The SSM supervisory priorities reflect ECB Banking Supervision’s medium-term strategy for the next three years. They are set by the Supervisory Board, reviewed annually, and rest on a comprehensive assessment of the main risks and vulnerabilities for supervised institutions. The priorities also take into account the outcome of the Supervisory Review and Evaluation Process (SREP)[1] and progress made on the priorities from previous years. They support an efficient allocation of the available supervisory resources and can be adjusted flexibly if warranted by changes in the risk landscape.
Supervised institutions have navigated the adverse macro-financial and geopolitical shocks of recent years well. Robust fundamentals – such as sound capital positions and liquidity buffers or lower levels of non-performing loans (NPLs) – have helped banks cope with the challenges stemming from the coronavirus (COVID-19) pandemic and related supply chain disruptions, Russia’s war in Ukraine and the subsequent energy supply shock, as well as the recent failures of US and Swiss banks. The ability of the banking sector to withstand a severe economic downturn has also been confirmed by the outcome of this year’s EU-wide stress test.[2]
Looking ahead, the European banking sector is facing several challenges that require enhanced vigilance by supervisors and banks alike. While the fast-paced rise in interest rates has so far benefited banks’ profitability, the higher interest rate environment is expected to increase both the volatility of some funding sources and banks’ funding costs in the medium term, just when substantial amounts of central bank funding are to be replaced. In addition, the quality of banks’ assets may start to deteriorate again if geopolitical risks materialise or high inflation coupled with tighter financing conditions challenges the debt servicing capacity of households and non-financial corporations. Higher risk premia may lead to a further repricing of financial assets and new episodes of high financial market volatility. Against this background, it is essential that banks maintain and keep enhancing their credit risk and asset and liability management (ALM) frameworks, ensuring, for the latter, both liquidity and funding risks and also interest rate risk in the banking book (IRRBB) are covered.
The failure of a number of medium-sized US banks and the takeover of a Swiss bank once again highlighted that banks need strong internal governance and effective risk controls to cope with a dynamically evolving risk landscape. The bank failures also stressed the importance of a timely and effective supervisory response and, if needed, escalation, whenever banks’ practices appear inadequate and remediation slow. Against this background, ECB Banking Supervision will progressively apply the appropriate escalation mechanisms and tools to ensure that banks promptly and successfully address the shortcomings identified in the supervisory priorities. This is especially the case in governance, where major shortcomings have not been adequately addressed by some banks despite long-standing engagement with supervisors, for instance those related to the functioning and steering capabilities of management bodies or risk data aggregation and reporting (RDAR) capabilities. Banks also need to ensure that their practices are fully aligned with the sound management of climate related and environmental (C&E) risks. They must do so by the deadline of the end of 2024 at the latest, and ECB Banking Supervision has also set interim deadlines by which banks need to satisfy certain requirements.
As digital transformation has become a priority for many banks seeking to remain competitive, it is essential that they have adequate safeguards in place to limit potential risks stemming from new business practices and technologies. Supervisory investigations have shown that while some banks have already made good progress with their digital transformation, others have not allocated the necessary resources to achieve their goals. In addition, growing cyber threats, fuelled by current geopolitical tensions, and the increasing reliance on third-party service providers underline the need for banks to stay resilient and ensure continuity of their critical services even in the event of severe operational disruptions. Against this background and alongside the supervisory activities initiated as part of these priorities, banks will be asked in the months ahead to demonstrate their ability to respond to and recover from such adverse events.
While the risk landscape has evolved further since last year, the supervisory priorities and corresponding activities set out in 2022 remain valid overall and still address the main vulnerabilities in the banking sector. Notwithstanding the stability necessary for planning over a three-year horizon, a few selected adjustments are warranted in order to address the risks highlighted above.
In the context of the SSM supervisory priorities for 2024-2026, supervised institutions will primarily be asked to strengthen their resilience to immediate macro-financial and geopolitical shocks (Priority 1), as well as accelerate the effective remediation of shortcomings in governance and the management of C&E risks (Priority 2) and make further progress in their digital transformation and building robust operational resilience frameworks (Priority 3). Figure 1 lists seven key vulnerabilities in banks that can be assigned to three overarching priorities.
Figure 1
Supervisory priorities for 2024-2026, addressing identified vulnerabilities in banks
The main purpose of ECB Banking Supervision’s strategic planning is to develop a sound strategy for the next three years. The priorities promote effectiveness and consistency in the supervisory planning of the Joint Supervisory Teams (JSTs) and support a more efficient allocation of resources, in line with the setting of the corresponding risk tolerance levels. They also help national supervisors set their own priorities for the supervision of less significant institutions in a proportionate way. Transparent communication of the priorities clarifies supervisory expectations to banks, enhances the impact that supervision has on further increasing the resilience of the banking sector and helps to ensure a level playing field.
The following sections provide more detail on the outcome of the 2023 risk identification and assessment exercise and set out the supervisory priorities and underlying work programmes for 2024-2026. Other regular and ad hoc activities are also carried out by supervisors as part of their ongoing engagement with banks and complement the work on the priorities.
2.1 Operating environment for supervised institutions
The European banking sector demonstrated its high resilience to external shocks when the stress in the US and Swiss banking sectors in March this year triggered only limited and temporary spillover effects. European banks proved to be strong in terms of capital, liquidity and asset quality, and could also draw on well-diversified funding sources and customer bases. Their profitability, which has been an area of concern for many years, has recovered strongly recently on the back of the higher interest rate environment and has returned to levels not seen in more than a decade. The banking sector’s increased resilience – achieved also through the strengthening of the European regulatory and supervisory frameworks – may, however, be tested again in the future and there can be no room for complacency.
The growth outlook for the euro area remains subject to high uncertainty in the context of tighter financing conditions and heightened geopolitical tensions, while future energy and food price paths are subject to upside risks.[3] Inflationary pressures are further shaping the challenging environment, and weak euro area growth is expected to persist over the near term. While weaknesses in the manufacturing sector remain, activity in the services sector – the main driver of economic growth so far – is also set to soften given that the effects from the post-pandemic reopening of the economy are fading and the drag from tighter financing conditions and elevated consumer uncertainty remain significant. The euro area labour market has been resilient so far, but labour demand may slow down should economic activity stagnate for longer.[4] Credit supply conditions have tightened significantly since December 2022 and lending dynamics have slowed as the fast-paced tightening of monetary policy feeds increasingly into the real economy.[5]
Headline inflation in the euro area is projected to continue on a downward path over the medium term, while core inflation is expected to fall more gradually.[6] If monetary policy requires further tightening, or if interest rates stay at higher levels for longer in a scenario of persistently high inflation, the economic growth outlook may deteriorate, impairing banks’ asset quality. While households and corporate balance sheets appear financially sound overall, concerns about borrowers’ debt servicing capacity are rising, especially in real estate lending. Besides an erosion of banks’ asset quality in the event of an economic downturn, one-off factors like the bank levy constitute a separate downside risk to banks’ earnings in some countries.
A mixture of heightened geopolitical tensions, “higher-for-longer” interest rates and a potential economic slowdown in the euro area may result in renewed turbulences in financial markets. The banking sector turmoil in the United States and Switzerland in early March, which triggered a steep risk-off sentiment among US banks, only spread partially and temporarily to the European banking sector. Spillover to the euro area remained contained and short-lived, market volatility receded, and euro area stock prices recovered shortly after the shock, especially in the banking sector, while corporate bond spreads narrowed again. A sudden deterioration in the economic outlook could nonetheless trigger renewed episodes of heightened volatility and abrupt asset price corrections, resulting in a further tightening of financing conditions.
2.2 Supervisory priorities for 2024-2026
The supervisory priorities are set after a holistic assessment of banks’ main risks and vulnerabilities. The three overarching priorities for the next three years focus both on the near-term risks to the banking sector (Priority 1) as well as the need to tackle more structural medium-term challenges (Priorities 2 and 3). Each priority targets a set of vulnerabilities in the banking sector – referred to as “prioritised vulnerabilities” – for which dedicated strategic objectives have been set and work programmes have been developed in order to mitigate the underlying risks. Cross-dependencies between risks are reflected in the design of the work programmes, which are aimed at strengthening both the efficiency and the effectiveness of supervisors’ engagement with banks.
Priority 1: Strengthen resilience to immediate macro-financial and geopolitical shocks
The uncertain macro-financial environment, coupled with persistent geopolitical tensions and the risk of renewed episodes of financial stress, continues to shape the outlook for the European banking sector. Supervised institutions need to be prudent and develop and follow resilient business strategies to cater for the fast-changing macro-financial and geopolitical environment. Against this background, the primary objective for ECB Banking Supervision is to ensure that banks under its direct supervision strengthen their resilience to immediate macro-financial and geopolitical shocks. While rising interest rates have had a positive impact on profitability so far, banks must be prepared to cope with more volatile funding sources, higher funding costs, a potential fall in asset quality and a further repricing in financial markets in the short and medium term. Consequently, banks need to strengthen their credit risk management and ALM frameworks.
Prioritised vulnerability: Shortcomings in credit risk and counterparty credit risk management frameworks
Strategic objective: Banks should effectively remedy structural deficiencies in their credit risk management frameworks, including counterparty credit risk (CCR), and address any deviations from regulatory requirements and supervisory expectations in a timely manner. Banks should be able to swiftly identify and mitigate any build-up of risks in portfolios that are more sensitive to the current macro-financial environment.
Firms and households have so far proved their resilience to the economic slowdown thanks to robust profits, low unemployment rates and large savings buffers. While supervised institutions’ aggregate NPL ratio and stock are still close to record lows, early signs of asset quality deterioration are on the horizon. The Stage 2 ratio has increased for loans to households, especially consumer loans, as the squeeze in real income coupled with higher interest rates increasingly weighs on households’ debt servicing capacity. Likewise, corporate bankruptcies and default rates have started to pick up from the low levels observed during the pandemic.
The residential real estate (RRE) cycle in the euro area has turned, with a slowdown in mortgage lending and a decline in house prices in most euro area countries. The commercial real estate (CRE) market remains in a downturn, with valuations and transaction volumes declining sharply. Structural vulnerabilities and lower demand, particularly for lower quality retail and office assets, are amplifying the tighter financing conditions and uncertain market environment. Banks’ exposures appear particularly vulnerable in countries characterised by pre-existing overvaluation and with a significant share of variable rate and non-amortising (e.g. bullet) loans, which may have a higher refinancing risk.
The combination of higher funding costs due to tighter financing conditions and the high level of volatility in financial markets is amplifying risks to highly leveraged non-bank financial institutions, especially those with large derivative positions. Exposure to such institutions could entail heightened CCR for some banks, highlighting the need for sound risk management practices.
Supervisors have been working towards addressing structural deficiencies in banks’ credit risk management frameworks for several years.[7] While the supervisory activities reveal that banks have made some progress in this area, they also highlight several persistent shortcomings. These range, for example, from banks’ limited capabilities to anticipate emerging risks (including C&E risks) and adequately reflect them in their credit risk provisions, to gaps in their preparedness for dealing with a potential surge in distressed debtors and refinancing risks, and evidence of collateral overvaluation in CRE portfolios. While the findings of those reviews have fed into the 2023 SREP outcome, dedicated supervisory measures have been communicated to banks, and supervisors are monitoring the implementation of the planned remedial actions closely.
Regarding CCR management, the targeted review conducted in 2022 and the subsequent on-site inspections (OSIs) have highlighted material shortcomings in banks’ customer due diligence, risk appetite definition, default management processes and stress-testing frameworks. While supervised institutions have made progress in addressing the identified issues, further effort is still expected to achieve close alignment with the “Sound practices in counterparty credit risk governance and management” report published in October 2023.
Looking ahead, the supervisory activities from last year’s work programme that are aimed at achieving the strategic objective in credit and CCR management will largely continue. Nevertheless, some re-focusing is necessary to allow for the changing economic environment and the progress achieved thus far. The remaining gaps identified in the 2020 “Dear CEO” initiative will continue to be followed up on as part of the reviews of forbearance, unlikeliness-to-pay (UTP) and provisioning practices. Regarding the latter, the targeted review focused on IFRS 9 and overlays will be repeated to monitor banks’ progress and remediation of past findings. Moreover, targeted reviews and, where relevant, OSIs and internal model investigations will be conducted on more sensitive portfolios such as real estate (both residential and commercial) and small and medium-sized enterprises (SMEs). Regarding CCR, JSTs will continue to closely monitor banks’ exposures and scrutinise the adequacy of their risk management practices, performing a targeted follow-up on the progress made in remediating the shortcomings identified in 2022.
Main activities as part of the supervisory priorities work programme
- Targeted reviews focusing on the resilience of portfolios that are more sensitive to the current macro-financial situation and exposed to refinancing risk, including a follow-up on findings from previous targeted reviews on RRE and CRE lending and the launch of a new targeted review on vulnerable SME borrowers.
- Follow-up on the IFRS 9 targeted review, monitoring progress on the ability of banks’ expected credit loss models to capture emerging risks, with a focus on overlays.
- Extension of the deep dives on forbearance and UTP policies.
- Extension of the OSIs, focusing on IFRS 9 collective staging and provisioning for SMEs, retail portfolios and CRE, including collateral valuations.
- Extension of internal model investigations and follow-up by JSTs to assess changes in internal ratings-based models related to new regulatory requirements and the remediation of the findings from the targeted review of internal models.
- Follow-up on the targeted review of CCR management conducted in 2022.
- Targeted OSIs on specific aspects of CCR management.
Prioritised vulnerability: Shortcomings in asset and liability management frameworks
Strategic objective: Banks should ensure sound and prudent ALM governance and strategies, reflecting strong oversight by their management bodies and the adequate capture of risks stemming from current monetary policy and the fast-changing economic environment. They should, in particular, develop robust and credible funding plans aimed at achieving diversified funding structures, as well as effective contingency plans to be able to withstand short-term liquidity shocks. Banks should also ensure adequate management of their interest rate risk positions, reflecting prudent assumptions regarding customer behaviour, and develop corresponding mitigation strategies commensurate to their risk profiles.
The interest rate environment in which banks are operating has fundamentally changed over the past two years. While higher interest rates are broadly supporting the profitability of supervised institutions, they might also result in higher funding costs and pose challenges to banks’ liquidity situations and, more generally, their ALM governance, strategies and frameworks.
Financial market volatility and price corrections in fixed income markets in the light of the current interest rate dynamics have increased the risk of unrealised losses building up in banks’ amortised cost portfolios. Although the effects can be severe, as evidenced by the turmoil surrounding some US medium-sized banks in March, the combination of factors that led to that particular episode has so far not been observed in banks under European banking supervision. Indeed, as evidenced by data[8] published in July 2023, the overall amount of such unrealised losses was relatively contained, at €73 billion as of February 2023, compared with USD 620 billion for US banks at year-end 2022[9]. Supervisors have been scrutinising banks’ assessment and management of interest rate and credit spread risks from as early as the second half of 2021, when the first signs of inflationary pressure emerged. In 2022 ECB Banking Supervision included those risks in its supervisory priorities and performed a dedicated targeted review to proactively assess banks’ preparedness for potential rate hikes. Findings identified at that time pointed to the need for banks to review the calibration of their ALM models more frequently to respond to changes in customer behaviour stemming from the new interest rate regime and to weaknesses in some hedging strategies.
On the liquidity and funding side, supervised institutions have, on the whole, shown strong resilience to the changes in the financial environment so far. While shrinking central bank reserves and weak monetary dynamics have led to a decline in banks’ liquidity buffers, their liquidity coverage ratios and net stable funding ratios remain, on average, well above the regulatory minimum. In addition, supervised institutions are not displaying funding concentrations similar to those of some of the US medium-sized banks that failed earlier this year, as their main sources of funding primarily stem from deposits. These mostly come from retail customers, with the bulk covered by deposit insurance. In order to ensure the smooth phasing-out of the targeted longer-term refinancing operations (TLTRO) programmes and to assess banks’ preparedness for it, a targeted review focusing on banks’ TLTRO exit strategies was conducted in 2023. Against this background, some banks have been asked to further diversify their funding sources. A targeted review is also assessing the reliability and soundness of banks’ funding plans, the results of which will feed into the 2024 SREP outcome.
Going forward, ECB Banking Supervision will continue to strongly emphasise the need for banks to have robust ALM arrangements in place. Targeted activities will review banks’ ALM governance and strategies and assess the adequacy of the assumptions underpinning some of their behavioural models. Supervisors will also evaluate banks’ resilience to short-term liquidity shocks and the credibility and soundness of their liquidity contingency plans. Finally, supervisors will continue the efforts initiated in previous years by further reviewing how banks are managing IRRBB, as well as the soundness and reliability of their funding plans.
Main activities as part of the supervisory priorities work programme
- Targeted reviews of the soundness and reliability of funding plans, contingency planning and the adequacy of collateral optimisation capabilities, as well as of ALM governance and strategies.
- Targeted OSIs assessing the robustness and appropriateness of funding and recovery plans.
- Follow-up on the findings from the targeted review on interest rate and credit spread risks, extending this review also to a wider scope of institutions.
- OSI campaign on IRRBB, investigating in particular ALM positioning and strategy, IRRBB behavioural models and hedging strategy.
Priority 2: Accelerate the effective remediation of shortcomings in governance and the management of climate-related and environmental risks
The 2023 SREP results continue to highlight the insufficient progress achieved by some banks in tackling shortcomings in governance. This is especially the case in areas related to the functioning and strategic steering of banks’ management bodies, but also their RDAR capabilities. Furthermore, the importance of strong governance and sound risk controls has once again been highlighted by the failures of some US and Swiss banks earlier this year. The same is true in the context of steadily increasing C&E risks, the adverse impact of which is already being felt globally. Banks will be asked to step up their efforts and adequately reflect the relevant risk dimensions in their business strategies and risk management frameworks in order to fully comply with the corresponding supervisory expectations by the end of 2024. To support this objective, ECB Banking Supervision stands ready to make use of the tools at its disposal (including, when needed, capital add-ons, enforcement and sanctions and reviews of fit and proper assessments) to incentivise banks’ effective remediation of the identified shortcomings, especially when clear measures and concrete deadlines for meeting supervisory expectations are set.
Prioritised vulnerability: Deficiencies in management bodies’ functioning and steering capabilities
Strategic objective: Banks should effectively address material deficiencies in the functioning, oversight and composition of their management bodies by developing and swiftly implementing sound remedial action plans, adhering to supervisory expectations.
Strong internal governance arrangements and effective strategic steering are instrumental in assuring the resilience and sustainability of banks’ business models. The current uncertain macro-financial outlook and the ongoing change in the interest rate environment following years of accommodative financing conditions require banks to apply effective strategic steering and adjust their practices to adequately assess, control and manage the related risks. The March turmoil in the US and Swiss banking sectors has highlighted the crucial role of banks’ boards and management, who have the ultimate responsibility for ensuring adequate internal governance arrangements and effective risk management processes. It also underscored the potentially dire consequences for a bank if these are lacking. Effective strategic steering is also needed to adapt banks’ business models to evolving trends, such as digitalisation and an accelerated green transition.
Tackling deficiencies in management bodies has been one of ECB Banking Supervision’s top priorities for several years, and while there have been improvements in some areas, more progress is needed in terms of the composition, collective suitability and oversight role of banks’ boards. Following direct supervisory engagement in 2022, banks have made improvements in their diversity policies, which now include the criteria of education, experience, geographical provenance, and age in addition to gender. Currently, almost all supervised institutions have targets to address gender imbalances in their management bodies. However, the progress in meeting those targets is still insufficient.[10] Banks also need to further improve the collective suitability of their boards, as well as their challenging capacity. The latter is related to weaknesses in board composition (e.g. an insufficient number of formal independent directors and a lack of knowledge in specific areas like IT) and functioning (e.g. insufficient time set aside for debate and concerns in the nomination processes of management bodies). The oversight role of board committees also needs further improvement, as revealed in the 2023 targeted review of management bodies.[11]
ECB Banking Supervision will continue its engagement with banks to address these long-standing deficiencies through targeted reviews and OSIs. In addition, supervisors will update and publish supervisory expectations on governance and risk management.
Main activities as part of the supervisory priorities work programme
- Targeted review of the effectiveness of banks’ management bodies and targeted OSIs.
- Update and external publication of supervisory expectations and best practices regarding banks’ governance and risk culture.[12]
Prioritised vulnerability: Deficiencies in risk data aggregation and reporting
Strategic objective: Banks should effectively address long-standing deficiencies and have adequate and effective RDAR frameworks in place to support efficient steering by management bodies and to address supervisory expectations, including in times of crisis.
Timely and accurate risk-related data aggregation and reporting are essential for sound decision-making and effective strategic steering by banks, especially in the current environment, as well as for the purpose of risk, financial and supervisory reporting. The outcomes of supervisory exercises performed to date – including the 2023 SREP exercise and the ongoing OSIs campaign – all point towards insufficient progress in closing gaps with respect to supervisory expectations and compliance with the Basel Committee on Banking Supervision principles for effective risk data aggregation and risk reporting. The key deficiencies relate to insufficient attention and oversight of management bodies, weaknesses in data architecture and fragmented and non-harmonised IT landscapes, low capacity for aggregating, and ineffective governance frameworks. Strong prioritisation by management bodies is key, as tackling RDAR-related deficiencies often requires significant resources.
As already communicated in last year’s supervisory priorities, ECB Banking Supervision is strengthening its efforts to ensure that supervised institutions deliver substantial progress in remedying the long-standing shortcomings identified in RDAR. A structured escalation mechanism, possibly including enforcements and sanctions, will be increasingly applied from 2024 onwards.[13] The Guide on effective risk data aggregation and risk reporting further reinforces and specifies the supervisory expectations. A public consultation[14] on the Guide took place between July and October 2023, and the Guide is planned to be published in 2024. Supervisors will also perform targeted reviews and OSIs and will engage with banks when persistent shortcomings are identified. Moreover, the Management Report on Data Governance and Data Quality[15], piloted in early 2023, will be continued as an annual questionnaire to banks. It aims to ensure adequate accountability of banks’ management bodies in matters related to internal, financial and supervisory reporting.
Main activities as part of the supervisory priorities work programme
- Refinement of supervisory expectations related to the implementation of RDAR principles and publication of the Guide on effective risk data aggregation and risk reporting.
- Targeted reviews of RDAR practices.
- OSIs campaign on RDAR (extension from 2023).
- Production of the Management Report on Data Governance and Data Quality – an annual questionnaire to ensure adequate accountability of banks’ management bodies in matters related to internal, financial and supervisory reporting.
Prioritised vulnerability: Material exposures to physical and transition risk drivers of climate change
Strategic objective: Banks should adequately incorporate C&E risks within their business strategy and their governance and risk management frameworks in order to mitigate and disclose such risks, aligning their practices with current regulatory requirements and supervisory expectations.
Global greenhouse gas emissions have continued to rise[16], leading to further future global warming and, in turn, the intensification of multiple and concurrent hazards, as repeatedly shown by record-breaking heatwaves and the wildfires and floods in Europe and other regions of the world. The policies in place fall short of achieving the global warming targets set under the 2015 Paris Agreement.[17] Delayed climate action is expected to further increase physical and transition risks and, potentially, the related losses to banks, raising the risk of greater damages, locked-in high-emission infrastructures, stranded assets and cost escalation.[18] Geopolitical tensions, as well as increasingly higher upfront investments and disruptive changes needed for mitigation and adaptation, are likely to further fuel transition risks amid the tighter financing conditions.
While for some banks, the SREP 2023 revealed some improvement in defining their strategy with respect to C&E risks, for others it also showed the pressing need to address these deficiencies. SREP qualitative measures focused mainly on banks’ weaknesses in strategic and operational planning and in management bodies’ knowledge of environmental, social and governance (ESG) topics. C&E risks affected Pilar 2 requirement levels for an increasing number of banks when compared with last year’s SREP exercise.[19]
In order to effectively address the deficiencies highlighted by the ECB’s 2022 climate risk stress test[20] and thematic review[21], ECB Banking Supervision set institution-specific deadlines for banks to fully align their practices with the supervisory expectations laid out in the 2020 ECB Guide on climate-related and environmental risks by the end of 2024. March 2023 marked one of the intermediate milestones in this process, as this was the month by which banks were expected to adequately categorise C&E risks and conduct a full assessment of the related impact on their activities. Some banks have still shown severe weaknesses in this respect, and supervisors have engaged with them through operational acts, SREP qualitative requirements and ad-hoc Supervisory Board decisions. By the end of 2023, banks are expected to incorporate C&E risks in their governance, strategy and risk management, and finally, by the end of 2024, meet all remaining supervisory expectations outlined in 2020, including full integration in the Internal Capital Adequacy Assessment Process (ICAAP) and stress testing. Going forward, ECB Banking Supervision will continue to use its full toolkit to ensure banks comply with these expectations including, when needed, supervisory escalation, such as periodic penalty payments or bank-specific capital add-ons.[22]
Moreover, supervisors will continue reviewing and assessing the adequacy of banks’ disclosure practices. While banks have made some headway in this area, as revealed by the outcome of the third assessment of the progress European banks have made in disclosing climate and environmental risks, the quality of the disclosed information remains low. Other areas of focus in the coming years will include addressing C&E-related reputational and litigation risks arising from the publication of transition objectives and/or net zero commitments. Supervisors will also pursue their preparatory work to develop a framework for reviewing banks’ transition planning and readiness to meet ESG-related mandates in the Capital Requirements Directive (CRD VI). Finally, climate-related risks will continue to be assessed in certain risk-specific OSIs, while targeted stand-alone C&E risk missions are planned to start in 2024.
Main activities as part of the supervisory priorities work programme
- Targeted follow-up on shortcomings identified in the context of the 2022 climate risk stress test and thematic review, with the aim of achieving full alignment with the related supervisory expectations by the end of 2024.
- Review of banks’ compliance with and alignment between implementing technical standards on reporting and Pillar 3 disclosure requirements related to C&E risks, together with a benchmarking of banks’ practices against supervisory expectations.
- Deep dives on banks’ capabilities of addressing reputational and litigation risk associated with C&E-related commitments.
- Targeted OSIs on climate-related aspects, either on a stand-alone basis or within planned reviews of individual risks (e.g. credit, operational and business model).
Priority 3: Further progress in digital transformation and building robust operational resilience frameworks
While most supervised institutions are making progress in the digitalisation of their operations and services to cope with ever-increasing competitive challenges, they also need to strengthen and, where needed, adjust their operational resilience frameworks to mitigate potential risks. Achieving operational resilience should contribute to the sustainability of banks’ business models in the medium term and enable them, among other things, to reap the benefits of innovative technologies. However, some banks are falling behind in achieving their goals in this area. In addition, supervised institutions need to tackle vulnerabilities stemming from their increasing operational reliance on third-party providers and improve their IT security/cyber risk management. This is especially important in the light of the increasing cyber threats stemming from the current geopolitical environment.
Prioritised vulnerability: Deficiencies in digital transformation strategies
Strategic objective: Banks should develop and execute sound digital transformation plans through adequate arrangements (e.g. business strategy and risk management) to strengthen their business model sustainability and mitigate risks related to the use of innovative technologies.
Supervised institutions have recently reported record-high profitability, largely driven by higher net interest margins. However, structural weaknesses in their business models persist. Banks’ cost-to-income ratios remain persistently high and sticky, and the implementation of cost containment measures might prove challenging with the current high inflationary pressures. In this regard, supervised institutions should be able to manage the envisaged increase in operating expenses without jeopardising much-needed investment in digital transformation. Digitalisation is expected to strengthen banks’ competitive positions and make them more resilient to competition stemming from outside the banking sector.
In 2023 ECB Banking Supervision conducted a horizontal assessment and a benchmarking analysis based on the SSM-wide data collection on digital transformation and the use of financial technology (fintech). The outcome of this analysis was shared with banks and helped qualify a number of risks related to digital transformation, including strategic and execution risks, cyber risk, third-party dependency risk and money laundering and fraud risks. Targeted OSIs, which complemented the horizontal assessment, raised concerns about effective strategic steering and execution and underlined the importance of upskilling staff and management bodies. Deficiencies in budgeting and financial planning were also revealed, as banks struggle to monitor the financial impact of their digital transformation initiatives. The outcome of these activities informed the supervisory assessment of banks’ business models during the 2023 SREP cycle. Going forward, ECB Banking Supervision will continue to focus on digital transformation, combining targeted reviews with dedicated OSIs. ECB Banking Supervision will publish its supervisory expectations on banks’ digital transformation.[23] The revised expectations will help strengthen the supervisory assessment methodology.
Main activities as part of the supervisory priorities work programme
- Targeted reviews focusing on the impact of banks’ digital transformation on their business model/strategy, governance and risk identification/management, complemented by JSTs’ follow-up with banks where material deficiencies are identified.
- Targeted OSIs on digital transformation, combining the business model dimension with the IT aspect of banks’ digital transformation strategies.
- Publication of supervisory expectations and sharing of best practices on digital transformation strategies.
Prioritised vulnerability: Deficiencies in operational resilience frameworks, namely IT outsourcing and IT security/cyber risks
Strategic objective: Banks should have robust outsourcing risk arrangements and IT security and cyber resilience frameworks to proactively tackle any unmitigated risks that might lead to material disruption of critical activities/services, while ensuring adherence to the relevant regulatory requirements and supervisory expectations.
Cyber risk and data security remain key drivers of banks’ operational risk. The number of cyber incidents that supervised institutions reported to ECB Banking Supervision surged in the first half of 2023, reflecting the banking sector’s significant exposure to evolving cyber threats, which was due, among other things, to Russia’s war in Ukraine and heightened geopolitical tensions. Destructive attacks have become a prominent component of the operations of state actors, with financial institutions also being a likely target given their role in critical infrastructure.[24] Ransomware attacks in particular have been on the rise, with cybercriminals becoming more sophisticated and banks increasingly being affected by evolving extortion techniques.
Weaknesses in IT outsourcing arrangements present another key vulnerability, given banks’ increasing reliance on third-party service providers. The lengthening and increasing complexity of supply chains require banks to gain a better understanding and control of their supplier relationships and (inter-)dependencies to proactively address potential concentration risks. Sound asset and vendor management are thus key for banks to be able to meet the demands of customers and increase their efficiency in an increasingly competitive landscape, all while ensuring proper risk management of their outsourcing arrangements and adoption of cloud solutions. The outcome of the 2023 SREP assessment has further confirmed the prominence of banks’ deficiencies related to the management of IT outsourcing and IT security/cyber risks, as operational risk continues to be the element with the worst SREP scores.[25]
Against this background, ECB Banking Supervision has established an annual collection of supervised institutions’ outsourcing registers. The analyses run so far have identified various vulnerabilities, including a high dependency on some non-European external providers and a significant number of outsourcing contracts. Proper third-party risk management, including cloud outsourcing, remains high on the supervisory agenda and will be assessed further as part of ongoing activities.
Besides the horizontal assessment of banks’ outsourcing arrangements and the analysis of concentration risk, ECB Banking Supervision will continue to carry out targeted reviews of outsourcing arrangements and cyber resilience, to gain a better insight into the nature and magnitude of the risks as well as banks’ related mitigation measures. The targeted reviews will also be complemented by OSIs in order to identify and assess deficiencies on a bank-by-bank basis. Given the surge in cyberattacks and the importance of the topic in the current geopolitical environment, ECB Banking Supervision will additionally conduct a thematic stress test on cyber resilience next year, to assess banks’ ability to respond to and recover from a successful cyberattack.[26]
Main activities as part of the supervisory priorities work programme
- Data collection and horizontal analysis of outsourcing registers to identify interconnections among supervised institutions and third-party providers and potential risk concentrations in certain providers.
- Targeted reviews of outsourcing arrangements and cyber resilience.
- Targeted OSIs of outsourcing and cyber security management.
- System-wide cyber resilience stress test in 2024 focusing on the response and recovery capabilities of banks after a cyber security incident, and their ability to contain the impact and restore services in a timely manner.
European Central Bank, 2023
Postal address 60640 Frankfurt am Main, Germany
Telephone +49 69 1344 0
Website www.bankingsupervision.europa.eu
All rights reserved. Reproduction for educational and non-commercial purposes is permitted provided that the source is acknowledged.
For specific terminology please refer to the SSM glossary (available in English only).
PDF ISBN 978-92-899-6273-5, ISSN 2599-8420, doi:10.2866/14 QB-BZ-24-001-EN-N
HTML ISBN 978-92-899-6281-0, ISSN 2599-8420, doi:10.2866/473275 QB-BZ-24-001-EN-Q