By Giorgio Bonomo, Sebastian
Schneider, Paolo Turchetti, and Marco Vettori
The first round of
Europe’s new supervisory process is in the books, and the next one is under
way. Banks are likely to face new challenges from heightened supervisory
expectations.
A new approach to bank
supervision is taking hold in Europe for banks within the purview of the Single
Supervisory Mechanism. This year’s stress tests of the European Banking
Authority (EBA) and European Central Bank (ECB) will soon be over. The results
will help shape this year’s Supervisory Review and Evaluation Process (SREP),
an approach that introduces three fundamentally new principles to banking
supervision: a forward-looking focus on the sustainability of a bank’s business
model (even under stressed conditions), an assessment system that uses industry
best practices as a guide, and an expectation that all banks eventually will
reach the same high standards.
Early this year, the ECB
announced its five supervisory priorities for 2016: business model and
profitability risk, credit risk, capital adequacy, risk governance and data
quality, and liquidity.1 This article will review the lessons from last year’s
process, explain the role of these priorities in this year’s SREP, and outline
banks’ responses. An adequate response is crucial; banks that score poorly may
face increased regulatory capital requirements and more intense supervisory
scrutiny in the future.
Success—but only a trial run
The first SREP took place in
2015, and supervisors have already told banks their findings. Critically, these
findings had the power of peer-to-peer comparison. Previous supervisory reviews
were conducted by different national authorities, using a range of practices,
which made it difficult to compare banks or to draw fair conclusions about
areas such as capital adequacy. The ECB now supervises the 129 largest banking
groups in the eurozone, or about 82 percent of the banking sector’s total
assets, through a common supervisory approach.
The 2015 SREP assessment was a
significant step forward in the creation of a level playing field for banks in
the eurozone, even if disclosures on the process followed and outcomes are
still limited. Bank supervisors are now able to use one yardstick to measure
the capital adequacy of banks in geographies where Pillar 2 implementation
lagged or where banks generally “ticked the box” rather than truly assessed
their capital resilience.
Banks came through the first
review with a broad range of outcomes, as expected from the first-time
application of a standard assessment after years of varied supervision. The ECB
reported in March that many banks did not yet have sound liquidity-management
plans, and capital adequacy remains a concern. But the process also led to the
creation of a cybercrime-incident database and a way for banks to report
cybersecurity lapses. In general, the new process was a learning experience.
Banks were required to devote more time and resources to manage extensive data
and documentation requests than ever before.
Our analysis shows that some of
the areas that are problematic in Europe have also been vexing US bank
supervisors: inadequate corporate governance and risk-management processes and
procedures, particularly as they relate to integrating a risk-appetite
framework into a bank’s strategic planning and operations, and inadequately
involved boards of directors with limited understanding of their
risk-management responsibilities. Coming from very different starting points,
it seems the regions are eventually converging toward common principles.
2016 priorities
Many banks may consider their
2015 SREP experience a success. But before they get too comfortable, they must
recognize that it was limited in scope. While certain topics—particularly the
risk-appetite framework, board-level governance, and cybersecurity—were in the
spotlight, the initial SREP was mainly a test run to get the processes in
motion. This year’s process is framed more broadly. Liquidity management and
capital adequacy, sticking points from the 2015 review, will be examined in
more detail. While no one yet knows the full impact of the recent Brexit vote,
we are assessing potential scenarios. The constant among them is that increased
market volatility will no doubt add further pressure on liquidity and capital
management. Other 2016 priorities include business models and profitability,
credit risk, and risk governance and data quality.
Beyond 2016, we expect the SREP
to continue to evolve. As supervisors delve deeper into banks across borders,
we anticipate that certain best practices will emerge that should be emulated.
Banks’ key processes (such as strategic and capital planning and day-to-day
decision making) will need to show a higher level of integration with
risk-management processes (for example, risk-appetite definition and stress
testing), and the latter will be subject to more robust use tests.
As their risk and business teams
engage with the 2016 priorities, detailed below, bank executives and boards of
directors will have to demonstrate to supervisors that they are in charge of
the SREP assessment dimensions. They should aim for strategic, material
improvements in risk management, rather than formal compliance. They should
project a positive outlook rather than solely focusing on defense of the status
quo. And they should make sure that their SREP efforts are centrally
coordinated, so that strategic implications are integrated into structural
decision making and investments are prioritized by their relevance to the
specificities of the business model. They must also be actively involved in
supervisory discussions, which will improve those relationships.
Viability of business models
Although bank profitability
slightly improved in 2015 and capital positions have further strengthened,
European banks continue to struggle with diminished profitability in the
ultra-low (or even negative) interest-rate environment. This is forcing banks to
transform their business models as they search for alternative sources of
income and re-base their cost structures. In fact, the German Federal Financial
Supervisory Authority said in May that banks might have to consider creating a
business model in which interest income plays only a minor role. While
investors tend to look solely at return on equity, supervisors want to make
sure that the business model and the returns it produces are sustainable, even
in an economic downturn.
To meet supervisory expectations
embedded in the SREP approach—in particular, in the pillar “analysis of the
business model”—we believe banks must upgrade their capabilities on three key
dimensions:
Strategic-planning process. Banks
need to demonstrate that they can promptly adapt their strategy to material
changes in the macroeconomic and competitive environment. To achieve this, the
annual strategic-planning and budgeting process will need to become more
dynamic. The coherence and consistency of the scenarios (baseline and stressed)
used for strategic planning and budgeting must be continually tested and a new
iteration needs to be triggered whenever such scenarios do not hold.
Models and methodologies for
projections. Projections used in banks’ balance sheets and profit-and-loss
statements have dramatically changed, mainly due to the Comprehensive Capital
Analysis and Review exercises. The so-called pre-provision-net-revenue models
(and all other macroeconometric models to project banks’ key economics) have
reached such a level of maturity and detail that they should no longer be
ignored when it comes to running core decision-making processes such as
strategic planning. Their value goes beyond compliance: they can provide banks
with superior understanding of the behavior of their business model under
different scenarios, which in turn will enhance more effective decision making.
Validation and back-testing.
While banks are accustomed to validating and back-testing models in areas such
as credit underwriting, they are not used to doing so in strategic planning. We
expect such validation and back-testing to become key elements in proving the
effectiveness of the strategic-planning and budgeting process. As an example,
banks may be asked to show that the number and materiality of deviations of
results versus budget and strategic plans decreases over time, or to
distinguish scenario-related deviations from those that stem from performance.
Credit risk: Profitability concerns from impaired assets
European banks also face
significant challenges from their high levels of impaired assets. A weak
economy has left banks in many countries with elevated levels of nonperforming
exposures (NPEs). These remain a concern and a potential inhibition to lending
growth and profitability. More important for individual banks, the level of
NPEs is seen as a key factor in SREP. Across the European Union, NPEs are close
to 6 percent of total loans and advances, and about 10 percent of exposures to
nonfinancial corporations. The general trend shows that the smaller the banks,
the higher the NPE ratios.
NPE levels are particularly high
in Southern Europe, as well as in several Eastern European countries. High NPEs
burn up bank capital, deteriorate funding costs, and reduce bank profitability,
all of which serves to dry up credit supply. Reducing NPEs quickly is crucial
to stimulating credit growth, especially for small and medium-size enterprises
that rely heavily on bank financing. But write-off rates for European banks
remain extremely low. Some national supervisors have allowed banks to deal with
large NPE backlogs through business-as-usual processes. In a positive
development, national stress tests in some jurisdictions, coupled with the
EU-wide comprehensive-assessment exercise, led to waves of write-downs. And
markets for distressed debt in Europe are slowly evolving, allowing the entry
of much-needed capital and expertise.
In the future, NPE levels will
remain the focus of supervisors who will want to see that banks can keep the
cost of credit risk under control. In the short to midterm, banks will want to
leverage both organic and inorganic strategies and review their workout
processes and tools to make sure they are in line with supervisory
expectations. Over the longer haul, a material upgrade of credit
risk-management capabilities will require strong investments in IT and
technology—and analytics, which will help banks select the most suitable
portfolios to meet investors’ appetites.
Capital adequacy and liquidity risks
Banks often think of these as two
sides of the same coin, and we will deal with both here. Banks must have
“robust strategies, policies, processes, and systems” to identify, manage, and
monitor liquidity and capital risks, according to the December 2015 draft
guidelines for the Internal Capital Adequacy Assessment Process (ICAAP) and the
Internal Liquidity Adequacy Assessment Process (ILAAP). Banks are expected to
design their own forward-looking, risk-based ICAAP and ILAAP frameworks, based
on both quantitative and qualitative factors.
We expect ICAAP and ILAAP to play
an increasingly important role within SREP. New EBA stress-testing requirements
clearly indicate that 2016 results will be used in SREP to challenge banks’ own
capital plans. Supervisors will also use benchmarking to derive top-down
indications on capital and liquidity adequacy. Ongoing discussions in Europe
also show an increasing skepticism from supervisors and investors about the
possibility of using Pillar 1 capital requirements to measure capital adequacy.
In this context, a sturdy ICAAP and ILAAP will represent the best chance for
banks to adequately measure (and report to the supervisor) their capital and
liquidity risks.
For ICAAP, a robust framework
should allow a reconciliation of banks’ internal stress-test results with
regulatory exercises (for example, based on the EBA methodology and scenarios).
Top management and the board should discuss the results to derive business
implications. Results should be made consistent with the inputs used for
risk-appetite setting and strategic planning, even if calibrated differently.
The findings should be easily disaggregated by risk type and business unit with
sufficient detail (for instance, at the portfolio level). Business-unit leaders
should have a proper understanding of risk drivers, as well as the opportunity
to challenge the results based on the outcomes of risk-identification exercises
conducted at the level of the first line of defense. Most institutions won’t be
able to reach such a level of integration with management processes without
first transforming data, infrastructure, models, methodologies, and their risk
culture. Banks will need a credible program to enhance these skills to meet
supervisory expectations.
Risk governance and data quality
Supervisors want to make sure
that banks are collecting the right risk data and delivering the right reports
to enable effective management and board decision making. Supervisors are
expected to focus on data aggregation and quality this year, as well as to
continue their ongoing thematic reviews of risk appetite and risk governance.
Large financial institutions,
particularly the globally systematically important banks, have already complied
with many of the requirements in the Basel Committee on Banking Supervision’s
2013 risk-data aggregation and risk-reporting guidance (BCBS 239), which were
due in January 2016. Most European banks have kept their BCBS 239 teams in
place, so that they can complete work on supervisors’ priorities, including
infrastructure transformation, quality-control systems (data and reporting),
automation, adaptability in times of stress, and regulatory-response
management. These teams can also ensure compliance with new regulatory
requirements (such as those arising from International Financial Reporting
Standard 9 and from Basel’s new Pillar 3 requirements and its Fundamental
Review of the Trading Book) and independently validate the program.
As the availability, timeliness,
and quality of risk information have improved, top managers and boards have
come to see that their banks are less skilled at anticipating risk. Complete
solutions rely on new infrastructure and models, as mentioned above, though
much can be done by just reengineering the current risk-identification and
measurement processes. Some institutions are moving in this direction by
setting up structured risk-identification and measurement exercises, conducted
at the first line of defense and coordinated by risk management.
Regarding risk appetite and
governance, banks must also focus on supervisory concerns from 2015 that they
have not fully addressed. We see three potential areas of attention.
To start, banks should integrate
the risk appetite with strategic planning and budgeting from the very start of
the strategic-planning process. While many banks have taken formal steps in
this direction, some still fall substantially short of compliance. Strategy and
risk teams should work together to formulate potential risk-return scenarios
for the contemplated strategic directions. These scenarios should produce
specific combinations of risk-return targets and limits and should take account
of stress tests. The scenarios should then be offered to the board for approval
prior to the articulation of a specific business/risk strategy.
Second, risk-appetite policies
and procedures must reach every business unit and portfolio level. This is a
challenge for many institutions, mainly because they haven’t come up with the
proper methodology and analytics to disaggregate risk targets and limits for
each business unit and then align these with the corporate center. We suggest
that banks act on several fronts, including improving risk-appetite metrics,
developing key performance indicators that can link to actual business drivers,
and double-checking that tools, policies, and strategies throughout the company
are consistent with the framework. Banks should also review business-unit
incentive systems and train line managers (and board members of subsidiaries,
where relevant) on the risk-appetite process.
Finally, the risk appetite must
cover all the potential risks a bank might face to avoid the possibility that
an overlooked risk could poison the entire risk-mitigation effort. One of the
lessons learned from the financial crisis was that the institutions that used
multiple measures of risk were able to avoid significant unexpected losses more
than those that focused on a limited set of key metrics. That is why it is so
important for banks to instill a consistent, forward-looking, and especially
multidimensional set of limits across risk types, legal entities, and business divisions.
Identifying uncovered risks and
developing metrics to monitor them is an enormous task; new risk categories
such as nonfinancial, strategic, and model risks are continually emerging.
Banks need to balance the trade-off between comprehensiveness of the risks
covered and effectiveness of the risk-appetite framework as a managerial tool
to steer the bank. A long list of metrics will most likely dilute the board’s
risk discussions, rather than enhance them. One possible way to manage risk
metrics is to consider a two-level risk-appetite approach. Management informs
the board on all the metrics for which it has defined a risk appetite; among
the rest, it selects only representative metrics for board reporting and
discussion. The remaining metrics may be tested each year to decide whether
they should be included, or reported only when certain thresholds are breached.
Perhaps the best thing that banks can do to be ready for SREP is to develop a consistent habit of self-assessment, so that they can identify their own best practices—and weaknesses—before examiners come knocking on the door. Providing a good outlook rather than just defending the status quo requires an integrated program on how to correct deficiencies, have clear sponsorship from top management, and create a positive track record on the advancements. Banks that are able to show that such elements are in place will be able to outperform in the assessment and will eventually be recognized as such by the market.