On 19 December 2023, the European Central Bank published the results of its Supervisory Review and Evaluation Process (SREP)[1] for 2023 and its supervisory priorities for the years 2024-2026[2]. The SSM supervisory priorities reflect ECB Banking Supervision’s medium-term strategy for the next three years. Set by the Supervisory Board, the priorities are reviewed annually, and rest on a comprehensive assessment of the main risks and vulnerabilities for supervised institutions. The priorities also factor in the outcome of the SREP, and progress made on the priorities from previous years.

The ECB contends that the 2023 SREP results highlight the insufficient progress achieved by some banks in tackling shortcomings in governance. This is especially the case in areas related to the functioning of and strategic steering by Boards, but also in their data aggregation and reporting (RDAR) capabilities. The failures of some US and Swiss banks during 2023 continued to emphasize the strong need for such remediation. The same is true in the context of steadily increasing climate and environmental (C&E) risks, the adverse impact of which is already being felt globally.

In what is referred to as Priority 2, the ECB expects banks to accelerate the effective remediation of shortcomings in governance, particularly certain material deficiencies in the functioning, oversight and composition of the Board of directors. Banks will be asked to step up their efforts and adequately reflect the relevant risk dimensions in their business strategies and risk management frameworks to fully comply with the corresponding supervisory expectations. The ECB emphasized that it will adopt, as necessary, measures such as capital add-ons, enforcement and sanctions, and reviews of fit and proper assessments, to incentivise banks’ effective remediation of the identified shortcomings and meeting of supervisory deadlines.

Deficiencies in the functioning and steering capabilities of Boards

The ECB has reiterated the crucial role of Boards and management, which have the ultimate responsibility for ensuring adequate internal governance arrangements and effective risk management processes. Boards need to recognise the need to steer their institutions strategically and for business models to embrace evolving trends, such as digitalisation and an accelerated green transition. While acknowledging that there have been improvements in the area of Board composition, collective suitability and the Board’s oversight role, more needs to be done. Although diversity policies have become more comprehensive, in terms of education, geographical, age and gender attributes, gender imbalance remains an issue, as evidenced in the lack of progress to meet certain gender targets. Banks also need to further improve the collective suitability of their boards, as well as their challenging capacity. The ECB singled out the insufficient number of formal independent directors, a lack of knowledge in specific areas like IT, insufficient time set aside for debate and concerns in the nomination processes of Board and management members. It also refers to the oversight role of Board committees as requiring more consideration. Within this context, it is pertinent to note that the ECB is expected to update and publish supervisory expectations on governance and risk management.[3]

Deficiencies in risk data aggregation and reporting

The ECB considers RDAR frameworks as providing support to the efficient steering by Boards and as tools to address supervisory expectations, including in times of crisis. It therefore emphasizes that timely and accurate risk-related data aggregation and reporting are essential for decision-making and strategic steering by banks, as well as for the purpose of risk, financial and supervisory reporting. The 2023 SREP highlighted insufficient progress in complying with the Basel Committee on Banking Supervision principles for effective risk data aggregation and risk reporting, particularly in terms of insufficient attention and oversight of Boards, weaknesses in data architecture and fragmented and non-harmonised IT landscapes, low capacity for aggregating, and ineffective governance frameworks. The ECB acknowledges that tackling RDAR-related deficiencies often requires significant resources but that nonetheless it should be at the forefront of an institution’s priorities. The ECB warns that a structured escalation mechanism, possibly including enforcements and sanctions, will be increasingly applied from 2024 onwards. The ECB, on its part, intends, amongst others, to refine supervisory expectations related to the implementation of RDAR principles and to publish in 2024 the Guide on effective risk data aggregation and risk reporting, whilst carrying out targeted reviews of RDAR practices.

Material exposures to physical and transition risk drivers of climate change

Unsurprisingly, C&E risks and ESG considerations feature prominently in the ECB’s priorities. While for some banks, the SREP 2023 revealed some improvement in defining their strategy with respect to C&E risks, others were found to be lacking. SREP qualitative measures focused mainly on banks’ weaknesses in strategic and operational planning and in the Board and management knowledge of ESG topics. Following the 2022 climate risk stress test and thematic review,[4] by the end of 2023, banks were expected to incorporate C&E risks in their governance, strategy and risk management, and finally, by the end of 2024, they are expected to meet all remaining supervisory expectations outlined in 2020[5], including full integration in the Internal Capital Adequacy Assessment Process (ICAAP) and stress testing. Another area of focus which the ECB will assess as regards C&E is the adequacy of banks’ disclosure practices of climate and environmental risks.

Although to varying degrees and extents, many of the considerations above are also highly relevant to the less significant banks (“non-ECB supervised banks”) considering that regulators are often guided or informed by the ECB’s approach to, and standards set in, fundamental areas such as governance. In addition, certain mentioned deficiencies, such as ineffective Boards and inadequate challenging of management, can constitute the root cause of vulnerability in any type of bank. Similarly, the regulatory scenario relating to risk data aggregation and reporting as well as climate considerations continues to evolve, and these are areas which will continue to be incorporated in supervisory activities of regulators.


Author: Catherine Formosa

4 January 2024


Footnotes

[1] The SREP is an annual exercise in which supervisors examine banks’ risks and produce capital requirements and guidance for each individual bank (which is in addition to legally required minimum capital). It assesses four main elements: the viability and sustainability of business models, the adequacy of internal governance and risk management, risks to capital and risks to liquidity and funding.

[2] https://www.bankingsupervision.europa.eu/banking/priorities/html/ssm.supervisory_priorities202312

[3] https://www.bankingsupervision.europa.eu/ecb/pub/pdf/ssm_supervisory_statement_on_governance_and_risk_appetite

[4] https://www.bankingsupervision.europa.eu/ecb/pub/pdf/ssm.climate_stress_test_report

[5] https://www.bankingsupervision.europa.eu/ecb/pub/pdf/ssm.202011finalguideonclimate-relatedandenvironmentalrisks
