At a glance
- The ECB Single Supervisory Mechanism’s (SSM) updated banking supervision priorities reflect a shift in focus to new financial and operational risks created by Russia’s invasion of Ukraine, and the subsequent deterioration in macroeconomic conditions seen in 2022.
- Concentration of funding sources is identified as a new vulnerability, while long-standing concerns around risk data aggregation have risen back to the top of the supervisory agenda.
- Operational resilience continues to climb up the ladder of supervisory priorities, with heightened cybersecurity risks as well as vulnerabilities stemming from outsourcing being a particular focus.
- Although the emphasis has shifted in several areas, firms should expect continued supervisory activity in relation to legacy risks such as digital transformation and management bodies’ steering capabilities. Climate and environmental risks remain equally prominent and will continue to form part of day-to-day supervisory engagement.
Relevant to: Board members; risk, compliance and finance leads; heads of regulatory affairs and other interested executives of banks operating in the Euro Area.
The SSM has reviewed its strategic priorities for the supervision of Euro Area banks. Its three overarching supervisory priorities for 2023-2025 take into account the 2022 SREP outcomes and the recent evolution of macroeconomic conditions. They are:
- Strengthening resilience to immediate macro-financial and geopolitical shocks;
- Addressing digitisation challenges and strengthening management bodies’ steering capabilities; and
- Stepping up efforts in addressing climate change.
Among these supervisory priorities, the SSM has identified a number of “prioritised vulnerabilities” that sit under each priority and give a much richer picture of the risks that it will seek to address through its supervisory engagement in the coming years. This blog analyses these vulnerabilities, looking specifically at what is new, what is growing in focus, and what continues to remain a focus from previous years.
What is new:
- Structural deficiencies in credit risk management remain a key element to tackle as recession risk threatens credit conditions across Europe
Although neither the pandemic nor the consequences of the war in Ukraine have so far resulted in an uptick in non-performing loans (NPLs), the ECB and the EBA have recently warned against a partial deterioration in asset quality. Several credit institutions recorded an increase in stage 2 loans (assets with deteriorating quality but that are not yet impaired). In the SSM’s analysis, the probability of default has increased by 50 basis points since March 2022 for mortgages underwritten with energy-intensive firms and with businesses vulnerable to increased production costs. These data guided supervisors to adopt last year’s blueprint on credit risk management, while shifting their focus to asset quality issues in the energy and commercial real estate sectors. Planned targeted reviews for material portfolios in vulnerable sectors should lead banks to enhance their understanding of the drivers of impairments and ensure impairment overlays can be clearly explained to supervisors.
Banks are also in the process of bringing back into their capital positions the impairments arising from COVID-19-related IFRS 9 transitional arrangements. This process paired with ongoing asset quality deterioration will put pressure on banks to reflect risks in their balance sheets accurately. The SSM will conduct targeted reviews of IFRS 9 aimed at assessing the compliance of selected banks with the credit risk management supervisory expectations laid down in the 2020 “Dear CEO” letter and investigating specific modelling aspects. Banks should start undertaking proactive credit analysis and risk management in line with their IFRS 9 position and update validation models to reflect cost-of-living movements (relative both to households and businesses) appropriately.
You can find more on the credit risk scenario banks are likely to face in 2023 in our flagship Financial Markets Regulatory Outlook publication.
- Concentration of funding sources is highlighted as a new vulnerability
Although banks’ liquidity ratios generally remain comfortably above regulatory minima, the SSM highlights the concentration of funding sources as a new “prioritised vulnerability”, meaning that firms should expect and prepare for heightened supervisory interest in this area in the near term. This follows a decision by the ECB to recalibrate the conditions of the TLTRO III, with many banks having increased their use of central bank funding through the pandemic and reduced their share of market-based funding. While banks in stronger funding and liquidity positions may be able to drive down TLTRO borrowings using early repayment windows and refinance borrowings at competitive market rates, diversification of funding sources may prove more expensive for smaller banks with high reliance on TLTRO III – potentially putting pressure on prudential ratios and profitability.
The SSM will conduct targeted reviews of banks’ TLTRO III exit strategies, as well as broader reviews of banks’ liquidity and funding plans, including through on-site inspections. It is therefore vital that banks develop and execute robust multi-year funding plans that take into account changes in funding conditions, and the SSM is likely to pay close attention to banks’ stress testing in the ILAAP.
- Risk data aggregation and reporting frameworks have risen back to the top of the agenda
Consistent with the results of last year’s SREP exercise, deficiencies in risk data aggregation and reporting (often exacerbated by fragmented and non-harmonised IT systems) are highlighted as a prioritised vulnerability. This is a long-standing supervisory concern, with many banks having long struggled to implement BCBS 239 effectively. The SSM’s prioritisation of risk data aggregation indicates that supervisory patience is running out, and banks should expect more intense supervisory scrutiny in the coming year.
For firms, allocating resources to improving risk data aggregation and reporting will be nothing new. However, given the renewed supervisory focus in this area, banks should develop more ambitious and wide-ranging remediation plans. Banks will need to be able to demonstrate to their supervisors that those plans are fully costed, resourced and approved.
What was there before but is growing as an area of supervisory focus:
- Deficiencies in IT outsourcing and IT security/cyber risks remain a vulnerability, with operational resilience now playing a greater role
The SSM has highlighted the risks arising from the digitisation of banking services and the growing reliance on third party service providers, as well as a heightened risk of cyberattacks as part of the Russia-Ukraine conflict. It underlines the need for banks to adopt sound IT and outsourcing risk management strategies and indicates that it will conduct targeted reviews of banks’ IT risk controls, cybersecurity measures and outsourcing arrangements.
With the recent entry into force of the EU’s Digital Operational Resilience Act (DORA), the SSM will also receive a number of new supervisory tools that will allow it to evaluate more closely the operational resilience of banks, including through the assessment of their operational resilience strategy, resilience testing programmes and related remediation, outsourcing concentration risk analysis and a new incident reporting framework. Taken together, the mandate given to the SSM by the DORA will amount to a significant step change in its supervisory engagement with banks’ work on managing IT risk, operational resilience, and outsourcing risk. All in-scope EU firms are required to comply with the DORA’s requirements by 17 January 2025.
What is little changed from last year’s priorities:
- Deficiencies in management bodies’ steering capabilities remain a focus
The SSM has identified areas of ongoing concern for banks, particularly with respect to gender representation targets in management bodies, insufficient risk diversity in boards and deficiencies in succession planning processes. The SSM will conduct reviews to establish the effectiveness of management bodies and their skills, with priority given to IT and cyber risk expertise.
- Deficiencies in digital transformation strategies continue to be a relevant vulnerability
The SSM continues to view the digital transformation of the banking sector as a vulnerability, both through risks associated with the change to and use of new technologies as well as the business model risk of competition from BigTech and FinTech actors. As part of its ongoing work in this area, the SSM is expected to publish its supervisory expectations for digital transformation strategies as well as the results of its 2022 benchmarking exercise. The SSM has also indicated that it will carry out targeted reviews of digital transformation strategies and conduct follow-ups with banks where material deficiencies have been identified.
- The SSM’s supervisory agenda related to climate change continues apace, following the ECB’s inaugural climate stress test in 2022 as well as its holistic thematic review
Those exercises, and in particular the thematic review, gave banks a clear steer on areas for improvement (and the deadlines for doing so) – with comprehensive materiality assessments due to be completed by March 2023, and the SSM’s expectations fully embedded by the end of 2023.
Alongside monitoring of banks’ progress on supervisory expectations, the SSM will assess compliance with the EBA’s new Pillar 3 requirements for ESG risks, continue the on-site inspections it kicked off in 2022 and conduct deep dives on reputational and litigation risk. For banks, pre-emptively reviewing the integration of climate risks into their management of those risk types will be a useful exercise.
The SSM’s 2023-2025 supervisory priorities are an important update of the supervisory approach to banks in the Euro Area, particularly given the dramatic macro-financial and geopolitical changes in 2022. The SSM will expect banks to understand how the latest priorities and the prioritised vulnerabilities underlying them relate to their own business model and risk profile.
As the risk of a deterioration in financial and economic conditions in 2023 continues to be high, banks should expect the SSM to intensify targeted reviews and specific supervisory action around areas where deficiencies have been identified. The supervisory priorities and prioritised vulnerabilities provide a good guide to where this scrutiny is most likely to focus.