
Freshfields Risk & Compliance


ECB Supervisory Priorities 2023 to 2025

On 12 December 2022, the ECB published the supervisory priorities for the Single Supervisory Mechanism (SSM) for the years 2023 to 2025. They reflect what the ECB and the national competent authorities (NCAs) have identified as the key risks and vulnerabilities that significant institutions face in the current economic, regulatory, and supervisory environment, also drawing on the outcome of the 2022 Supervisory Review and Evaluation Process (SREP). The SSM supervisory priorities are addressed to significant institutions that are directly supervised by the ECB. However, they are also intended to guide national supervisors in setting their supervisory priorities for less significant institutions.

The SSM Supervisory Priorities 2023 to 2025 cover the following areas:

  • Promoting resilience to immediate macro-financial and geopolitical shocks (Priority 1),
  • Addressing digitalisation challenges and strengthening management bodies’ steering capabilities (Priority 2), and
  • Stepping up institutions’ efforts in addressing climate change (Priority 3).

Below, we have summarised the key points:

Priority 1: Strengthening resilience to immediate macro-financial and geopolitical shocks

With Priority 1, the ECB addresses the current geopolitical challenges that the world economy faces. High uncertainties and downside risks are materially affecting the outlook for the European banking sector. The ECB stresses that institutions need to be prudent in developing and planning their business strategies, to monitor closely the risks associated with the fast-changing financial environment and to focus their efforts on risk management. The SSM’s top priority for the coming three years will, therefore, be to ensure that banks under its direct supervision strengthen their resilience to immediate macro-financial and geopolitical shocks.

The SSM aims to accomplish this on the one hand with the 2023 EU-wide stress test exercise, coordinated by the European Banking Authority (EBA), which is set to be launched at the end of January 2023. For the stress test, institutions are required to estimate the evolution of a common set of risks (credit, market, counterparty, and operational risk) under an adverse scenario. Banks are also asked to project the impact of the scenarios on main income sources.

The SSM’s main activities with respect to Priority 1 will include:

  • Targeted reviews of loan origination and monitoring, assessing compliance with the related EBA guidelines with a focus on residential real estate portfolios. For an overview on BaFin’s implementation of the EBA Guidelines on Loan Origination and new requirements in relation to real estate investments, please see our blogpost.
  • Targeted reviews of IFRS 9, including on-site inspection (OSI) campaigns on IFRS 9 – focusing on large corporates, small and medium-sized enterprises and retail portfolios – and on commercial real estate/collateral.
  • Targeted joint on-site/internal model investigations for some material portfolios in selected vulnerable sectors to assess the adequacy of the corresponding internal ratings-based (IRB) models, accounting models and credit risk management frameworks.

Another key aspect will be a review of the funding sources. The SSM has identified a lack of diversification in funding sources and deficiencies in funding plans as a prioritised vulnerability. Banks reporting a high concentration of funding sources should diversify their funding structure by developing and executing sound and credible multi-year funding plans, taking into account challenges stemming from changing funding conditions.

The SSM expresses this expectation only weeks after the ECB – in its monetary function – significantly changed the conditions of its TLTRO III programme, which used to provide for favourable and stable funding conditions for banks. This move by the ECB has already forced many institutions across the EU to assess alternative funding options. The expected repayments in this context will require banks to further diversify their funding sources and replace part of their central bank funding with more expensive and possibly shorter-term alternatives. Against this background, the SSM will perform a targeted review of TLTRO III exit strategies for selected banks which have a material reliance on this funding source and are more vulnerable to increases in market funding costs. This targeted review will be complemented by a broader analysis of banks’ liquidity and funding plans aimed at identifying weak practices and more vulnerable institutions, including targeted OSIs where appropriate.

Priority 2: Addressing digitalisation challenges and strengthening management bodies’ steering capabilities

As its second priority, the SSM has identified digitalisation and the risks that institutions face in this respect. The need for digitalisation of traditional bank business models has increased over the last years due to new tech-akin competitors, from inside (“FinTech”) but also outside the financial sector (“BigTech”), both of which challenge the business models of traditional institutions. The trend towards digital banking, be it in the area of payments or trading of securities or crypto-assets, has been further pushed not least by the COVID-19 pandemic and related social distancing measures imposed by governments.  

These developments must be effectively reflected in institutions’ internal governance and effective strategic steering by management bodies. Furthermore, a greater reliance on IT systems, third-party service providers and innovative technology raises significant challenges and risks for institutions.

The SSM has therefore identified four vulnerabilities that they prioritise in the next years:

  • Deficiencies in digital transformation strategies.
  • Deficiencies in operational resilience frameworks, namely IT outsourcing and IT security/cyber risks.
  • Deficiencies in management bodies’ functioning and steering capabilities.
  • Deficiencies in risk data aggregation and reporting.

1. Digital transformation strategies

Banks must have sustainable business models. This also requires them to identify and adapt to a change in the competitive environment. From an internal governance perspective, this requires putting in place adequate arrangements to develop and adjust their business strategies and risk models.

In 2022, the SSM has sought to better understand and benchmark the practice established by the institutions in this regard. Based on the results, the SSM will develop and publish their supervisory expectations on institutions’ digital transformation strategies over the next years. This approach will be accompanied by targeted reviews of banks and follow-up by the Joint Supervisory Teams (JSTs) with those banks with material deficiencies. Targeted OSIs will complement the SSM’s related work.

2. Operational resilience frameworks, IT outsourcing and IT security/cyber risks

A side-effect of the digital transformation process in institutions is their ever-increasing reliance on information technology (IT), which often involves outsourcing to third party service providers, including cloud service providers.

It is an already established supervisory expectation that banks have robust outsourcing risk arrangements as well as IT security and cyber resilience frameworks as part of their internal governance arrangements. The EBA has published Guidelines on outsourcing arrangements as well as on information and communication technology and security risk management, including cyber-attacks.

The ECB intends to collect data and review the outsourcing registers of institutions to identify interconnections between significant institutions and certain third-party providers and potential concentrations. This measure will be accompanied by targeted reviews of outsourcing arrangements, cybersecurity measures and IT risk controls as well as OSIs. These measures also prepare for the start of the DORA framework, which will impose a comprehensive set of rules concerning operational risks relating to information and communications technologies (including outsourcing) (see our blogpost for an overview) and which will apply from approximately the end of 2024.

3. Management bodies’ functioning and steering capabilities

In the context of digitalisation, but not limited to digitalisation from a substantial perspective, the SSM discusses the need for institutions’ management bodies to address deficiencies in their functioning and steering capabilities and implement sound remedial action plans in a swift manner.

The SSM takes the view that effective strategic steering is fundamental for the ongoing sustainability of the bank’s business model, including adaption to trends such as digitalisation and green transition. This includes the collective suitability of the board, expressed by knowledge, skills, experience, and diversity.

The SSM has identified deficiencies in relation to internal or national gender representation targets in management bodies. Furthermore, the SSM notes that the skill set available on the boards sometimes lacks diversified expertise, in particular in relation to IT and cyber risk and succession planning. Boards in their supervisory capacity (and committees) sometimes do not sufficiently oversee and challenge management functions. The SSM considers that missing formal independence in the management bodies of some institutions contributes to the latter point.

The ECB Banking Supervision has announced that it aims for improvement by way of targeted fit and proper assessments/reassessments and OSIs on the one hand, as well as updating the published supervisory expectations on governance arrangements and risk management on the other hand.

4. Risk data aggregation and reporting

Over the last couple of years, the ECB repeatedly identified deficiencies in institutions’ capabilities to aggregate and report risk data in sufficient quality as part of the annual SREP exercises. According to the ECB, shortcomings are mainly caused by limited oversight of management bodies, a lack of harmonisation of IT and missing capacity to aggregate data at group level. However, reliable quality and aggregation of risk data is crucial to effectively steer the institution and make sound decisions as well as effectively manage the institutions’ risks.

The SSM's expectations in this respect are mainly based on Basel principles and expectations published by the ECB in 2019.

The ECB Banking Supervision has concluded that the progress of banks to close these gaps has been slow and insufficient and that remediation plans have been of limited scope and ambition. The SSM therefore plans to increase its activities in this area, by refining and communicating the supervisory expectations, as well as working across JSTs and undertaking OSIs for banks with ongoing shortcomings. Furthermore, the ECB will continue its OSI campaign on risk data aggregation and reporting.

Priority 3: Stepping up efforts in addressing climate change

With Priority 3, the SSM highlights once more the need to address the challenges of climate transition. A large majority of banks have already acknowledged that they are exposed to climate risks. In the SSM’s view, the impact of climate change on banks is already visible and is expected to increase over the next years.

In the context of Priority 3, the SSM will:

  • Follow up on shortcomings identified in the context of the Thematic Review on Climate and Environmental Risks 2022 (the 2022 Thematic Review) and the 2022 Climate Risk Stress Test. In this regard, the ECB has already published a set of good practices for climate-related and environmental risk management observed in the 2022 Thematic Review. The ECB has announced that it will publish a report on good practices observed in the 2022 Climate Risk Stress Test still this year. The ECB generally expects full compliance by the end of 2024, whereby timelines are communicated directly to institutions.
  • Review compliance of banks with Pillar 3 disclosure requirements related to climate risk under Art. 449a CRR and the related ITS, which will set binding standards from 31 December 2022 onwards.
  • Review the reputational and litigation risks that selected banks are exposed to due to their climate-related and environmental strategies and risk profiles. The planned review will complement the ESA Call for Evidence on Greenwashing and draw a comprehensive picture of greenwashing risks in the banking sector (see our client briefing on liability risks for banks in this respect). The review follows a report from the Network of the Greening of the Financial Sector (NGFS) according to which supervisors must ensure that “financial institutions supervised by them adequately manage financial and operational risks resulting from potential climate-related litigation against themselves as well as against institutions to which they are exposed.”
  • Prepare for reviews of banks’ planning capabilities and readiness to implement the ESG-related mandates that are expected to be adopted as part of CRD VI. The current proposal provides, for instance, for the development of strategies and processes for the assessment of internal capital needs to cover the ESG risks to which the institution may be exposed over the short, medium and long-term horizons (Art. 73 f. CRD IV).
  • Focus on climate-related aspects as part of reviews of individual risks (e.g. credit risk, governance, business model) during their OSIs or conduct OSIs on a stand-alone basis concerning climate-related aspects.

In a statement published on 14 December, the BaFin has stressed that less significant institutions (LSIs) in Germany are not sufficiently prepared to manage climate and environmental risks adequately and found that none of the 17 institutions assessed by it was able to demonstrate emerging practices in this respect. BaFin notes LSIs should be guided by its Guidance Notice on Sustainability Risks and the Good Practices published by the ECB.