Governance, operational resilience, and business models remain crucial for banks in an environment of rising rates and digital banking

In an interview, Korbinian Ibel, Director General at the European Central Bank (ECB), shares insight on how bank-specific direct supervision works, what the current risks and challenges are, and priorities to look out for in the coming years.

What does the Banking Supervision arm of the European Central Bank do? Find out about its policies, methodologies, practices, and activities on its website. To learn more about how Banking Supervision is organised, see details here.

The ECB has organised bank-specific direct supervision in three directorates, based on the business model of the supervised banks:

1. Directorate General Universal & Diversified Institutions (DG/UDI) includes all the universal banks and all the diversified lenders (around 40 banks);
2. Directorate General Systemic & International Banks (DG/SIB) includes the largest and systemic banks;
3. Directorate General Specialised Institutions and LessSignificantInstitutions (DG/SPL) includes specialised lenders, and the institutional and sectoral oversight.

When looking at the three areas involved in bank-specific direct supervision, are there differences in terms of risk mapping or in the way banks are supervised?

There is no difference in terms of risk mapping, but there is a difference in the approaches we take when we address the risk. A joint supervisory team (JST) is composed of ca. 1/3 ECB and 2/3 NCA/NCB staff. The JSTs for each global systemic and international bank (GSIB) is larger than the JST for the universal and diversified institutions (UDI). Also, in DG/UDI we supervise business models which are not as complex as those of the globally systemic banks.

Still, the risk types we address are the same, and the largest bank in DG/UDI has nearly 1 trillion-euro assets. Within DG/UDI we have a wide geographical spread of banks – 14 European countries – from Finland to Cyprus. There are great differences among these institutions, and we use a proportionate approach in our supervision. We engage a lot of the specialists from the Directorate General Horizontal Line Supervision (DG/HOL) when our JSTs need additional specialised skills.

The Single Supervisory Mechanism (SSM) recently published its supervisory priorities for 2023-2025. The focus on strengthening banks’ resilience remains and the EU institutions should address deficiencies in their credit risk management frameworks to boost their resilience to potential asset quality deterioration and to swiftly identify and mitigate any build-up of risks. The SSM is now also highlighting the funding risks, as sound planning and diversified funding sources can help banks maintain reliable access to funding, also if funding conditions should become less favourable in the future. In addition, the SSM will continue ensuring that banks address deficiencies in digitalisation strategies effectively and strengthen their management bodies’ steering capabilities. Banks’ governance will always be a priority in banking supervision. Digitalisation is extremely important for the SSM: as supervisors, we will focus on ensuring that banks have sound strategies and adequate arrangements in place to address the challenge. Deficiencies in operational resilience frameworks, including IT and cyber security, and in risk data aggregation and reporting are also in the SSM focus. Finally, stepping up the efforts to address climate change is a clear priority for the SSM and last year we had both a stress test and a thematic review in this area. EU banks have made great efforts and much progress in this area when compared to a few years ago.

How will the SSM approach its direct supervisory practices in the environment of growing interest rate risk banks have? How will the SSM monitor these risks in the coming months and years? In terms of leverage, operational resilience, and cost effectiveness, what are your expectations towards banks’ management? Do you see this context preventing banks in the euro area from consolidation?

When inflation and interest rates started to increase last year, the SSM performed a review on a wide sample of banks, focussing on rising interest rates’ risks. In the short term, higher rates will increase the net interest income (NII) for most banks. At the same time, this can negatively affect the banks’ economic value of equity, especially if banks have locked-in fixed interest rates for long term assets (e.g., the mortgage book), while the short-term funding reprices faster. In the medium term, such an “asset sensitive” exposure, produced by the sensitivity of the banks’ assets to interest rates being higher than the liabilities’ one, might worsen long-term earnings and capital adequacy prospects, which in turn undermines the sector’s ability to attract investments.

Banks make use of internal models when assessing their exposure to interest rate risk, in particular to account for changes in customer preferences and behaviours on some particular balance sheet components (e.g., non-maturing deposits, loan prepayment, etc.). Banks, in this respect, are expected to carefully calibrate the time window over which the estimation of their model is performed to account for periods of both high and low interest rates as consumer preferences may change when the macro-economic conditions shift away from the “low for long” rate environment and extraordinary monetary policy support is withdrawn. Now, as rates are rising fast, deposits rates start rising too, and institutions may start competing for deposits more aggressively. The higher the rates, the more attractive the deposits’ rate, the greater the competition to attract new depositors. There is no clear trend we can detect now although we cannot disregard the risk that there might be new players entering the financial industry and try to aggressively attract deposits from established banks. For instance, if a big tech with a well-established platform enters this market, it will have already a large customer base, which constitute a competitive advantage, without being burdened by legacy assets locked in with lower rates, which sets the ground for the possibility to offer higher returns to the customers. If this happens, banks will realise that their deposit models might have been too optimistic and will have to reprice their deposits much more than anticipated in the models while the asset side will be locked in with lower rates products.

The deposit modelling is a very specific topic which deserves full Management Body’s attention. They might benefit from making themselves better aware of the content of their behavioural deposit models. That is why we raised this point in our recent deep dives. We have identified outlier banks and the banks with the most aggressive modelling had a discussion with us in order to raise their awareness.

Operational resilience is a very big topic for us as well. If one looks at the media reports, most big issues do not happen because of a cyber-attack, but because of a new software release or an internal update gone wrong. Operational resilience must cover these internal issues as well as externally driven events and we as supervisors put a lot of efforts there. For example, the backup data centre and the primary data centre should not be geographically too close. Too close in this sense refers to being at risk to be affected by one single event. And this is not only subject to physical distance, but also to the conditions of the environment. In effect, banks should be able to continue to provide their services even in adverse situations: for example, in unexpected weather conditions or floods, in case of internal mistakes, but also if cyber-attacks happen. In our supervision we apply regulation from the European Banking Authority (EBA), for example on ICT and Security Risk Management, but also the Principles of Operational Resilience from the Basel Committee on Banking Supervision. And we expect that banks apply these regulations. We perform intrusive on-site inspections covering this risk area, and the JSTs, in their daily discussions with the banks, also assess whether banks apply the regulations. We also have a cyber-incident reporting process where banks must report significant cyber incidents to the ECB. All of this is normal supervisory day-to-day business.

We see that the degree of outsourcing and the use of cloud services is heavily increasing, IT outsourcing grew by 14% and cloud expenses grew by 45% last year alone. Outsourcing is a crucial element for banks. If a cloud service would stop working, whatever the reason, many banks might find themselves in a very unpleasant situation. And since there are not many cloud providers, the potential concentration risk should be carefully considered.

During the years of ongoing onsite inspections, has the ECB noted improvements in the quality of data provided by the significant European banks? Is there a particular area there where deficiencies still exist and how can banks approach these more constructively?

While we can observe some improvements in the area of risk data management, overall there is less progress than expected. Gaps vis-à-vis to supervisory expectations still exist and the push towards further advancement needs to continue. Accurate risk data availability is critical for the bank management, as much as it is for supervisors. The nature of new risks is usually that they are not known a priori, so one doesn’t know which data are needed. Therefore, banks need to have their data ready in a way to slice and dice flexibly. The capability of constructing and deconstructing bank’s risk exposures in the IT systems is essential.

Limitations in the IT systems and in human interfaces exist. Asking front office workers to add data they do not see any use for, usually doesn’t lead to perfect data quality. Therefore, the more banks use correctly designed and tested automation in this area, expand their access to information from several sources, assign clear responsibilities and promote a data culture, the better the quality of information likely becomes. In this sense, the real solution lies in an advanced fit-for-purpose IT architecture that does not rely on a lot of manual intervention and effective governance arrangements.

We fully appreciate that changing and modernizing an IT architecture takes much time, money, and effort. Therefore, this will remain as one of our clear supervisory priorities also in the future. While we are aware of all the difficulties, we still expect banks to do more.

We observe increased ability of banks to deliver quick and solid risk data today, which is the result of the right decisions of the banks management in the last decade. Financial entities which focused on modular IT strategies and had enough resources to implement them, are in a better position today.

The ECB has been focusing on sustainability, digitalization, and governance for some time now. Do you see these areas keeping their prevalence in the supervisory approach of SSM? What developments (if any) do you expect in the OSI’s and IMI’s methodology in relation to these three points? What changes should banks anticipate regarding SSM’s supervisory priorities in 2023?  Finally, will the ECB issue new guidance?

The ECB will always develop further in the areas of sustainability, digitalisation, and governance, as they are “evergreens” in supervision. Every day there are new changes in the environment, and a good governance develops and adapts accordingly. We also constantly need to adapt our supervisory methodologies. If we look at digitalisation, this is a very broad and heterogenous topic. We don’t only care about the front end in our work on digitalisation. We are looking at the degree of digitalisation of the entire bank, including the straight-through process capabilities.  Banks need to continue their digital transformation, while adequately identifying and mitigating risks, including by keeping their systems safe, resilient, and sound.

Presently, we have coordinated on-site inspections on cyber security, and in 2022 we also started with coordinated on-site inspections focused on digital transformation. With this coordinated approach, we have clusters of onsite inspections with aligned scopes and conducted using the same methodology within a certain time window. Afterwards, we consolidate the results to take a horizontal view on the outcomes of the inspections.

The Prudential Regulation Authority (PRA) is putting together a new “Strong and Simple” regulatory regime in the UK and has also consulted on its own cut of Basel 3.1. These developments indicate that there could be a lot more regulatory divergence between the UK and EU than before. How would this divergence impact the supervision of branches or subsidiaries of UK banks operating in the EU, and vice versa?

We understand that this special regime would apply to small domestic banks and it’s for the UK only. There is no expected influence on the EU banks. We expect the UK to largely follow the globally agreed Basel rules for their internationally active banks. But the jury is still out: in both the UK and the EU the legislative process is still ongoing, and we need to wait and see the final outcomes on both sides of the Channel, before we will get a better view on the regulatory divergences. That said, we will ensure that any activities of UK-based entities in the EU – be it through subsidiaries or branches – is properly supervised,

We expect from their entities, which operate in the EU and have risk here, to maintain their risk management here as well.

The ECB, together with the EBA, has recently voiced that those deviations from Basel standards decided at the EU level could harm banks reputation and competitiveness. If those deviations were to be maintained in the final legislative text, especially on credit risk, should we expect the ECB to correct this bias via pillar 2 capital requirements?

We should faithfully implement Basel III. When implementation is not done properly, we cannot rule out the Basel Committee labelling the EU to “non-compliant” (the lowest possible rate) with the Basel rules. We should deliver an implementation of the Basel rules as close as possible to the internationally agreed standards in order to be seen by our international peers as a trusted partner. If not, in the end the European banks will be paying the price, as international investors will put a discount on the numbers of European banks.