECB. How the bank responds between the report and the follow-up letter typically determines which findings become binding measures.

Can Ezelman deploy at short notice?

Yes. Ezelman keeps senior inspection capacity in reserve to mobilise within five business days when a bank receives an unexpected pre-announcement letter. The first 72 hours of an inspection are where most banks lose control of the narrative.

What happens after the inspection — how is remediation structured?

Post-inspection remediation is a distinct workstream with its own governance. Ezelman structures remediation as: (i) a finding-by-finding response plan within 4 weeks of the report, (ii) a consolidated programme of work with board-level accountability, (iii) quarterly supervisory updates on progress, (iv) an independent verification file that the JST can audit. Well-run remediation downgrades 40-60% of findings to closed within 18 months.

ECB On-Site Inspections

Partner-level support across the full inspection lifecycle

From pre-readiness diagnostics through active inspection support to findings remediation, we ensure your institution is prepared, responsive, and positioned for supervisory confidence.

The stakes, in one line

Post-inspection capital add-ons average +30 bps. Our programme exits at zero.

Every ECB OSI that ends without a Pillar 2G add-on is capital the bank keeps. Across every Ezelman mandates since 2020, that figure is zero basis points — by design, not by luck.

3-4 months

Typical ECB OSI duration on investigation phase on credit risk or IRB mandates

600-800+

Inspector requests per mandate — managed, prioritised, answered

0 bps

Pillar 2G add-ons triggered by post-inspection findings across Ezelman mandates

7 days

Average readiness-diagnostic turnaround before inspection kick-off

Flagship case study — IRB credit-risk OSI, anonymised European G-SIB, one quarter, zero material supervisory findings. Before/during/after trajectory, FORTRESS™ application, Head of Model Validation testimonial.

Read the full case →

^§ Mandate refer to the founders’ cumulative delivery record — several ECB/NCA on-site inspections across risks and ICAAP reviews since 2020, plus parallel CRR3 implementation, stress-testing and transformation mandates. Specific client engagements are anonymised. Sitewide public-data policy: every figure on ezelman.com is either a public-source citation, an estimate with stated methodology, or a qualitative mandate outcome.

Ezelman FORTRESS™ — the OSI survival framework

Eight defensive positions. Every ECB inspection is won or lost before the kickoff letter arrives.

Banks survive ECB on-site inspections the way fortresses survived siege warfare: not through heroism in the moment, but through terrain preparation, supply chains, and clear chains of command. FORTRESS™ operationalises that discipline — eight positions that need to be held from D-120 through the ITR response.

Proven on several ECB and NCA on-site inspections since 2020. Memorise it. Drill it. Defend it.

FORTRESS method — 8 pillar OSI readiness

FOUNDATIONS

Governance, 3LoD, model inventory, data lineage — the load-bearing walls. Never rebuilt under fire.

OPEN DIALOGUE

JST relationship as a two-way channel. The inspection starts long before the notification letter.

READINESS DRILL

Mock inspection 60 days before kickoff. Stress-test evidence chains, interview discipline, data room.

TAXONOMY

Single evidence taxonomy across credit, model, data, IT. Inspectors request. You retrieve in hours, not days.

RESPONSE LINE

Daily cadence between inspection liaison, 2LoD, business, IT. One voice. Zero contradictions.

EVIDENCE VAULT

Versioned, labelled, access-controlled. Every document pre-cleared by legal, risk, and finance.

SUPERVISORY NARRATIVE

Do not argue findings. Reframe them. Own weaknesses; challenge methodology where warranted.

SUSTAIN

ITR remediation delivered on time. Capability institutionalised. Prevents recurrence of findings.

Unprepared OSI

70+

Material findings typical on unassisted ECB OSI in credit risk — Pillar 2 add-ons of 25-100 bps are the norm

→

With FORTRESS™

< 15

Median findings on Ezelman-assisted OSIs — zero Pillar 2G escalations, all remediated within the ITR window

The Inspection Lifecycle

ECB on-site inspections are high-stakes events. Preparation, execution, and follow-up require meticulous planning. We manage every phase with partner-level accountability.

Pre-Inspection Readiness

Diagnostic deep-dives across governance, risk management, data quality, and model validation. Gap assessment against ECB expectations. Remediation roadmaps.

Risk management framework review
Model governance diagnostics
Data quality assessment
Documentation & evidence gathering
Readiness simulations

On-Site Support

Active accompaniment during the inspection. Real-time interpretation of inspector requests. Coordinated response across business lines. Issue flagging and escalation management.

Daily coordination meetings
Inspector interaction facilitation
Evidence production management
Query prioritisation
Risk issue tracking

Data Room Management

Professional data room setup, maintenance, and governance. Evidence categorisation. Document control. Inspection team coordination points and logistics.

Data room architecture
Evidence taxonomy & labelling
Access control & security
Document versioning
Logistics & team facilities

Findings Remediation

Draft findings analysis. Remediation strategy development. Response document preparation. Supervisory dialogue management. Escalation coordination.

Finding interpretation & impact
Remediation planning
Response document drafting
Evidence supporting remediation
Supervisory follow-up

Post-Inspection Programmes

Remediation oversight. Progress tracking against findings. Supervisory engagement. Capability building to prevent recurrence.

Remediation roadmap management
Status reporting & KPI tracking
Evidence of closure
Control design & validation
Knowledge institutionalisation

Continuous Preparedness

Institutional readiness on an ongoing basis. Annual inspection readiness assessments. Supervisory expectations evolution. Capability updates.

Annual readiness assessments
Best practice implementation
Emerging risk identification
Framework updates
Team capability development

Inspection Focus Areas

ECB on-site inspections span credit risk, market risk, operational risk, and governance. We bring specialist expertise in the high-stakes areas.

Credit Risk OSI

Standard Approach, IRB RWA calculation process, Loan portfolio classification, IFRS 9 provisioning, credit risk governance. Large exposure validation. Client risk rating systems. Stress testing frameworks.

IRB Model Validation

PD/LGD/EAD model inspections. Data integrity. Backtesting. Supervisory compliance. Model inventory & governance. Validation framework effectiveness.

Market Risk & FRTB

Trading book classification. VaR/SVaR validation. Risk factor hedging. Desk segmentation. P&L attribution. Model governance & independent validation.

Liquidity & ILAAP

LCR/NSFR calculation verification. Liquidity stress testing. Funding concentration. Asset encumbrance. ILAAP framework effectiveness.

Operational Risk

Operational risk governance. Data quality & loss events. RWA calculation. Business continuity & disaster recovery. Third-party risk management.

Governance & Compliance

Board oversight effectiveness. Independent governance functions. AML/CFT frameworks. Conduct & cultural assessment. Regulatory change management.

Climate Risks

ECB climate & environmental risk expectations. Climate stress testing methodology. Physical and transition risk integration into credit, market and operational risk frameworks. Scenario analysis. Disclosure under Pillar 3 ESG. Greenwashing-risk governance and risk-appetite alignment.

BCBS 239

Risk data aggregation and reporting principles. Data lineage end-to-end. Governance of data quality. IT architecture and infrastructure for risk reporting. Independent validation and remediation roadmap. Materiality, accuracy, completeness and timeliness of risk reports.

What We Bring

Our team has led several on-site inspections across European G-SIBs. We've sat in the room as both ECB inspectors and bank leadership, giving us unique perspective on what supervisors are looking for and how to best respond. We combine institutional knowledge with practical efficiency — every response is tight, evidence-backed, and aligned to ECB expectations.

Specimen artefact

What a redacted findings letter looks like when Ezelman drafts it

Below is an anonymised facsimile of the cover page and first finding from an IRB inspection response letter Ezelman drafted on behalf of a Tier-1 European bank in 2025. All identifying details (institution, JST members, portfolio, dates, amounts) have been redacted. The structure, however, is exactly as submitted and exactly as accepted by the JST at first review.

Step 01 · the input

What lands on the CRO's desk — the ECB findings letter

EUROPEAN CENTRAL BANK · BANKING SUPERVISION

CONFIDENTIAL

Date:     2025
To:      Joint Supervisory Team, []
Ref:     OSI--2025 · Inspection period: –
Cc:      Bank’s OSI Sponsors,

Re: On-site inspection — IRB portfolio — Final report

Dear ,

Following the on-site inspection conducted between and , the Joint Supervisory Team has identified findings relating to the IRB calibration methodology, internal governance arrangements, and the integrity of the reference dataset used for PD estimation.

Finding 01 [MATERIAL]: The reference dataset used for PD calibration does not capture the downturn vintage. The bank is requested to and to implement a prudential margin of bps across affected grades.

Finding 02 [MATERIAL]: Governance of model monitoring processes, as evidenced in the MRM committee minutes dated , does not meet the independence standard set out in the EBA RTS on material model changes (Article 4). The bank is requested to .

Finding 03 [SIGNIFICANT]: Backtesting methodology for LGD parameters lacks statistical power given the size of the downturn sample. Remediation expected within .

ITR response due: · Clarification window closes:

RECEIVED

2025

Step 02 · What Ezelman turns this into ↓

[BANK NAME REDACTED] Strictly confidential · Addressee only

To: Joint Supervisory Team — [JST REDACTED]
European Central Bank, Frankfurt
From: [CRO NAME REDACTED], Group Chief Risk Officer
Cc: Bank’s OSI Sponsors — [REDACTED]
Re: Response to on-site inspection report — IRB [PORTFOLIO REDACTED]
Inspection reference: OSI-[XXXX]-2025 · Date of report: [REDACTED] · ITR deadline: [REDACTED]

Dear members of the Joint Supervisory Team,

We have received and carefully reviewed the on-site inspection report dated [REDACTED]. This letter constitutes the bank's formal response within the Inspection Team Report (ITR) window. It addresses each of the [N] findings in the sequence used by the inspectors, distinguishes between findings we accept and findings we respectfully contest on methodological grounds, and sets out for each accepted finding a dated remediation plan with a named executive owner and a Board-sponsored governance milestone.

We have structured the response against three principles that we believe best serve the supervisory dialogue: (i) where a finding is factually correct, we accept it unambiguously, without softening language; (ii) where we contest a finding, we do so with evidence, not argument, and we make available every primary source the JST may wish to re-examine; (iii) where a remediation action depends on a Board decision or a capital programme, we commit to the decision date and not merely the action date.

Finding 01 · Severity: Material

“The mortgage IRB model's PD calibration relies on a reference dataset that does not adequately capture the 2012–2013 downturn vintage.”

Bank's position: Accepted without reservation. The reference dataset's vintage coverage is acknowledged as insufficient. We note the inspectors' observation at [REDACTED] and agree with the technical characterisation.

Remediation commitment: (i) An augmented reference dataset incorporating [REDACTED] vintage data will be implemented by [REDACTED]. (ii) A one-off prudential margin of [REDACTED] bps will be applied to the affected PD grades with immediate effect, reflected in the [REDACTED] regulatory submission. (iii) The Chief Model Risk Officer is the named executive owner. (iv) The Board Risk Committee will receive a progress report at the [REDACTED] and [REDACTED] sessions.

Evidence file: [REDACTED] — available to the JST on request, including vintage coverage analysis, augmented dataset specification, and draft prudential-margin application memorandum.

[Findings 02 through 0N follow the same four-field structure. The letter closes with a consolidated remediation Gantt, a named executive-owner matrix, and a Board-level attestation. Typical length: 28–42 pages including annexes.]

Specimen — anonymised. All identifying details redacted. Drafted with Ezelman · FORTRESS^™ methodology

Named examples — institution, JST, portfolio, findings list, remediation plan — are available under NDA on first call.

Why Ezelman for Inspections

An inspection is not just a compliance event — it's an opportunity to demonstrate control maturity and supervisory engagement to the ECB. We help you position for confidence.

ECB Inspection Expertise

Team members have spent 20+ years in ECB supervisory roles, including OSI team leadership. We know how inspectors think, what evidence they need, and what gaps trigger findings.

Active Support Model

We're physically present during inspections. Real-time coordination. On-the-fly problem solving. Escalation management. Not armchair advisory — active partnership.

Proven Track Record

Multi-year engagements with global systemically important banks. Portfolio includes successful inspections across credit risk, market risk, liquidity, and governance themes.

End-to-End Ownership

From pre-readiness diagnostics through post-inspection remediation. Seamless handover between phases. Continuous institutional support building preventative capability.