CRR3, responsible AI and the real cost of regulatory overload for European banks

The 2025 ABBL Annual Report, published by the Association des Banques et Banquiers Luxembourg, opens with a statement that captures the moment: the regulatory agenda was “exceptionally dense.” CRR3 entered into application. CRD VI moved toward national transposition. Omnibus I significantly recalibrated the sustainability reporting framework. PSD3 and the Payment Services Regulation progressed through trilogues. DAC 8, securitisation reform, and the T+1 settlement transition added further breadth to a cycle of simultaneous, substantial change.

This is not a temporary condition. It is a structural one. And the institutions best positioned for the next five years are those investing now in the infrastructure to absorb it, efficiently, accurately, and in ways that regulators and auditors can actually examine.

CRR3: what “Basel IV” actually means for compliance operations

The Capital Requirements Regulation III — formally CRR3, informally called “Basel IV” in many market commentaries — entered into force across the EU on 1 January 2025. It is the EU’s implementation of the final Basel III framework published by the Basel Committee on Banking Supervision, and it touches nearly every dimension of a bank’s capital and risk infrastructure.

The headline change is the output floor: from 2025, institutions using internal risk models cannot set their risk-weighted assets below 72.5% of the standardised approach figure, phasing in progressively toward full implementation by 2030. According to the EBA’s December 2025 Risk Assessment Report, total risk-weighted assets across EU/EEA banks increased by 3% year-on-year, with operational risk RWAs alone rising by more than €300 billion — an increase of 30% — specifically because CRR3 replaced all existing operational risk approaches with a single standardised business indicator component. For banks previously using internal models, this translated directly into higher capital requirements on day one.

But the more operationally demanding dimension of CRR3 may be the reporting infrastructure it requires. The regulation assigns approximately 140 technical mandates to the European Banking Authority across a broad range of implementation areas. Most are being delivered in a two-step sequential approach running through at least 2027. As Wolters Kluwer’s regulatory intelligence team noted in its assessment: “Implementation will not be a one-off event, but an ongoing process for some time that banks must prepare for.”

The Pillar 3 layer is particularly significant. From reference date June 2025, under CRR3 and the new EBA Pillar 3 Data Hub, all institutions in scope must submit structured disclosures in machine-readable XBRL-CSV format via the EUCLID Regulatory Reporting Platform. These disclosures are published publicly — not on individual bank websites, but on a centralised supervisory hub accessible to regulators, investors, and the market simultaneously. The new Pillar 3 templates cover capital structure, credit risk, market risk, CVA risk, operational risk, and — critically — ESG risk exposures, including Green Asset Ratio metrics, for the largest listed institutions.

The cumulative picture is one of structural data complexity. CRR3’s XBRL mandate alone requires banks to convert Pillar 3 templates into taxonomy-aligned machine-readable formats, validate against EBA rules and cross-template consistency checks, maintain alignment between narrative disclosures and structured data, and establish audit-ready traceability for every data point submitted. According to the CSSF’s Pillar 3 guidance for Luxembourg institutions, the EBA issued a No-Action Letter in August 2025 specifically to reduce legal and operational uncertainty during the transition — an acknowledgement that even for the regulator, the pace of implementation has tested what institutions can absorb.

Compliance as a measurable business problem: what the data says

This approach reflects a shift in framing. Broad arguments about “overregulation” are easily dismissed. But when an industry body can demonstrate that a specific share of operating costs is consumed by compliance infrastructure rather than lending, trading, or asset management — and that this compresses the capital available to finance European companies — the conversation changes.

One of the more significant developments in European banking advocacy in recent years is the emergence of quantified compliance cost research as a formal policy tool. The ABBL, in partnership with EY, published a dedicated Cost of Regulation Survey in 2025 — designed specifically to give policymakers evidence-based arguments about what the current regulatory cycle actually costs. The ABBL paired this with a position paper containing 40 concrete proposals for smarter financial regulation, presented at European level as part of its advocacy with EU institutions.

External research supports the scale of the problem. BCG’s 2025 global compliance benchmark study found that compliance operating costs have risen sharply in Europe following a wave of new directives — the EU AML package, EBA guidelines, and the EU AI Act — all arriving within a 12-month period. The same study identified AI and generative AI as the key lever for managing expanding obligations without proportional headcount growth. In BCG’s framing, leading banks are transforming their compliance functions from cost centres into strategic enablers — but only those that have moved beyond pilots and into production deployment.

McKinsey’s 2025 analysis of regulatory technology put the underperformance of manual systems in concrete terms: financial institutions relying on manual compliance processes often fulfil only a fraction of their obligations, leaving them at higher risk of penalties and operational inefficiencies. McKinsey cited the example of a US-based bank whose legacy compliance system met just 75% of requirements before an automated RegTech solution raised this to above 95% — a gap that, in a post-CRR3 environment where disclosures are publicly auditable, carries direct reputational and supervisory consequences.

The ABBL’s CEO, Jerry Grbic, captured the essential tension in his 2025 letter to members: European banks finance nearly 80% of companies’ funding needs. “Innovation must serve clients and the economy, not be consumed entirely by reporting obligations and administrative complexity.” When compliance absorbs operational capacity, the cost is ultimately paid by the real economy — not just the institution.

Where do hours go in regulatory compliance?

The most labour-intensive dimension of CRR3 compliance, and of most regulatory reporting obligations, is not only the calculation. It is also the extraction and mapping. A compliance analyst producing a Pillar 3 XBRL submission must retrieve relevant data across internal systems, understand which regulatory concept each figure maps to, convert it to the correct XBRL taxonomy tag, and validate it against cross-template consistency rules. Multiply this across hundreds of data points, multiple reporting entities, and quarterly cycles, and the manual burden becomes clear.

The same applies to ESG reporting. Under CRR3’s ESG Pillar 3 templates, banks must disclose Green Asset Ratio metrics, taxonomy alignment figures, and counterparty-level ESG exposures, data that typically sits in sustainability reports, valuation models, and lending files across the institution. Getting it into a structured, XBRL-ready format is a data extraction and mapping problem first, and a regulatory problem second.

According to BCG’s GenAI banking compliance analysis (November 2025), generative AI solutions that perform dynamic data extraction — automatically gathering and reconciling data from unstructured sources — dramatically reduce manual review work in KYC, reporting, and disclosure workflows. BCG found that this approach generates productivity uplifts of 20 to 60 percent in compliance operations — with KPMG documenting up to 85% reduction in reporting preparation time, and EY citing up to 90% time reduction in compliance verification workflows where AI pre-filling is deployed end-to-end.

What 92% AI adoption actually means, and what responsible deployment requires

According to the EBA, 92% of EU banks are now deploying AI in some form, with this figure expected to approach 100% in 2026. In the UK, the equivalent figure was already 94% in 2024 per Bank of England data, with UK banks’ investment in AI doubling over the course of 2025, according to data compiled by Chambers & Partners’ Banking Regulation 2026 guide. The question is no longer whether financial institutions are using AI. The question is whether they are using it in ways that withstand regulatory scrutiny.

Luxembourg’s financial centre has been unusually direct about this. The Haut Comité de la Place Financière — the coordinating body for Luxembourg’s financial sector, where the ABBL plays a central role — developed a 10-point action plan in 2025 specifically to accelerate responsible AI adoption across the sector. The ABBL’s 2025 Annual Report notes this as a strategic priority alongside cybersecurity resilience, reflecting an understanding that AI deployment and AI governance are not separable questions.

The word “responsible” in this context is operational, not rhetorical. As Wolters Kluwer’s compliance intelligence team observed in early 2026, banks racing to embed AI without concurrent governance frameworks risk regulatory scrutiny triggered by model risk management examination failures: “Effective AI governance requires clear accountability for AI-driven decisions, robust senior management oversight, and strong challenge mechanisms involving risk, compliance, and internal audit functions.”

In the context of compliance and regulatory reporting specifically, where every output may be subject to supervisory examination, external audit, or public scrutiny via the EBA’s Pillar 3 Data Hub, four dimensions of responsible AI deployment are non-negotiable.

Auditability and source traceability

Every AI-assisted output — a pre-filled questionnaire answer, an extracted Pillar 3 data point, a mapped XBRL field — must be traceable to its source document, section, and passage. In a compliance context, an answer without a verifiable origin is not an answer. The EBA’s Pillar 3 Data Hub makes this more pressing: disclosures submitted in XBRL format are publicly searchable and cross-referenceable by regulators and market participants in real time.

Data isolation and no-training guarantees

Financial institutions process counterparty data, internal capital models, and client-level ESG assessments that carry legal and commercial confidentiality obligations. Enterprise AI deployments used in production compliance workflows must operate under contractual guarantees that document content is not retained after processing and is not used for model training. Enterprise AI providers offering Zero Data Retention addenda, where no conversation data is written to disk, represent the appropriate baseline for regulated financial data processing.

Domain-specific regulatory knowledge

General-purpose AI models perform inconsistently on financial regulatory documents. The system needs to recognise how CRR3 capital templates, SFDR disclosure requirements, EU Taxonomy criteria, and ESRS data points reference overlapping concepts under different terminologies, and to distinguish between frameworks even when source documents do not explicitly state which one they are addressing. Keyword matching is not sufficient for cross-framework regulatory mapping.

Human validation architecture

AI in compliance workflows must be designed to support human decision-making, not replace it. McKinsey’s analysis of AI in risk and compliance describes this as an AI- and gen-AI-powered risk intelligence centre that serves all lines of defence, automating reporting and improving transparency while risk managers retain decision authority. Accountability stays with the institution; AI changes what that accountability is spent on.

What AI document intelligence actually does in a CRR3 compliance workflow

The conversation about AI in financial regulation often stays abstract. In practice, the use cases for AI document intelligence in a post-CRR3 compliance environment are specific and operational. Three are particularly relevant for financial institutions managing the current regulatory cycle.

Pillar 3 XBRL data extraction and template mapping

The EBA’s CRR3 Pillar 3 Data Hub requires structured XBRL-CSV submission of hundreds of data points covering capital, risk, ESG exposure, and more. A bank’s relevant figures are distributed across internal risk model outputs, capital calculation systems, lending files, and sustainability assessments — in formats that were never designed with XBRL submission in mind. AI document processing identifies the relevant figures in source documents, maps them to the corresponding EBA taxonomy tags, flags inconsistencies or missing data for human review, and generates a structured pre-populated template ready for compliance team validation. The analyst validates rather than constructs — a qualitative shift in what a reporting cycle requires.

ESG questionnaire pre-filling for counterparty due diligence

Under CRR3’s ESG Pillar 3 templates and the Green Asset Ratio framework, banks must demonstrate taxonomy alignment across their lending portfolios — which requires counterparty-level ESG data that arrives, at best, in the form of sustainability reports and at worst as a heterogeneous collection of PDFs, spreadsheets, and partial disclosures. AI Intelligent Document Processing reads these documents regardless of format or reporting framework, extracts the relevant indicators semantically (recognising that “Scope 3 value chain emissions” and “indirect upstream carbon footprint” refer to the same concept), and maps extracted values to the questionnaire fields or disclosure templates the bank needs to populate. Every extracted value is linked to its source passage, creating a defensible evidence chain for regulatory review. McKinsey’s research on AI in compliance workflows highlights that agentic AI systems creating full audit trails for every interaction — including data used and steps followed — are precisely what compliance teams need to meet supervisory expectations.

DORA third-party risk questionnaires and ICT vendor registers

DORA’s third-party risk management obligations require financial institutions to maintain structured registers of ICT service providers, document contractual clauses, and conduct ongoing due diligence, much of which involves processing vendor documentation, certification reports, SOC 2 audits, and incident histories. This is document intelligence work: extracting relevant data points from unstructured vendor documents, mapping them to the categories required by the DORA register, and flagging gaps or inconsistencies for the operational resilience team. The same AI infrastructure that processes ESG questionnaire responses processes DORA vendor documentation, because the underlying problem is identical in both cases: structured compliance data locked in unstructured documents.

Across all three use cases, the underlying AI workflow is consistent. Documents are ingested and parsed regardless of format. Relevant data points are extracted semantically — meaning the system understands the content and its regulatory context, not just its position on the page. Extracted values are mapped to the target template or questionnaire fields. Low-confidence extractions and data gaps are flagged for human review. The compliance professional’s job shifts from extraction to validation. At the volume of documentation that CRR3, DORA, and ESG obligations now require financial institutions to process, this is not a marginal improvement. It is a qualitative change in what compliance operations can achieve.

What financial institutions should require from an AI compliance platform

Not all AI systems perform equivalently in financial regulatory contexts. The conditions that determine whether AI-assisted compliance is accurate, defensible, and audit-ready are specific and should be treated as baseline requirements rather than differentiating features.

Semantic understanding, not pattern matching. CRR3 Pillar 3 templates, ESG questionnaires, and DORA vendor assessments do not follow a single standard structure. A system that locates data by position — finding a number at a fixed location in a fixed template — will fail as soon as the document format changes. The system must understand meaning, recognising that different documents reference the same regulatory concept under different terminology and in different formats.

Full traceability, at every step. The EBA Pillar 3 Data Hub publishes disclosures to the market in real time. Supervisors, auditors, and investors can now cross-reference submitted XBRL data against publicly available sustainability reports and financial filings. In this environment, the question “where does this number come from?” is not an internal audit exercise — it is a market-facing accountability requirement. Every AI-extracted value must link to its source document, page, and passage.

Regulatory domain expertise. As the BCG compliance benchmark study concluded, the most effective compliance functions will combine risk and operations expertise with advanced technological capabilities. The AI system must have genuine domain knowledge of the frameworks it is processing — CRR3, SFDR, EU Taxonomy, ESRS, DORA — not just general document-reading capability. This is particularly important for cross-framework mapping, where the same underlying data point may satisfy requirements under multiple frameworks with distinct terminology.

Certified, client-isolated infrastructure. Financial institutions processing counterparty data, internal capital models, and client ESG assessments require AI infrastructure that operates under clear legal and technical data isolation guarantees. Enterprise AI deployments certified under ISO 27001, SOC 2 Type II, and with contractual Zero Data Retention provisions represent the appropriate baseline. Data residency within the EU is an additional requirement for institutions subject to GDPR and ECB supervisory expectations.

Dydon AI’s regulatory intelligence platform is built around all four requirements: semantic document extraction, full source traceability for every output, regulatory domain knowledge covering CRR3, SFDR, EU Taxonomy, ESRS, DORA and adjacent frameworks, and a client-isolated European infrastructure under which no document content is retained or used for model training. Every compliance output generated by the platform links to the document and passage from which it was extracted — producing the evidence chain that regulators, auditors, and the EBA Pillar 3 Data Hub now make visible to the market.

From document volume to structured compliance intelligence

CRR3 is not a reporting reform with some capital implications. It is a data infrastructure challenge that has arrived with capital implications attached. The shift to XBRL-based Pillar 3 submission via a public EBA hub, the integration of ESG risk into capital frameworks, the 140 EBA technical mandates being delivered through 2027 — all of these converge on the same operational bottleneck: getting structured, auditable, traceable compliance data out of the unstructured documents where it currently lives, at a pace and volume that manual processes cannot sustain.

The ABBL’s quantification of the cost of regulation, BCG’s documentation of compliance operating cost increases, and McKinsey’s analysis of the performance gap between manual and AI-assisted compliance processes all point in the same direction. The institutions that invest now in AI document intelligence — deployed responsibly, with governance frameworks that satisfy the EU AI Act, DORA, and supervisory expectations — will emerge from the current regulatory cycle with a structural operational advantage. Those that remain in manual workflows, or in disconnected pilot programmes that have not reached production, will face the next wave of EBA technical standards at a cost they cannot absorb proportionally.

As BCG concluded: leading banks treat regulatory infrastructure as a competitive advantage, not a burden. The question is no longer whether AI belongs in compliance operations. The question is whether the platform meets the standards that regulated financial data requires.

See how this works for your institution

Every compliance landscape is different. Our experts audit your specific situation — where the extraction burden is highest, where automation creates immediate value, and how it integrates with your existing workflows.

Sources cited in this article:

1. ABBL (2025). Annual Report 2025 — Resilience in the Financial Sector. Association des Banques et Banquiers, Luxembourg. abbl.lu
2. EBA (December 2025). Risk Assessment Report. European Banking Authority. eba.europa.eu
3. EBA (2025). Pillar 3 Data Hub — onboarding plan and reporting framework 4.1. European Banking Authority. eba.europa.eu
4. EBA (February 2025). Final Report ITS/2025/01 — IT solutions for Pillar 3 Data Hub submission. European Banking Authority. eba.europa.eu
5. CSSF (2025). Pillar 3 framework — guidance for Luxembourg institutions. Commission de Surveillance du Secteur Financier. cssf.lu
6. BCG (2025). Risky Times Call for Innovation in Bank Compliance. Boston Consulting Group. bcg.com
7. BCG (November 2025). A Faster Path to Scaling GenAI in Banking Compliance. Boston Consulting Group. bcg.com
8. McKinsey & Company (2025). Ushering in a New Era of Trusted AI — Regulatory Technology Analysis. McKinsey. mckinsey.com
9. McKinsey & Company (2025). How Agentic AI Can Change the Way Banks Fight Financial Crime. QuantumBlack, AI by McKinsey. mckinsey.com
10. McKinsey & Company (2024). How Generative AI Can Help Banks Manage Risk and Compliance. McKinsey Financial Services Practice. mckinsey.com
11. Wolters Kluwer (2025). CRR3 Implementation — What Institutions Need to Know. Regulatory Intelligence. wolterskluwer.com
12. Wolters Kluwer (March 2026). The AI Imperative in Banking: Moving from Pilot to Production. Wolters Kluwer Financial Services. wolterskluwer.com
13. Chambers & Partners (2026). Banking Regulation 2026 — Global Practice Guide. practiceguides.chambers.com
14. European Parliament (2025). The Implementation of Basel Standards: Progress, Divergence and Policy Challenges. Directorate-General for Internal Policies. europarl.europa.eu
15. KPMG (2023). Regulatory Technology Report — Automated Regulatory Reporting.
16. EY (2023). Global Risk Consulting — Compliance Verification Automation. Ernst & Young.

---