SSM supervisory priorities 2024–2026

December 2023

On Tuesday 19 December, the European Central Bank (ECB) published its updated supervisory priorities for the years 2024-2026. This update stems from an extensive evaluation of the key risks and vulnerabilities confronting significant institutions under its direct supervision. It also takes into account the advancements achieved in addressing priorities from previous years, alongside the findings of the 2023 Supervisory Review and Evaluation Process (SREP).

The priorities begin with a positive tone this year – the ECB observed that banks have successfully managed the challenging macro-financial and geopolitical environment of recent years. Additionally, the progress banks have made in dealing with Non-Performing Loans (NPLs), coupled with the development of strong capital positions and liquidity buffers, has prepared them adequately to face various recent challenges. These challenges include the COVID-19 pandemic, disruptions in supply chains, and a series of recent bank failures.

However, banks and their supervisors must stay vigilant in the face of several emerging challenges. The volatility of funding sources and costs in the medium term, coupled with the potential for asset quality deterioration due to further geopolitical unrest, necessitates that banks continue to strengthen their credit risk management, as well as asset and liability management frameworks. Recent bank failures underline the urgency for banks to remedy shortcomings in governance, particularly in the areas of risk data aggregation and reporting capabilities. Aligning with the 2024 deadlines for climate-related and environmental (C&E) risks remains a critical task. Moreover, as banks increasingly turn to digital transformation to stay competitive, supervisory attention will also focus on emerging related threats, including cybersecurity risks and the continuity of critical services.

Against this background, as in prior years, the ECB states that though the supervisory priorities and activities set out in 2022 remain valid overall, a few adjustments have been made to sufficiently address the risks above.

The ECB priorities for 2024-2026 are once again threefold, each holding equal importance and backed by a comprehensive work programme to address the identified vulnerabilities within each priority, coupled with an overview of the planned supervisory activities. We have summarised the three priorities and the respective vulnerabilities they aim to address below: 

A recurring theme across all three priorities, is the ECB building upon its previous efforts over the last few years to steer banks towards the effective and timely remediation of any long-standing issues. Specific examples identified in the first priority include gaps in banks’ preparedness for dealing with a potential increase in distressed debtors and refinancing risks, signs of overvalued collateral in CRE portfolios, or not meeting expectations regarding asset and liability management (ALM) arrangements.

In the context of the second priority, the ECB also has noted some banks’ inadequate progress in addressing persistent shortcoming in governance, encompassing not only the functions of banks’ management bodies, but also their risk data aggregation and reporting (RDAR) capabilities. In line with statements made during the year, the ECB highlights again its readiness to use all the supervisory tools at its disposal (such as capital add-ons, enforcement and sanctions and reviews of fit and proper assessments). This language becomes even more stringent when discussing banks needing to be fully compliant with supervisory expectations for C&E risks by the end of 2024, mentioning again the possibility of penalty payments.

Lastly, the third priority focuses on guiding banks through their digital transformation. The ECB plans to release a new publication on supervisory expectations in this area, aiming to help banks address long-term risks and maintain their robustness amid competition in the digital sphere.

What do the priorities mean for banks and what do KPMG professionals recommend?

In alignment with the above, the ECB has outlined its key supervisory activities that it intends to undertake for each vulnerability. Banks have been requested to do the following – and KPMG Banking and Financial Services professionals have included, per priority, some key recommendations on what they can do now:

• Priority 1: Strengthen resilience to immediate macro-financial and geopolitical shocks
  • Prepare for targeted reviews concentrating on portfolio resilience, especially those more susceptible to the prevailing macro-financial conditions and exposed to refinancing risk. This includes a continuation of earlier targeted reviews on Residential Real Estate (RRE) and Commercial Real Estate (CRE) lending, along with initiating a new targeted review focusing on vulnerable Small and Medium-sized Enterprise (SME).
  • Continue to be prepared for an extension of previous on-site inspections, focusing on IFRS 9 collective staging and provisioning for SMEs, retail portfolios and CRE, including collateral valuations, as well as Counterparty Credit Risk Management.
  • Expect other types of activities including deep dives on forbearance and unlikely-to-pay policies, focus on overlays as part of IFRS 9 reviews, and additional scrutiny on internal model investigations and follow up.
  • Get ready to review – and, if needed, redevelop – liquidity and funding plans, contingency planning and adequacy of collateral optimisation capabilities, as well as ALM governance and strategies. For some banks, prepare for targeted on-site inspections (OSIs) in this space.
  • For banks that have not yet undergone a targeted review on interest rate and credit spread risks, expect increased activity in this space.
• Priority 2: Accelerate the effective remediation of shortcomings in governance and the management of climate-related and environmental risks
  • Prepare documentation and review policies around management bodies’ collective suitability and diversity, as well as risk culture and risk management in advance of the publication of supervisory expectations and best practices regarding banks’ governance and risk culture.
  • Be ready to discuss directly with the JST ongoing weaknesses in governance arrangements. Prepare for targeted reviews of bank management bodies effectiveness and in some cases OSIs.
    
  • Assess progress with respect to persistent risk data aggregation and reporting deficiencies, especially with respect to the draft supervisory expectations related to the implementation of risk data aggregation and risk reporting principles in 2023 and the final publication in 2024, and expect a continuation of the OSI campaign in the RDAR space.
  • Prepare documentation and adequate resources to respond to the annual questionnaire Production of the Management Report on Data Governance and Data Quality.
  • Expect further supervisory communication and targeted follow-ups regarding banks’ progress in aligning with supervisory expectations on C&E risks by the end of 2024.
  • Expect deep dives on banks’ capabilities of addressing reputational and litigation risk associated with C&E-related commitments. Targeted OSIs will continue on a stand-alone or as part of other on-site inspections (eg: Credit risk, operational risk, business model)
• Priority 3: Further progress in digital transformation and building robust operational resilience frameworks
  • Expect targeted deep-dives on digital transformation impacts, as well as JST follow-ups on material deficiencies.
  • Keep-in mind the new publication of supervisory expectations and sharing of best practices on digital transformation strategies.
  • For the 2024 system-side cyber resilience stress test, ensure that the entire organisation is ready for an intrusive and important exercise.
  • Continue to focus on ongoing activities regarding data collection and horizontal analysis of outsourcing registers, as well as targeted reviews and OSIs on this area.

In short, at a minimum KPMG professionals would advise banks to analyse the priorities, identify the most challenging areas and the ones where supervisory activities have been already communicated as part of their supervisory examination plans and develop action plans to prepare themselves in advance. Throughout 2023, the ECB has escalated its willingness to use the full supervisory toolkit at its disposal, including the use of penalty payment where progress is not adequate. The language in the 2024-2026 priorities reinforce this shift in focus – banks should look to have a pre-emptive approach to any persistent shortcomings in their own portfolios.