SSM supervisory priorities for 2024-2026: addressing identified vulnerabilities in banks

On 19 December 2023, the European Central Bank (ECB) published its updated Single Supervisory Mechanism (SSM) strategic supervisory priorities for the period 2024 to 2026. The priorities indicate what banks should expect in terms of supervisory activities in 2024.

For 2024-2026, the ECB supervisory priorities are built upon three main pillars:

  • Priority 1: Strengthen resilience to immediate macro-financial and geopolitical shocks
  • Priority 2: Accelerate the effective remediation of shortcomings in governance and the management of climate-related and environmental risks
  • Priority 3: Further progress in digital transformation and building robust operational resilience frameworks

These priorities were informed by the latest ECB comprehensive assessment, which identified numerous risks and vulnerabilities faced by the European banking sector. In the shorter term, the macro-economic and geopolitical environment may negatively impact banks’ assets quality but also elevate risks associated with liquidity, funding and interest rate risk in the banking book (IRRBB). The collapse of several banks in the US in Spring 2023 underscored the need for robust internal governance and effective risk controls in banks. Emerging risks, such as climate-related and environmental (C&E) risks as well as digitalisation, remain high on the agenda. The geopolitical environment also continues to accentuate the need to focus on information and communication technology (ICT) and related risks.

Moreover, the outcome of the ECB 2023 SREP identified weakness areas and deficiencies in banks supervised by the ECB, which will require supervisory attention next year. These include data aggregation and reporting, management body effectiveness, and compliance and risk management functions. In some of the supervised banks, a lack of progress or even deterioration was noted.

Priority 1: Strengthen resilience to immediate macro-financial and geopolitical shocks

Credit risks remain at the top of the agenda

Credit risk remains top of the supervisor’s agenda for next year. While banks’ asset quality remains resilient until now, early signs of deterioration are being observed. There are concerns that heightened geopolitical risks, inflation, and surges in the cost of living will continue to put downward pressure on the debt-servicing capacity of borrowers. The ECB also warned in its latest Financial Stability Review in November 2023 that further real-estate corrections could turn disorderly if not adequately managed.

Hence, the list of planned credit risks supervisory activities for the next year remains significant: 

  • Emphasis will remain on ensuring the adequacy of credit risk management frameworks and the early identification of credit deterioration (i.e., with further deep dives on forbearance and unlikely-to-pay policies).
  • Real estate will continue to be in focus, echoing this year’s activities in both residential and commercial real estate, with an emphasis on refinancing risks and accuracy of collaterals valuations.
  • A new targeted review of vulnerable SME borrowers will likely require significant amounts of data to prepare
  • IFRS 9 will remain an active topic, as it was this year. Banks will now be expected to have remediated any findings and shortcomings with their staging and provisioning, but also to demonstrate that their credit loss models are adequately capturing emerging risks.
  • The ECB will continue to assess progress with alignment of internal rating-based models with the new regulatory requirements.
  • Banks with significant counterparty credit risks exposures will need to prepare for further target onsite inspections (OSIs) on the topic, especially if prior findings have been communicated.

Banks will need to address shortcomings in asset and liability management (ALM) frameworks

Another important focus falls on how banks’ structure their funding in an environment of high interest rates and fast changing economic changes. This is particularly critical given the volatile behaviour of uninsured depositors observed during the spring banking turmoil in the US and which was accentuated by digitalisation and social media influence. In response to these trends, the ECB will continue to scrutinise banks’ funding and recovery plans and their strategies to withstand short-term liquidity shocks. Next year activities will include a series of targeted reviews and on-site inspections in this area. The ECB is also planning an OSI campaign on IRRBB.

Priority 2: Accelerate the effective remediation of shortcomings in governance and the management of climate-related and environmental risks

Governance as the cornerstone of good risk culture

Tackling deficiencies in management bodies has already been a top priority for the ECB for years. This necessity of having adequate bank governance was strongly reiterated in Andrea Enria’s speech. Robust internal governance, including effective oversight and suitable management bodies, is essential for preserving sound business models. Banks’ boards and management have a crucial role as they are responsible, amongst others, for ensuring adequate internal governance arrangements and effective risk management processes.

The ECB however underscored that insufficient progress has been made by banks to resolve their governance shortcoming. The ECB reiterated that more progress is required by banks in terms of the composition, collective suitability, and challenging capacity of their boards. The oversight role of banks’ boards committees also still requires improvement. Moreover, while most banks have targets to address gender imbalances in their management bodies, progress is still insufficient.

Next year, the ECB will continue its targeted reviews and on-site inspections on the effectiveness of banks’ management bodies.

Banks must correct their deficiencies in risk data aggregation and reporting (RDAR)

Significant deficiencies remain in banks’ compliance with the supervisory expectations, as defined by the Basel Committee on Banking Supervision principles BCBS 239. Following the publication of the ECB Guide on effective RDAR (final version in 2024), the ECB will perform targeted reviews on the topic in 2024, but also extend its OSI campaign started in 2023. The ECB will expect banks to be investing adequate time and resources to accelerate their progress in this area, starting with greater prioritisation on the topic by banks’ management.

Climate related and environmental (C&E) risks remains high on the agenda

By the end of 2024, banks are expected to fully comply with the ECB’s supervisory expectations as defined in its Guide of 2020, including the full integration of C&E risks into their Internal Capital Adequacy Assessment Process (ICAAP) and stress testing. Progress has been made in 2023, following a substantial level of supervisory activities performed in this area. However, some banks still demonstrate severe deficiencies, and many have been subjected to higher Pillar 2 requirements this year due to such inadequacies.

Next year the focus will be on further accelerating compliance. This will include targeted follow-ups on identified shortcomings, deep dives on capabilities for addressing reputational and litigation risks, and targeted OSIs on diverse aspects. Reporting and disclosure will also remain in focus.

Priority 3: Further progress in digital transformation and building robust operational resilience frameworks

Digital transformation remains an important long-term objective of the ECB, particularly with regard to business model strategy and risks mitigation from new or innovative technologies. Targeted reviews and OSIs will be conducted and, in addition, the ECB supervisory expectations on banks’ digital transformation will be published in 2024.

Operational resilience is another area where supervisory activities are heightened considering the current geopolitical environment and rise in cybercriminals’ sophistication. Targeted reviews and OSIs with focus on outsourcing arrangement, cyber resilience, and cyber security management will continue. Moreover, there will be a system-wide cyber resilience stress test next year which will require banks to demonstrate the robustness of their response and recovery capabilities.