The European Central Bank’s priorities for 2024: where do we stand after the first quarter?

The European Central Bank (ECB) issued the SSM supervisory priorities for the 2024-2026 cycle on 19 December 2023. They sum up what institutions under the direct supervision of the ECB should expect in terms of areas of supervision, in 2024 notably, and allow firms to prepare themselves for forthcoming onsite inspections or thematic reviews. Please also read our previous article on these priorities 2024-26 here.

The ECB grouped its priorities into three different pillars, tackling all main issues which currently affect banks. Work has already started in the first quarter of 2024 on the different topics of the supervisory canvas to provide appropriate answers to such issues. We discuss in this article the progress made in the first quarter of 2024 by the ECB and broader SSM for each of the three pillars and highlight foreseen areas of focus for the rest of the year. The year started with significant ECB supervisory activities across all priority areas.

Considering the need to strengthen resilience to macro-financial and geopolitical shocks, and in the context of the adoption of CRR3 – CRD VI, the ECB focussed its first quarter on how credit risks, market risks and counterparty credit risks shall be dealt with through internal models.

The ECB also continued to focus on enhancing the banks’ management and governance of climate-related and environmental risks. In February, the SSM underscored the significance of a comprehensive Pillar III ESG report and explored various avenues to achieve it. For this purpose, the ECB is expected to publish in June 2024 Pillar III KPIs.

The SSM priorities also constitute a milestone to recall the need to accelerate digital transformation and build robust operational frameworks. On 3 January 2024, the ECB announced the launch of its significant stress test exercise, designed to test the ability of banks to recover from cyber-attacks and to better monitor digital risks as a whole.

Pressure is increasing on banks to comply with supervisory expectations. The ECB is now moving towards a greater use of the escalation mechanisms available, including imposing more financial penalties for banks with serious shortcomings. Banks can expect this, especially for areas where Pillar 2 capital add-on does not provide sufficient incentive for action.

Eric Cloutier, Partner – Global Head of Banking Regulations, Mazars

Priority #1: Strengthening resilience to immediate macro-financial and geopolitical shocks

The ECB begins by assessing banks in light of growing geopolitical tensions and the broader impacts of the current macroeconomic conditions, such as inflation. Indeed, during economic slowdowns, debtors such as corporations and households may face challenges in servicing their debt. As such, credit risk remains a top priority for the ECB.

The concentration of real estate risks in the EU banking sector, and the high volume of such lending in some banks’ balance sheets, continue to raise significant concerns for the ECB. The ECB therefore continues to monitor the downward pressures on real estate and the potential impacts on banks it supervises. The ECB also continues to monitor the variations of such risks between jurisdictions, both for commercial real estate (CRE) and residential real estate (RRE).

For example, concerns continue to mount in the commercial real estate sector following the recent challenges faced by the US NY Community Bank and EU Pfandbriefbank, which both face high exposure to CRE. Additionally, RRE is facing negative trends in many European countries due to imbalances between supply and demand exacerbated by rising borrowing interest rates, rendering variable-rate loans less able to pay their debt obligations. The ECB continues to require banks to closely monitor these risks in banks, with an emphasis on refinancing risks and the accuracy of collateral valuations.

Against this backdrop, banks will also need to prepare themselves for the forthcoming implementation of the Basel III final agreement text in the EU regulatory framework, via the so-called ‘CRR3-CRDVI’. In that regard, new methodologies proposed in the legislative package to address risks of credit exposures to real estate will allow banks to better assess the capital needed to cover these risks. IRB banks will have to adapt their credit risk modelling in response to forthcoming changes outlined in CRR3 and the ‘IRB repair’ roadmap. Regarding the latter, the EBA reiterated in August 2023 that the implementation of the requirements for loss given default (LGD) and credit conversion factor (CCF) models covering portfolios no longer eligible for the revised advanced internal ratings-based (AIRB) approach, i.e. large corporates, institutions and financial sector entities portfolios, may be postponed until the entry date[1] for CRR3. Within that period, institutions may also choose to apply for permission to return to a less sophisticated approach or for the permanent partial use of the standardised approach for those portfolios. To ensure these expected and fundamental evolutions, the ECB published on 19 February a revised guide to guarantee a common and consistent approach to matters related to internal models.

If this higher-rates environment may increase banks’ credit risk, it also allows them to earn more revenues. From an asset and liability management (ALM) perspective, shortcomings in the areas of governance and risk management will still be a top priority for the ECB. For instance, revised EBA guidelines on interest rate risk and credit spread risk of the banking book have been in force since the end of 2023 and will mark an important ground for the ECB to challenge banks’ ALM frameworks.

On the funding side, banks will need to review their funding plan and contingency plan to achieve diversified funding structures, as well as be able to withstand short-term liquidity shocks. When it comes to monetary policy, to assess banks’ preparedness for the phasing-out of the targeted longer-term refinancing operations (TLTRO), the ECB reviewed exit strategies in 2023. As a follow-up, the ECB will ensure that banks further diversify their funding sources, to that respect a targeted review of the reliability and soundness of funding plans will feed the 2024 SREP.

Priority #2: Boosting resilience in governance through the management of climate and environmental risks

The agenda for the integration of environmental, social, and governance risks (ESG) within the prudential risks framework continues to be developed. Large banks are already required to disclose information related to ESG risk management, their exposures to transition and physical risks, and in 2024 their KPIs of taxonomy-aligned exposures (‘GAR’ and ‘BTAR’ in short).

“Banks must enhance their climate and environmental risk management frameworks.”

Edouard Fernandez-Bollo, member of the Supervisory Board of the ECB

On 21 February, the ECB reminded in its newsletter of its role to assess banks’ compliance with Pillar III disclosure requirements, and the discrepancies banks are experiencing in the appropriate disclosure of climate-related and environmental risks. The SSM highlighted the general struggle to address the quantitative templates related to ESG disclosures, with a particular weakness in the assessment of physical risks in template five. Despite this, the ECB noted some efforts in the disclosure of complex templates, with banks collaborating to identify practices to facilitate disclosures. As such, the ECB will concentrate in the future on following those efforts for a better reporting of ESG risks through Pilar III.

When it comes to ESG risk management, the EBA is currently consulting on its draft guidelines on the management of ESG risks for supervisors and banks and will revise its guidelines on institutions’ stress testing in due course. It will allow significant banks to comply with expectations seven and ten of the ECB Guide on C&E risks and help them plan their transition towards a sustainable economy as per new amendments introduced by the CRD VI. By the end of 2024, banks should be fully in line with all expectations of the guide, notably when it comes to integrating C&E risks in the Internal Capital Adequacy Assessment Process (ICAAP). The ECB will remain prepared to use its full toolkit to ensure banks comply, such as periodic penalty payments or bank-specific capital add-ons.

Moreover, on banks’ risk data aggregation and reporting (RDAR), the ECB identified important areas for robust governance and effective processes to identify, monitor and report risks. In this regard, the ECB issued a draft guide focusing on seven key areas. The key deficiencies already highlighted by the ECB relate to a lack of oversight of management bodies, weaknesses in data architecture, fragmented IT landscapes, low capacity for aggregating data, and ineffective governance frameworks. The ECB will therefore ensure that banks make significant progress in remedying the long-standing shortcomings related to RDAR and will apply enforcements and sanctions from 2024 onwards.

Priority #3: Driving digital transformation for robust operational resilience frameworks

The outcome of the 2023 SREP has confirmed the prominence of banks’ deficiencies related to the management of IT outsourcing and Information and Communication Technology (ICT) and cyber risks. Therefore, a robust and resilient business model should count on an efficient digital transformation strategy. Yet it calls for several questions to be answered such as robust governance to support the development of digital transformation strategies; the ability of risk management to cope with ICT and cyber risks; and how is third-party risk managed. Digitalisation should strengthen banks’ competitive positions and make them more robust to competition coming from outside the banking sector. The ECB will thus keep focussing on digital transformation during targeted reviews and onsite inspections, leveraging on supervisory expectations on banks’ digital transformation going forward. In addition, as banks’ compliance with the so-called Digital Operational Resilience Act (DORA) regulation is due by January 2025, supervised entities will need to strengthen their operational resilience and management of critical third-party providers.

“DORA aims to achieve a high common level of digital operational resilience across European financial entities.”

Anneli Tuominen, member of the Supervisory Board of the ECB

Finally, as part of a two-year stress testing cycle, the ECB will conduct 2024 for the first time a cyber resilience stress test on supervised banks. The exercise will assess how banks respond to and recover from a cyberattack, rather than their ability to prevent it. This stress test will be only qualitative since it will not have any impact on the P2G (Pillar II guidance). The insights gained will however be used for the wider supervisory assessment in 2024. The ECB has already started the exercise in January and is still ongoing, with the main findings expected to be published during the summer of 2024.

At a time when most European banks reported robust year-end financial results in 2023, they are also faced with increasing risks and uncertainties. The supervisors are therefore expected to continue closely monitoring the risks mentioned above, and pressuring banks to rapidly remediate any gaps identified with their expectations for the diverse risks. Moreover, the ECB will continue to expect banks to adopt prudent distribution policies and be ready to improve their capital base. Risks associated with the materialisation of unrealised losses on mortgage portfolios for instance may have an important impact on prudential capital, therefore the ECB could force banks to adopt more conservative provisioning policies in that respect.

[1] According to latest developments it should be the 1st of January 2025.