Banking

Supervisory methodology


The following sections provide a broad description of the Supervisory Review and Evaluation Process (SREP) methodology applied to significant institutions under the direct supervision of the European Central Bank (ECB) (as set out in the SSM Regulation[1] and the SSM Framework Regulation[2]). The ECB continuously refines its supervisory methodologies to ensure they are up to date and reflect the latest supervisory developments as well as regulatory requirements.

The ECB carries out the SREP assessment on the basis of a case-by-case approach using a standardised methodology, applying a principle of business and corporate governance neutrality.

The SREP approach:

  • is consistent with the European Banking Authority (EBA) Guidelines on SREP (EBA/GL/2014/13)[3], relevant Capital Requirements Directive (CRD)[4] provisions as transposed into national laws, relevant Capital Requirements Regulation (CRR)[5] provisions and other relevant EBA guidelines and regulatory technical standards as applied to the relevant risks assessed in the SREP;
  • is periodically updated to ensure alignment with the EBA Guidelines on SREP and to reflect new regulations;
  • draws on leading practices within the Single Supervisory Mechanism (SSM) and methods recommended by international bodies, thereby keeping up with evolving practices and ensuring continuous improvement;
  • is applied in a proportionate manner to significant institutions, taking into account the nature, scale and complexity of their activities and, where relevant, their position within a group.

For official definitions and further information, please refer to the EBA Guidelines on SREP.

1.1 Executive summary

Joint Supervisory Teams (JSTs) regularly assess and measure risks to SSM significant institutions. The teams are made up of supervisors from the ECB and national competent authorities (NCAs) and carry out this regular review and assessment to determine whether banks are complying with relevant European laws and regulations and are meeting supervisory expectations.

Supervisors do this through the Supervisory Review and Evaluation Process, or SREP, which is central to European banking supervision.

The SREP assesses the way a bank deals with its risks and the elements that could adversely affect its capital or liquidity, now or in the future. This process determines where a bank stands in terms of capital and liquidity requirements, as well as the adequacy of its internal arrangements and risk controls.

The SREP has three main outcomes:

The SREP is based on four elements:

  • a business model and profitability assessment;
  • an internal governance and risk management assessment;
  • an assessment of risks to capital on a risk-specific basis (i.e. credit risk, market risk, operational risk, interest rate risk in the banking book – IRRBB), of the institution’s internal capital adequacy assessment process (ICAAP) and of capital adequacy;
  • an assessment of risks to liquidity and funding on a risk-specific basis (i.e. short-term funding, long-term funding and the institution’s internally identified risks in normal scenarios and under stressed conditions), which feeds into the preliminary determination of a liquidity requirement to cover those risks, of the institution’s internal liquidity adequacy assessment process (ILAAP) and of the adequacy of liquidity.

Figure 1

The SREP methodology

For each element, the evaluation is conducted through a dedicated risk assessment system (RAS). The RAS is fed with regular reporting, such as common reporting (COREP) and financial reporting (FINREP), and qualitative information, and also includes ad hoc information obtained by JSTs from various sources on an ongoing basis. These include other data (e.g. short-term exercise data, internal bank data), reports (e.g. external audit reports), meetings and inputs stemming from on-site supervision and/or “deep dive” analysis. The outcome of the RAS is summarised in a “rationale” and a score that facilitates comparison and internal communication.

The approach for each of the four elements is based on the three phases described below and focused on a quantitative (risk level)[9] and/or a qualitative (risk control)[10] perspective in line with the EBA Guidelines on SREP. Following the JST’s detailed assessment, each of the four elements is given a combined score ranging from 1 (low risk) to 4 (high risk). Following the conclusion of a pilot project conducted in SREP 2021 to introduce more granular and accurate scoring for the assessment of internal governance and the overall SREP assessment, for SREP 2022 the four elements have been scored using qualifiers for scores 2 and 3 (2+, 2, 2- and 3+, 3, 3-). The qualifiers provide a more granular and more accurate assessment, allowing a more precise reflection of the year-to-year evolution. The qualifiers should not be interpreted as a tool to express trends or outlooks, but as a tool to increase the granularity of the assessment.

The assessment includes the evaluation of the institution’s ICAAP and ILAAP, as well as the performance of stress tests.

The assessment of each element is performed in three phases:

  • Phase 1: Supervisors gather data from the bank.
  • Phase 2: Production of an automated preliminary anchoring score for the risk level and a formal compliance check for risk control.
  • Phase 3: Supervisors carry out a more thorough risk assessment, taking into account supervisory judgements regarding the specificities of the bank.

Figure 2

The three phases of the SREP assessment

1.1.1 Overall assessment

The assessment of the four elements is then combined in an overall SREP assessment, reflecting the “supervisory view”, which is summarised in an overall SREP score of between 1 and 4 (with qualifiers) and a main rationale which explains why the score in question has been assigned. In line with the EBA Guidelines on SREP, this overall SREP score reflects the supervisor’s overall assessment of the viability of the institution: higher scores reflect higher risks to the viability of the institution stemming from one or more features of its risk profile.

As an outcome of the assessment, banks may be asked to implement a wide range of measures to address any capital and liquidity shortcomings, as well as other qualitative measures.

Banks receive the outcome of the SREP assessment via a formal SREP decision. The individual SREP decision supports other supervisory activities. It feeds into the SEP, which consists of strategic and operational planning for the upcoming supervisory cycle. Moreover, it has a direct impact on the frequency and depth of the bank’s off-site and on-site supervision.

The SREP is flexible and adjustable to ensure risk-based supervision. In practice, this means that the frequency, scope and depth with which the elements of the SREP are assessed can vary depending on the level of supervisory engagement and the bank’s specific circumstances.

The SREP assessment cycle is generally based on year-end data from the previous year, i.e. the SREP 2022 assessment cycle is generally based on year-end data for 2021. The outcomes of the SREP assessment cycle for a given year generally translate into SREP decisions applicable for the following year, i.e. the outcomes of the SREP 2022 assessment cycle are reflected in SREP decisions applicable for 2023.

2.1 Backward and forward-looking perspectives

The SREP aims to assess an institution’s intrinsic riskiness, its position vis-à-vis a group of peers, and its vulnerability to exogenous factors.

Supervisors are required to take all necessary steps in a timely manner to ensure an institution’s future viability, so their assessment also needs to adopt a forward‑looking perspective. Thus, the SREP assesses an institution’s viability at a 12-month horizon as well as from a medium to long-term perspective, using a wide range of backward and forward-looking quantitative and qualitative information.

Past developments are a key input into the assessment, since reliable data are, in general, widely available and may give an indication of trends in terms of future developments. This must be complemented by forward-looking information (including, for instance, probabilities of default (PDs), losses given default (LGDs), institutions’ capital and liquidity planning, and institutions’ own and supervisory stress tests). In the RAS, the forward-looking perspective is incorporated in Phase 3 assessments. Blocks 2 of Elements 3 and 4 take a forward-looking view with a focus on the near future. Blocks 3 of Elements 3 and 4 adopt a longer-term perspective, e.g. three to five years.

2.2 Holistic approach

The SREP aims to produce an overall picture of an institution’s risk profile that is as complete as possible, taking into account all relevant risks and their possible mitigants. An institution’s risk profile is necessarily multi-faceted, and many risk factors are interrelated. This also holds true for the possible supervisory actions that can be implemented in response. This is why the four elements of the SREP need to be looked at together when producing the overall SREP assessment and preparing the SREP decision.

With regard to possible additional capital requirements, the holistic approach is being expanded by looking more closely at the individual drivers of risk, since the factors that feed into the overall supervisory assessment of a bank do not all have the same impact on its additional capital requirements.

2.3 Accountability

The SREP results in supervisory actions, including decisions on capital or liquidity or other types of supervisory measure. These measures (whether immediate, short‑term or more structural) have to be taken into account in supervisory planning.

The SREP provides high-quality supervision to ensure financial stability within the euro area. This entails enhancing SSM institutions’ resilience to shocks. JSTs carry out their assessments in a conservative manner, adopting a fair but tough approach, and take the necessary action to enhance and ensure the viability of institutions.

2.4 Constrained judgement

The principle of “constrained judgement” applies throughout the SREP, allowing the JST to take into account the specificity and complexity of an institution while also ensuring consistency across supervisory judgements within the SSM. This is done through anchor points provided by the process, from which JSTs can deviate to a certain extent. Both dimensions are important. Anchor points are necessary to ensure homogeneity in supervisory assessments, but they cannot take into account the specificities of an institution’s risks and are considered to be only a starting point for the supervisory assessment. Supervisory judgement is necessary to adequately assess an institution’s specific risk profile but needs to be consistent over time and across institutions.

Constrained judgement in the SREP can be summarised as follows:

  • anchor points provide a standardised perspective across institutions;
  • all assessments rely on supervisory judgement;
  • judgement is guided by the SREP methodology, and it is possible to depart from anchor points to a certain, pre-defined extent;
  • each step is justified and documented, to ensure accountability.

The constrained judgement should ensure the right balance between:

  • a common process, ensuring consistency across SSM banks and defining anchor points;
  • the necessary supervisory judgement, to take into account the specificities and complexity of an institution.

Constrained judgement is used effectively by JSTs in both directions – improving as well as worsening the scores.

Figure 3

The overall SREP

3.1 Preparation: information sources

The SREP assessment is performed on the basis of a wide range of information sources, including both quantitative and qualitative data. The preparation phase entails intense cooperation between the ECB and national competent authorities, which work together on bank-specific topics within the Joint Supervisory Teams and on the SREP methodological elements within a dedicated technical network. Quantitative data are of particular importance for fostering consistency and comparability.

Key sources of quantitative information include (non-exhaustive list):

  • risk indicators based on FINREP and COREP data (available at a consolidated level since mid-2014);
  • risk indicators from sources other than FINREP/COREP;
  • indicators of economic and market conditions (GDP, sector NPLs, market volatility, etc.);
  • other, non-harmonised regulatory data (central credit register, etc.);
  • an institution’s internal information (ICAAP, ILAAP, including stress tests, internal reports, etc.);
  • financial statements, Pillar 3;
  • peer group indicators;
  • supervisory stress test results;
  • market views (external ratings, investors’ quantitative analyses, etc.).

Key sources of qualitative information include (non-exhaustive list):

  • relevant documentation, such as policy documents;
  • supervisory findings (inspection reports, meeting reports, etc.);
  • institutions’ internal documents (ICAAP/ILAAP information, such as risk management reports (dashboards, limit reports, etc.), risk appetite, financial statements, management body memos, organisational charts, internal audit reports, whistle-blower reports, etc.);
  • reports on the environment in which institutions operate: risk trends, new areas of focus, analysts’ reports, rating agencies’ reports, equity analyst recommendations, news, etc.

3.2 Evaluation: overview

The SSM risk assessment system supports the JSTs’ day-to-day supervisory work. It is used for their ongoing analysis of Element 1 (business model), Element 2 (internal governance and risk management), Block 1 of Element 3 (risks to capital) and Block 1 of Element 4 (risks to liquidity and funding).

Supervisory assessments of the four elements and the overall SREP are formalised in a rationale and a score. In the rationale, the JST highlights the main factors driving its assessment, key deficiencies, and their possible effects on the institution’s viability, supported by key evidence such as tables and figures.

Scores are mostly used as a means of summarising supervisors’ views and facilitating high-level, cross-sector comparisons and communication, both within the SSM and with the institution itself. They should not be confused with other types of rating, such as those used by rating agencies or institutions to assess a debtor’s ability to pay back its debt or the likelihood of its default.

Figure 4

Overview of the scoring framework

Source: EBA Guidelines on SREP.

Risk elements are assessed from both a quantitative (risk level)[11] and a qualitative (risk control)[12] perspective.

For each perspective, assessments are performed in three complementary phases[13]:

Figure 5

The three complementary phases of risk level and risk control assessments

Notes: n/a: not applicable

These three phases establish a logical sequence to be followed when performing the assessment. In practice, additional information collected during thesupervisory activities needs to be recorded on an ongoing basis. The outcome of Phase 3 may also require the JST to gather additional information in order to refine its assessment.

3.2.1 Considerations in relation to inherent risk: risk level

A risk level (RL) assessment refers to the intrinsic riskiness of an institution’s portfolios and takes account of several different aspects: the intrinsic situation and riskiness of the institution, the institution’s position relative to its peers, and macro factors that may influence its risk profile. These aspects are reviewed in the three‑phase process mentioned above.

Figure 6

The three phases of risk level (quantitative) assessment

Phase 1

This information/data gathering phase allows the JST to maintain up-to-date information on an institution’s activities, risks and processes. It is also an initial opportunity to identify the materiality of the risk factors and sub-categories that will be assessed in Phase 3.

The “materiality” of an institution’s risks is taken into account for two main reasons: (i) to identify those activities and risks which are critical for an institution’s ability to ensure sound management and coverage of its risks; and (ii) to focus supervisory work and decisions on those activities that entail risks which threaten the institution’s capacity to operate, either in the short term (viability) or in the medium to long term (sustainability), and its ability to cover and manage its risks.

A “material risk” is defined as a risk that would have an impact on the “prudential elements” of the institution if it materialised. The materiality of a risk reflects both size and riskiness. Depending on the category, size and riskiness, the materiality is either separable (e.g. in the case of credit and market risk) or inseparable (e.g. in the case of operational risk).

The materiality of a risk is taken into account at three different levels in the SREP:

  1. When assessing the business model and profitability
    The main activities of the institution are initially reviewed from a holistic point of view in order to identify activities which may threaten the institution’s prudential elements (especially its future profits, its capital adequacy, and its liquidity position).
  2. When assessing the risk level of a risk factor category
    Phase 1 starts with a more detailed check to determine whether the category could be considered non-material in special cases. Scores assigned at the end of Phase 3 reflect the materiality of a risk.
  3. When combining risk category scores: the overall SREP score should reflect the institution’s ability to bear and manage its risks (especially the material ones)
    The data gathering phase also allows the JST to look at an institution relative to its peers. SSM institutions are classified by business model to allow further comparisons. JSTs can also complement their analysis by referring to other peer groups that they deem relevant.

Phase 2

This automated anchoring phase involves an intrinsic assessment based on a number of pre-defined indicators/criteria that are applied to all institutions in a systematic and comparable way. The objective is to systematically review the situation at an institution against a selection of identical quantitative indicators that European banking supervisors deem relevant, so as to foster consistency of assessment within the system.

Each underlying indicator is associated with a score ranging from 1 to 4 corresponding to defined thresholds. For reasons of availability and consistency, indicators are calculated on the basis of regulatory reporting. When choosing the indicators and the corresponding thresholds, a balance had to be struck between accuracy and simplicity so that they could be applied to a very large population of institutions with different business models. The relevance of the indicators, thresholds and aggregation rules is monitored and back-tested ex post on a regular basis and updated as deemed appropriate.

In all cases, data quality is key for institutions to be able to properly manage their risks and for supervisors to be able to reliably assess institutions.

Phase 3

This main assessment phase reviews a broad range of quantitative and qualitative information coming from a wide range of sources to provide a more accurate picture of an institution from a quantitative perspective, and to shed light on its relative position vis-à-vis its peers and the environment in which it operates. This complements the limitations of the standardised assessment performed in Phase 2. Results are expressed by means of a rationale summarising the assessment and a score.

The JSTs then adjust the Phase 2 risk level score on the basis of this Phase 3 intermediate score, following the constrained judgement approach.

Common scores for the assessment of the risk level

1 = “Low”: There is no discernible risk of significant impact on the prudential elements of the group or its entities, given the inherent risk level.

2 = “Medium-low”: There is a low risk of significant impact on the prudential elements of the group or its entities, given the inherent risk level.

3 = “Medium-high”: There is a medium risk of significant impact on the prudential elements of the group or its entities, given the inherent risk level.

4 = “High”: There is a high risk of significant impact on the prudential elements of the group or its entities, given the inherent risk level.

3.2.2 Considerations in relation to adequate management and controls: risk control

A risk control (RC) assessment refers to the adequacy and appropriateness of (i) an institution’s internal governance/risk management and (ii) the risk management and controls that are in place at the risk factor level. This includes assessing how institutions monitor their risk exposures, identify the measures that need to be taken, and assess the adequacy of their internal policies, organisation and limits.

Category-specific risk control arrangements that are assessed need to be consistent with the general internal governance/risk management at the level of the institution.

Figure 7

The three phases of (qualitative) assessment of risk control

Phase 1

The information gathering phase involves assembling relevant data and information on the key features of an institution’s risk control/internal governance environment.

Phase 2

This phase checks whether an institution’s internal governance and risk control framework formally complies with the key requirements of the applicable regulation, technical standards and key guidelines issued by the EBA.

For risk controls related to capital and liquidity risks, the focus includes, but is not limited to, four main sub-categories: (i) governance, (ii) risk appetite, (iii) risk management and internal control, and (iv) internal audit.

For internal governance, the focus includes, but is not limited to, three main sub‑categories: (i) internal governance, (ii) risk management and risk culture, and (iii) risk infrastructure, data and reporting.

In all cases, data quality is key for institutions to be able to properly manage their risks and for supervisors to be able to reliably assess institutions.

Phase 3

In this main assessment phase, the JST assesses how the governance and control framework works in practice. This involves reviewing the adequacy of the governance and control framework in the light of the scale and complexity (business model, organisational structure, etc.) of the institution, and the degree to which the framework is embedded in its operational processes.

The JST performs an in-depth analysis of Phase 2 non-compliance areas, notably by considering questions such as the following:

  • What are the reasons for non-compliance?
  • Is the non-compliance confirmed and does it constitute a breach of regulatory requirements?
  • Are there mitigating factors?
  • What could the supervisory response be?

In addition, institutions may formally comply with Phase 2 requirements and still be assigned a high risk score in Phase 3: weaknesses may arise from aspects that were not covered by Phase 2 or, more importantly, control mechanisms may not work properly.

The JSTs assess each sub-category, identifying underlying reasons for the score assigned (key strengths and deficiencies, mitigants and other relevant corrective factors). This content is meant to be indicative of the type of assessment required to assign the score.

Although the competence to supervise credit and financial institutions as regards money laundering and the financing of terrorism (AML/CFT) lies with national authorities, and the ECB’s supervisory tasks explicitly exclude AML/CFT supervision, in line with the applicable legal framework[14], the ECB should consistently factor money laundering and financing of terrorism (ML/FT) risks into its relevant supervisory activities, taking into consideration the input of AML/CFT supervisors. In this context, the ECB has developed an approach aimed at identifying and reflecting AML/CFT-related concerns and associated prudential warning signals in its prudential supervision, leveraging the information exchanged with national AML/CFT authorities under the different legal frameworks.[15] Based on the insights gained in such exchanges, the ECB incorporates prudential concerns in relation to AML/CFT when assessing an institution’s business model (Element 1), internal governance and risk management (Element 2), operational risk (Element 3, Block 1), credit risk (Element 3, Block 1) and risks to liquidity (Element 4).

Common scores for the assessment of risk control

1 = “Strong control”: There is no discernible risk of significant impact on the prudential elements of the group or its entities, given the quality of management, organisation and controls. The level of risk management and control is high. The risk management and control framework is clearly defined and fully compatible with the nature and complexity of the institution’s activities.

2 = “Adequate control”: There is a low risk of significant impact on the prudential elements of the group or its entities, given the quality of management, organisation and controls. The level of risk management and control is acceptable. The risk management and control framework is adequately defined and sufficiently compatible with the nature and complexity of the institution’s activities.

3 = “Weak control”: There is a medium risk of significant impact on the prudential elements of the group or its entities, given the quality of management, organisation and controls. The level of risk management and control is weak and needs improvement. The risks are insufficiently mitigated and controlled, leaving an excessive residual risk. The risk management and control framework is poorly defined or insufficiently compatible with the nature and complexity of the institution’s activities.

4 = “Inadequate control”: There is a high risk of significant impact on the prudential elements of the group or its entities, given the quality of management, organisation and controls. The level of risk management and control is very low and needs drastic and/or immediate improvement. The risks are not – or only inadequately – mitigated and are poorly controlled. The risk management and control framework is not defined or is not compatible with the nature and complexity of the institution’s activities.

A more granular set of risk control scores was introduced for the first time in SREP 2021 for the assessment of internal governance and risk management (Element 2).

3.2.3 Combining risk level and risk control assessments

The assessments of a category’s risk level and risk control are combined to provide a “combined assessment”.

For each risk category relating to capital and liquidity, risk level and risk control scores are aggregated. Starting from the basis that a risk control score of 2 (“adequate control”) is “neutral”, in which case the combined score is identical to the risk level score, some combinations require the application of supervisory judgement.

  • If risk control is “strong” (i.e. 1), the JST may choose to assign a combined score that is identical to or better than the risk level score.
  • If risk control is “weak” (i.e. 3), the JST may choose to assign a combined score that is identical to or worse than the risk level score.
  • If risk control is “inadequate” (i.e. 4), the JST may choose to assign a combined score that is worse than the risk level score.
  • For Element 3 (risks to capital), the assessments of individual risk categories are subsequently combined using a weighted average to produce an overall assessment of capital-related risks.

3.2.4 The overall assessment

Once the four elements have been assessed, supervisors assign an overall SREP score ranging from 1 to 4. In line with the EBA Guidelines on SREP, this overall SREP score represents a supervisory view on the overall viability of the institution based on an aggregate view of the threats to viability.

The overall SREP score should take account of the outcome of the assessments of individual risks: higher scores reflect an increased risk to the viability of the institution stemming from one or more features of its risk profile, including its business model, its internal governance framework, and individual risks to its solvency or liquidity positions.

The JST can then adjust this anchoring overall SREP score by applying constrained judgement based on: (i) the JST’s knowledge of the institution, (ii) peer comparisons, (iii) the macro environment in which the institution operates, (iv) the institution’s capital/liquidity planning to ensure a sound trajectory towards full implementation of the CRR/CRD IV, and (v) the SSM’s risk tolerance. It may want to reflect in the overall SREP score weaknesses identified during the SREP that it considers particularly important for the institution.

The aim is to provide a holistic assessment of an institution’s risk profile and, if need be, determine the most appropriate supervisory measures: own funds requirements, liquidity requirements, or other qualitative supervisory measures. As regards additional own funds requirements, the holistic approach is expanded on by taking a closer look at institutions’ individual risk drivers.

3.3 Decision: SREP decisions and their communication

3.3.1 SREP decision

The SREP decision is taken under Article 16 of the SSM Regulation and is issued following a hearing (see Article 22(1) and Article 31 of the SSM Framework Regulation). It must be duly reasoned (see Article 22(2) of the SSM Regulation and Article 33 of the SSM Framework Regulation).

SREP decisions are adopted by the Governing Council via the non-objection procedure on the basis of complete draft decisions proposed by the Supervisory Board and may include the following:

Own funds requirements

  • Total SREP capital requirement composed of Pillar 1 minimum own funds requirements (8%) and additional own funds requirements (Pillar 2 requirements – P2R)
  • Combined buffer requirements

Institution-specific quantitative liquidity requirements

  • LCR higher than the regulatory minimum
  • Higher survival periods
  • National measures

Other qualitative supervisory measures

  • Additional supervisory measures stemming from Article 16(2) of the SSM Regulation (such as the restriction or limitation of business, a requirement to reduce risks, restrictions on or prior approval for the distribution of dividends, and the imposition of additional or more frequent reporting obligations)
  • Pillar 2 guidance expressed as a CET1 ratio add-on

3.3.2 Capital requirements

If a SREP assessment shows that the arrangements, strategies, processes and mechanisms implemented by the credit institution and the own funds held by it do not ensure sound management and coverage of risks, the ECB may impose a Pillar 2 requirement (P2R) and Pillar 2 guidance (P2G). The ECB sets P2G above the level of binding capital requirements (minimum and additional) and on top of the combined buffers. If a bank does not comply with its P2G, this will not result in automatic action by the supervisor and will not trigger any limitations on the distributable amount. However, the ECB will closely monitor institutions that do not comply with P2G and will consider whether – and, if so, which – measures are to be taken to address the specific circumstances at the bank.

Banks also need to consider the systemic buffers (G-SII, O-SII and systemic risk buffers) and the countercyclical buffer in the capital stack.

Figure 8

Capital stack

In order to assess the final measures to be taken, the Supervisory Board will assess every instance of a bank not complying with its P2G and may take appropriate bank‑specific action as deemed necessary.

As part of the Pillar 2 framework, qualitative outcomes of the stress test are taken into account in the determination of the P2R, especially for the risk governance element.

ECB Banking Supervision has refined its approach to setting the P2R to reflect the new elements covered in CRD V[16] and the EBA Guidelines on SREP. As a result, the holistic approach used to determine the P2R has been expanded by looking more closely at institutions’ individual risk drivers, which should be addressed through additional capital requirements. In this regard, the ICAAP assessment and supervisory benchmarking constitute key steps for determining the P2R.

Details on How the Pillar 2 requirement is set

As regards the determination of P2G, ECB Banking Supervision has, in line with recent guidance from the EBA, introduced a new methodology which allows a better understanding of the use of stress test results within the SREP and removes previously applied P2G floors. This methodology applies a bucketing framework consisting of a two-step approach. The first step allocates banks to P2G buckets on the basis of their maximum CET1 capital depletion in the stress test. The second step then allows supervisors to incorporate bank-specific criteria/information. The inclusion of bank-specific information results in the final P2G, in most cases within the ranges of the bucket and exceptionally outside them.

Supervisors may, for example, consider the following sources of information when setting P2G as part of a holistic approach:

  • The starting point when setting P2G is, in general, the depletion of capital in the hypothetical adverse scenario (quantitative outcome).
  • JSTs take into account the specific risk profile of the individual institution and its sensitivity to the stress scenarios.
  • Interim changes in the bank’s risk profile since the cut-off date for the stress test and measures implemented by the bank to mitigate risk sensitivities (such as relevant asset sales) are also considered.

Details on Leverage ratio Pillar 2 guidance

3.3.3 Supervisory dialogue

The core objective of the SREP supervisory dialogue is for the JST to communicate the draft outcomes of the SREP assessment to the institution, explaining the quantitative and qualitative outcomes and expectations that will be included in the SREP decision.

As a key element of the supervisory dialogue, it is recommended that JSTs organise a number of meetings – either physical meetings or conference calls – with the management body of the institution to present the conclusions of the SREP and the measures set out in the draft SREP decision. This allows the institution to understand how it has been assessed and the areas where it needs to improve. The intended effect of this dialogue is to foster robust communication and to give the institution the opportunity to ask questions and address any uncertainties.

The adoption of a SREP decision follows the standard ECB decision-making process as laid down in Article 26(8) of the SSM Regulation, i.e. a draft decision by the Supervisory Board is adopted by the Governing Council via the non-objection procedure.

SREP decisions must state the reasons on which they are based.[17] This enables institutions to identify areas where improvements are needed more urgently and plan effective remedial actions in a timely manner. Moreover, institutions must have an opportunity to be heard before SREP decisions are adopted[18] (see the SSM Supervisory Manual).

Finally, an operational letter to banks (the “Executive Letter”), which accompanies the SREP decision, has been introduced since SREP 2021. The aim of this letter is to increase focus and transparency regarding the key supervisory concerns and the main risk drivers to be addressed by the P2R.

The assessment of an institution’s business model is split into two parts: (i) business model viability, and (ii) business model sustainability.

An institution’s business can be impaired – and, accordingly, its ability to generate profits and growth can be adversely affected – not because of a particular risk but owing to the sheer nature of the institution’s business model. The risk of such scenarios occurring is called “business model risk”. This outcome may stem from factors within the institution (e.g. inefficient design or pricing of key products, inadequate targets, reliance on an unrealistic strategy, excessive concentration of risk, poor funding and capital structures, or insufficient execution capabilities), but it may well also result from external factors (e.g. a challenging economic environment or a changed competitive landscape).

Business model viability is the ability to generate acceptable returns from a supervisory perspective over the next 12 months. Business model sustainability is a more forward-looking concept that refers to an institution’s ability to generate acceptable returns over an entire cycle.

The business model assessment (BMA) is aimed at creating a sound understanding of the functioning of the institution. It provides insights into the key vulnerabilities of an institution on a forward-looking basis. The identification of key vulnerabilities is likely to help identify specific risks to solvency and liquidity that are material to the institution and should, therefore, support the assessment of other SREP elements.

In conducting a BMA, the JST needs to:

  • identify the materiality of business areas (geographical locations, subsidiaries/branches and business lines/products – or divisions if business line profitability and forecasts are not readily available);
  • assess the viability of the institution’s business lines, also compared with its competitors;
  • assess the sustainability of those business lines over an entire economic cycle.

The business model assessment is performed in three phases:

Figure 9

The three phases of the risk level assessment for a business model

Business model risk is only assessed from a quantitative (risk level) perspective. Phase 1 serves to identify the institution’s business model and the materiality of its business areas (geographical locations, subsidiaries/branches, business lines/products or divisions, depending on the information available). Information is gathered to provide an up-to-date picture of the institution’s major business areas. Furthermore, institutions are assigned to peer groups.

Phase 2 assigns the institution an automated score based on profitability indicators. The objective is to assess whether the institution can achieve adequate returns.

Phase 3 analyses the viability and sustainability of the institution’s business model over the medium term and over the cycle. Instead of focusing purely on past profitability, other indicators are used to better reveal the vulnerabilities of different business models. The objective is to assess, for instance, what could happen to the profitability of the business area in an economic downturn, what the counterbalancing measures could be and whether there is an appropriate balance between the business strategy and the risk appetite. This phase results in an overall assessment of the institution’s business model risk that can lead to the Phase 2 score being adjusted in line with the constrained judgement rules.

As the economic and regulatory environment keeps evolving, the SREP business model assessment methodology is updated regularly, for example to reflect challenges posed by climate risks and digitalisation to the sustainability of institutions’ business model.

Details on the Business model Assessment SREP Methodology

This section analyses risk management and internal governance at a group-wide level. It serves as an overall review of the institution’s operational and organisational structure, the overall risk control and risk management framework and the technical architecture supporting the risk management framework and practices. The assessment covers three main aspects:

  • the institution’s internal governance framework (including its organisational structure, management body, risk management and compliance functions, and internal audit function);
  • its risk appetite framework and risk culture, including remuneration policies;
  • its risk infrastructure, data aggregation and reporting.

This element adopts a broad perspective with a view to assessing an institution’s overall organisational competence and capacity. This does not include a detailed assessment of the controls for specific risks to capital, liquidity and funding for each specific risk category. The risk control framework at the risk category level is expected to be consistent with the firm-wide governance and risk management control framework.

Details on the Internal Governance and Risk Management SREP Methodology

The JST’s determination of the capital needed by the institution to cover its capital‑related risks relies on three “building blocks”. This makes it possible to analyse the institution’s capital position from three different and complementary angles. The assessment of each block is broken down into precise steps, which allows the JST to exercise judgement based on its knowledge of the institution.

6.1 Block 1: Assessment of risks to capital

In Block 1, an assessment of the risk levels and risk controls is carried out by the JST for the four capital-related risks: credit risk, market risk, operational risk, and interest rate risk in the banking book. For each of these risks, risk levels and risk controls are assessed in three complementary phases: (i) a data/information gathering phase (Phase 1); (ii) a scoring phase (Phase 2) based on pre-defined indicators (risk level) or compliance checks (risk controls); and (iii) a supervisory assessment phase (Phase 3). Scores calculated in Phase 2 can be adjusted by the JST in Phase 3 to a certain extent in line with the principle of constrained judgement. Phase 3 assessments must be justified and documented and are subject to horizontal consistency checks.

For each risk category, the risk level and risk control assessments performed in Phase 3 are combined to achieve a combined rationale and a combined score. Then the assessments of individual risk categories are combined to form an overall assessment of the capital‑related risks.

6.1.1 Block 1: Credit risk

Credit risk is defined as the possibility that an institution could suffer losses stemming from an obligor’s failure to repay a loan or otherwise meet a contractual obligation in accordance with agreed terms.

For most institutions, loans are the largest and most obvious source of credit risk. However, credit risk may also arise from other activities, whether booked in the banking book or the trading book, on or off-balance-sheet. For instance, institutions face credit risk or counterparty risk through various financial instruments, including acceptances, interbank transactions, trade financing, foreign exchange transactions, forward contracts, swaps, bonds, equities, options, the extension of commitments and guarantees, and the settlement of transactions.

The aspects that typically need to be considered when reviewing an institution’s credit risk are as follows:

  • the size of credit exposures/activities;
  • the nature and composition of the credit portfolio, including its concentration;
  • the evolution of the credit portfolio;
  • the quality of the credit portfolio;
  • the credit risk parameters, including internal ratings-based ones (e.g. probability of default, loss given default and credit conversion factors) and other internally estimated parameters;
  • credit risk mitigants and coverage.

Details on the Credit risk SREP methodology

6.1.2 Block 1: Market risk

Market risk is defined as the risk of losses in on and off-balance-sheet positions arising from movements in market prices or from inaccurate determination of their fair value on the balance sheet with an impact on profits and losses or on the capital position of the institution. It covers the risk arising from:

  • risk factors underlying the instruments held: interest rate risk (excluding positions in the banking book), equity risk, credit spread risk, foreign exchange risk (including the gold position) and commodity risk (including precious metal positions);
  • features of the positions taken: valuation risk related to complex and illiquid positions, non-linear risk and gap risk;
  • the relationship with the counterparty to the transactions: credit valuation adjustment (CVA) risk and other valuation adjustments (xVA) risk;
  • risk management practices of the institution: hedging strategies, basis risk and concentration risk.

Details on the Market risk SREP methodology

6.1.3 Block 1: Interest rate risk in the banking book

Interest rate risk is an institution’s exposure to unfavourable movements in interest rates. IRRBB includes the interest rate risk that arises from potential changes in interest rates that adversely affect an institution’s non-trading activities.

The IRRBB assessment comprises two complementary analyses:

  • analysis from an economic value perspective, which focuses on how changes in interest rates affect the present value of the expected net cash flows;
  • analysis from an earnings perspective, which focuses on the impact that changes in interest rates have on near-term earnings.

Institutions should demonstrate their capacity to identify and assess the different components of IRRBB (i.e. gap risk, basis risk and option risk), which can be defined as follows:

  • Gap risk is the risk arising from timing mismatches in the maturity (for fixed rates) and repricing (for floating rates) of assets, liabilities and off-balance-sheet short and long-term positions, or from changes in the slope and the shape of the yield curve.
  • Basis risk is the risk that arises when exposures to one interest rate are hedged using exposures to another rate that reprices under slightly different conditions.
  • Option risk (or optionality) is the risk that arises from options where the institution or its customer can alter the level and timing of cash flows, including embedded options (e.g. consumers redeeming fixed-rate products when market rates change). This optionality can be either automatic (i.e. the holder will almost certainly exercise the option if it is in the holder’s financial interest to do so) or behavioural (i.e. the decision to exercise depends not only on interest rates but also on client behaviour, which is often expected to change as interest rates change).

6.1.4 Block 1: Operational risk

Operational risk is defined as the risk of losses resulting from inadequate or failed internal processes, people and systems or from external events.

This definition includes legal risk, compliance risk, conduct risk, model risk (for models not relating to other SREP risk categories) and information technology (IT or ICT) risk, but excludes strategic and reputational risk. Nevertheless, reputational risk should be assessed together with operational risk given the strong links between the two. Operational risk is broken down into seven event types:

  • internal fraud;
  • external fraud;
  • employment practices and workplace safety;
  • clients, products and business practices;
  • damage to physical assets;
  • business disruption and system failures;
  • execution, delivery and process management.

As the economic and regulatory environment keeps evolving, the SREP internal operational risk methodology is updated regularly, for example to reflect the primary drivers of this risk, including, among others, cyber and ICT risks, as well as other risks related to disruptive events hindering the operational resilience of the bank.

6.2 Block 2: Challenging an institution’s internal assessment of its capital needs

In Block 2, the JST assesses the institution’s internal processes for managing its capital adequacy (ICAAP). This assessment is performed from both a qualitative and a quantitative perspective. The objective is to assess whether the institution’s ICAAP is sound and proportionate to the nature, scale and complexity of the institution’s activities, checking, for instance: (i) how the institution identifies, measures and aggregates its risks; (ii) how the ICAAP is embedded into its daily management processes, including the role of the management body, as well as the roles of internal control, validation and audit as part of the governance framework for the ICAAP; and (iii) how the forward-looking perspective is considered, e.g. in capital planning. The ICAAP assessment should also inform the internal governance and risk management assessment. In addition, the review of both qualitative and quantitative aspects of the ICAAP plays a significant role in the supervisors’ determination of additional capital requirements.

For further details on the ECB’s ICAAP expectations, please refer to the ECB Guide to the internal capital adequacy assessment process (ICAAP), published in November 2018.

6.3 Block 3: Challenging an institution’s internal estimates of capital under stressed conditions

In Block 3, the JST assesses the institution’s capacity to cover its capital needs from a forward-looking perspective, assuming stressed economic and financial developments. This is done using a wide range of information sources, including the institution’s internal stressed projections, the SSM’s stressed supervisory calculations, and the outcome of supervisory (bottom-up and/or top-down) stress tests when available.

Institutions usually rely on a wide range of internal stress tests and sensitivity analyses to determine their capital trajectory and their ability to raise own funds at a certain horizon. This helps them to identify backstop actions that may be warranted at an early stage should adverse scenarios materialise. An institution’s ICAAP risk taxonomy is expected to be the same overall under both normal and stressed conditions, even if additional risks may be identified under stressed conditions that are not relevant under normal conditions.

When reviewing these stress tests, the ECB follows the principles and recommendations established by international supervisory bodies in line with the ECB Guide to the internal capital adequacy assessment process (ICAAP).

6.4 Risk of excessive leverage

Basel III introduced the leverage ratio as a non-risk-based backstop to address the risk of excessive leverage (REL). As of June 2021, the fifth Capital Requirements Directive (CRD V) and the second Capital Requirements Regulation (CRR II) impose additional own funds requirements in the form of a Pillar 2 requirement (P2R-LR) to address the REL which is not covered or not sufficiently covered by Pillar 1 requirements.

The assessment of REL covers the areas of contingent leverage – the risk of an unexpected increase in leverage ratio exposure, regulatory arbitrage and items excluded from P1R-LR – and is focused on five risk drivers:

  • contingent leverage originating from derivatives and securities financing transactions (SFTs);
  • contingent leverage originating from off-balance-sheet items;
  • contingent leverage originating from step-in risk;
  • window dressing;
  • institution-specific risks in exposures excluded from P1R-LR.

Each risk driver is assessed only if it is identified as material on the basis of pre-defined indicators.

6.5 Capital adequacy assessment

The assessment of an institution’s capital adequacy is a quantitative assessment of its capacity to comply with all of its regulatory capital requirements, guidance and other capital needs. JSTs assess to what extent the capital situation of a bank raises doubts concerning its ability to sustainably follow its business model, considering the normative and the economic perspectives, both in the current situation and over the medium term, under normal and stressed conditions.

The assessment leverages on other SREP assessments, including Block 1 assessments of risks to capital, the Block 2 assessment of the ICAAP and the Block 3 assessment under stressed conditions. For the forward-looking part of the assessment, banks’ capital plans are challenged and adjusted, where needed.

As with capital-related risks, the JST’s assessment of the institution’s ability to cover its liquidity and funding-related risks relies on three “building blocks”. This makes it possible to analyse the institution’s liquidity and funding position from three different and complementary angles. The assessment of each block is broken down into precise steps, which allows the JST to exercise judgement based on its knowledge of the institution.

7.1 Block 1: Assessment of risks to liquidity

In Block 1, the JST assesses the risk levels and risk controls for short-term liquidity risk and funding sustainability risk in three complementary phases.

Liquidity is the ability of an institution to fund increases in assets and meet obligations as they become due, without incurring unacceptable losses. The fundamental role of credit institutions in the maturity transformation of short-term deposits into long-term loans makes them inherently vulnerable to liquidity risk, which (i) is institution-specific in nature and (ii) affects markets as a whole. Effective liquidity risk management helps to ensure that institutions are able to meet cash-flow obligations, which are uncertain as they are affected by external events and the behaviour of other agents.

Risk level scores for short-term liquidity risk and funding sustainability risk are combined at the end of the process to produce a single score for liquidity risk.

A single risk control assessment is performed for short-term liquidity risk and funding sustainability risk and one combined risk control score is assigned.

The final outcome is summarised in an overall Block 1 liquidity risk rationale and score. This reflects the dynamic nature of short-term liquidity and funding risks, which can materialise very rapidly and therefore need to be assessed at a relatively granular level depending on the overall risk appetite.

7.1.1 Block 1: Short-term liquidity risk

Short-term liquidity risk is the risk that an institution will be unable to meet its short-term financial obligations when they fall due. Obligations can be payment obligations (i.e. obligations to deliver cash) or obligations to deliver collateral (assets). The risk generally arises when an institution faces outflows that exceed its inflows and is not able to generate enough liquidity with its counterbalancing capacity over a horizon of up to one year. Therefore, potential maturity mismatches in cash and collateral flows across regions, currencies and netting arrangements need to be assessed.

An institution’s short-term liquidity risk is assessed from two different perspectives:

  • its cash and collateral needs arising from contractual and behavioural cash payment and collateral delivery obligations;
  • its available counterbalancing capacity.

Both need to be assessed at the relevant point in time, at a certain horizon, and over the cycle. The forward-looking assessment needs to factor in both normal and stressed economic conditions.

7.1.2 Block 1: Funding sustainability risk

Funding sustainability risk is the risk that an institution is unable to fund its balance sheet in a sustainable way in the medium to long term. This includes the capacity to roll over maturing funding and increase liabilities at any time to cover refinancing needs. Factors such as a poor capital position, an unclear business strategy, a negative rating outlook or a negative perception on the part of investors can restrict access to funding markets and thereby increase the risk.

A balanced funding profile will, to a certain extent, shield an institution from market disruptions. Institutions must therefore strive to maintain the right balance between short-term and long-term, secured and unsecured funding and their different funding sources (in terms of counterparties, instruments, costs, currencies and markets). A weakness in one area (e.g. a high concentration in certain funding segments, excessive maturity mismatches or high levels of asset encumbrance) can exacerbate an already stressed situation in terms of cumulative liquidity and refinancing requirements.

An institution’s funding sustainability risk is assessed from two different perspectives:

  • its medium to long-term funding needs;
  • its capacity to raise the necessary funding over time.

Both need to be assessed at the relevant point in time, at a certain horizon, and over the cycle. The forward-looking assessment needs to factor in both normal and stressed economic and financial market conditions.

7.2 Block 2: Challenging an institution’s internal assessment of its liquidity needs

In Block 2, the JST assesses the institution’s internal processes for identifying and estimating the liquidity needed to cover its own risks (ILAAP). This assessment is performed from both a qualitative and a quantitative perspective. The objective is to assess whether the institution’s ILAAP framework is reliable, checking, for instance: (i) how it identifies its risks; (ii) how the ILAAP is embedded into its daily management processes (e.g. looking at the roles of internal control, validation and audit as part of the governance framework for the ILAAP); and (iii) how the quantification models are constructed, controlled, acted upon, etc. It also has a forward-looking perspective. The ILAAP assessment should inform the assessment of internal governance and risk management. The outcome of the Block 2 assessment should be taken into account when assigning the overall liquidity adequacy score and when considering the imposition of liquidity measures.

For further details, please refer to the ECB Guide to the internal liquidity adequacy assessment process (ILAAP), published in November 2018.

7.3 Block 3: Challenging an institution’s internal estimates of liquidity under stressed conditions

In Block 3, the JST assesses the institution’s capacity to cover its liquidity needs from a forward-looking perspective, assuming stressed economic and financial developments. After finalising the assessment, the JST should consider whether there is a need to impose liquidity measures on the credit institution. SREP measures should reflect weaknesses and vulnerabilities identified in the liquidity risk assessment, which can be either qualitative or quantitative in nature (or both).

Liquidity stress tests play a key role in the quantitative assessment of institutions’ liquidity needs and their ability to continue their operations through periods of stress. For one thing, liquidity stress tests serve to challenge the internal stress tests that are developed by the institutions themselves. Moreover, when combined with such internal stress tests, they help to identify inherent liquidity and funding risks faced by an institution in a forward-looking manner. The liquidity stress test framework adopts a top-down approach, leveraging the reporting of supervisory data.

7.4 Liquidity adequacy assessment

The liquidity adequacy assessment combines the conclusions of Blocks 1, 2 and 3 in a single score. Thus, the JST’s assessment is formalised in a single rationale and score. There is no mechanical rule to follow when assigning the score. Rather, the different characteristics presented in score definitions are to be regarded as typical for the scores they are associated with. JSTs should judge all elements assessed under this category from a holistic perspective and assign the score that, overall, best reflects the liquidity adequacy situation.

In particular, quantitative measures should be considered when there are material risks that are not covered by the LCR and the institution is not adequately mitigating these risks via its ILAAP.

© European Central Bank, 2023

Postal address 60640 Frankfurt am Main, Germany
Telephone +49 69 1344 0
Website
www.bankingsupervision.europa.eu

All rights reserved. Reproduction for educational and non-commercial purposes is permitted provided that the source is acknowledged.

For specific terminology please refer to the SSM glossary (available in English only).

HTML ISBN 978-92-899-6359-6, ISSN 2811-6895, doi:10.2866/387557, QB-09-23-002-EN-Q




Source link

Leave a Response