The ECB maintains its view that On-Site Inspections (OSIs) are a key element of its supervisory toolbox. The ECB applies OSIs to the entire range of supervisory priorities like credit risk or newer focus areas such as operational resilience. As previously described in our article, the experience of the 2025 SREP cycle is also a reminder that – if not remediated – weaknesses identified via OSIs can pave the way to escalation measures.

Given the intensity of OSIs and their material implications for banks, understanding the ECB’s current focus areas is key to effective preparation and prioritisation. Recent conversations with clients lead us to believe that the following areas will be among the likelier subjects for OSIs going forward.

Credit risk

Ensuring prudent risk-taking and sound credit standards is one of the ECB’s core priorities for 2026-2028. Credit risk OSIs are expected to focus on key elements of loan origination and credit underwriting such as collateral valuation, risk-based pricing, data quality, and documentation. Refinancing risk measurement, underwriting practices and early warning systems (EWS) have also been identified as needing improvement. With specific reference to credit underwriting, and considering rising geopolitical risk and competitive pressures, the ECB has stressed the importance of identifying vulnerabilities early on and has decided to carry out a thematic review in 2026, including a targeted data collection, focused on the underwriting metrics that properly capture the quality of new lending.

Potential areas of weakness for banks may include:

• Inconsistent IFRS 9 and credit risk frameworks, such as arbitrary overlay management, weak capture of forward-looking risks, and variable staging and provisioning.
• Poorly defined reporting, monitoring and remediation, with under-developed early warning systems that rely almost entirely on, for example, ratings or simple quantitative triggers.
• Deficiencies in the quality and timeliness of reporting, including fragmented data flows and inconsistent information.
• Weak controls supporting credit risk identification and mitigation, with unclear or overlapping roles and responsibilities.

Climate and nature risks

Similarly to the above, the ECB has identified the prudent management of climate and nature-related (C&N) risks as a key priority and increasingly uses OSIs (either on a standalone basis or as part of reviews of other risks) to assess whether banks effectively identify and manage short-, medium- and long-term risks stemming from climate change and nature degradation. Supervisory scrutiny focuses on the integration of C&N risks into governance, risk management frameworks and business decision-making, as well as the remediation of shortcomings identified through other supervisory initiatives.

Potential areas of weakness for banks may include:

• Weaknesses in risk identification, modelling and quantification (subject to significant underestimation), including data gaps and methodologies which underestimate actual exposures across portfolios or geographies.
• Incomplete integration of C&N risks into governance, risk appetite, credit processes or capital and liquidity planning.
• Insufficient capabilities to manage C&N risks over different time horizons, including limited use of scenario analysis and limited ability to assess impacts on the business model or portfolios.

In these areas, supervisors are expected to follow up on the shortcomings as part of their regular supervisory activities.

Furthermore, in line with CRD VI requirements, banks will be required to develop prudential transition plans, to be reviewed by supervisors in accordance with the EBA Guidelines on the management of ESG risks. The ECB will apply a gradual and targeted approach, focusing on the new elements introduced by the Guidelines.

Digital and operational resilience

Supervisors have already conducted DORA-focused OSIs in countries including Spain, Germany, Belgium and Greece. These are more demanding than previous ICT risk inspections and increasingly focus on the real-world effectiveness of digital and operational resilience frameworks, including cybersecurity and third-party risk management capabilities.

Supervisory teams are concentrating on key elements of ICT risk management frameworks (e.g. adequacy of policies, KPIs to track progress against the DORA strategy, integration with critical ICT third-party providers and “exit” strategies); ICT operations and security (e.g. vulnerability management, backups and recovery processes); ICT incident management (e.g. the quality of incident detection, escalation and reporting); and business continuity planning (e.g. the depth of business impact analysis and resilience testing).

Potential areas of weakness for banks may include:

• Absence of a consistent end-to-end view of operational resilience across ICT risk, operations, incident management and business continuity management (BCM).
• Underdeveloped ICT incident processes, with BCM frameworks not fully aligned with ICT risks or third-party dependencies, and testing that is limited in scope and realism.
• Incomplete KPIs, thresholds and monitoring mechanisms, limiting the timely identification of emerging ICT risks.

BCBS 239 compliance and Risk Data Aggregation and Risk Reporting (RDARR)

Long-standing deficiencies in the quality of banks’ RDARR remain one of the ECB’s “prioritised vulnerabilities” for 2026 and 2028, with a particular focus on ensuring that banks comply fully with BCBS 239 principles. Key focus areas are (i) management effectiveness, board accountability and the clarity of governance; (ii) appropriateness of key data quality controls and data quality reporting; (iii) timely reporting under stress and ad-hoc reporting capabilities; (iv) reconciliation with finance data; and (v) the completeness and traceability of data lineage. Any BCBS 239 OSI will scrutinise these areas.

Potential areas of weakness for banks may include:

• Inconsistent or ineffective data quality controls and data quality reporting, with heavy reliance on manual processing and data shortfalls that cut across, for example, the three lines of defence.
• Delays in regular reporting cycles and limited capacity to produce ad-hoc risk reports.
• Inability to establish clear data lineage across all critical data elements, or to do so without considerable effort.

RWA calculation and CRR III implementation

Recent months appear to have seen an increase in OSIs focusing on RWA calculation and CRR III implementation, affecting large institutions in, for example, Germany and Spain. These demanding inspections have scrutinised the calculation, documentation and validation of own funds and the calculation of risk-weighted assets; regulatory change management processes; governance frameworks around own funds and capital adequacy calculations; and supporting tools in areas such as suitability, reliability, data quality and data integrity.

Potential areas of weakness for banks may include:

• Weak control frameworks around RWA calculations, stemming from, for example, incorrect exposure classifications, risk-weight allocations or collateral valuations, especially considering the increasing role that the standardised approach will play in determining banks’ solvency, including through the calculation of the new output floor.
• Inconsistent interpretation of regulatory requirements, resulting in weaknesses in the implementation of requirements across portfolios and methodologies.
• A need for stronger governance around regulatory data inputs, such as procedures to mitigate manual errors, outdated information and process gaps.

Other risk areas

To complement the above, observations across our network point to a number of additional areas that feature in OSIs, such as:

• Business model and profitability: focusing on profitability drivers, pricing and cost allocation practices, business plan assumptions and projections, especially considering geopolitical and macroeconomic pressure.
• Digitalisation: focusing on banks’ digital transformation efforts, governance and controls around new technologies, and related risk management to support competitiveness and sustainable transformation.
• Liquidity and funding risks: covering liquidity risk governance frameworks and liquidity stress testing frameworks.
• Market risk: pertaining to valuation adjustments, independent price verification, limit frameworks and FRTB readiness.
• IRRBB/CSRBB: including deposit behaviour models, prepayment and option modelling, and NII simulation frameworks.
• Compliance function: focusing on the effectiveness of internal procedures, AML/CFT control frameworks, monitoring and escalation processes, and the role of the function in risk-relevant decision-making.

Looking further ahead, there are also signs that digitisation, and especially AI, could be the subject of future OSIs. Although we do not yet know how they might work, we would expect that OSIs could be used to scrutinise banks’ AI-related strategies, governance and risk management, including whether governance and control frameworks are effectively embedded in the operational use of AI, rather than existing only at a policy or conceptual level.

In conclusion, banks should expect OSIs in 2026 and beyond to focus on a handful of probable risk areas. They should also remember that any identified weaknesses could trigger SREP score changes and a range of steps on the ECB’s escalation framework. Understanding expectations, anticipating likely OSI procedures, and concentrating resources on the right areas are essential to effective preparation.

Our people

Omar Mauri, Senior Manager, KPMG ECB Office, KPMG in Germany

Lorenzo Macchi, Partner, Head of Financial Services and Head of Banking & Finance, KPMG in Italy