Since the 2008 global financial crisis (GFC), supervisory monitoring of credit origination and servicing standards as well as consumer protection compliance has increased and COVID-19 presented the next catalyst. EU regulatory and supervisory authorities, including in the Banking Union and the European Central Bank (ECB), acting in its role at the head of the Banking Union's Single Supervisory Mechanism (SSM), are all stepping up thematic and firm-specific reviews of standards. The ECB-SSM had already undertaken extensive action on evaluating credit underwriting standards, as well as introducing rules on non-performing exposures and loans (collectively NPLs). Ultimately, EU supervisory authorities continue to apply increased supervisory scrutiny so as to push regulated financial institutions to improve the quality of their credit origination and monitoring processes as this ultimately results in stronger stability for the banking industry as a whole.

The European Banking Authority (EBA) released its final guidelines for loan origination and supervision on 29 May 2020 (the Guidelines) – these were delayed due to the COVID-19 pandemic and began to apply from 30 June 2021 to retail and non-retail credit origination after that date. The Guidelines have equally been translated into the EU official languages and are thus in full force across the EU-27. 1 The EBA also regularly updates a "compliance table" setting out how respective national competent authorities (NCAs) comply with the Guidelines in supervising respective firms. The Guidelines are equally adopted by and form part of the ECB-SSM's own Banking Union supervisory considerations.

Supervised firms benefited from a series of transitional arrangements namely: (1) from 30 June 2022 the Guidelines began to apply to then already existing loans and advances (including loans that have been renegotiated; and (2) from 30 June 2024 the Guidelines apply in full to the existing stock of loans and advances that were issued before 30 June 2021. Equally supervised firms may redress possible data gaps and adjust their monitoring frameworks and infrastructure until 30 June 2024. Notwithstanding the extended transition period, the EBA notes (as does the ECB-SSM) that all forms of credit origination require effective risk oversight and management.

As discussed in this Client Alert, the Guidelines are the most proactive response to date in harmonising and improving credit origination and monitoring standards. In summary, the Guidelines' operative provisions:

  • stipulate internal governance, process and control framework requirements in relation to the credit-origination and decision-making process. These conceptually build on the EBA's other guidelines on internal governance; 2
  • reinforce existing and introduce new requirements for borrower creditworthiness assessments.3 This includes differentiating between credit origination to consumers, microenterprises, small to medium sized enterprises (SMEs) as well as large corporates and the requirements equally detail how information for those assessments should be handled;
  • set supervisory expectations for the risk-based pricing of credit in particular certain types of loans;
  • provide guidance on the valuation approach(es) to be taken to immovable and movable property collateral both at the point of credit origination as well as the monitoring and review of such valuations as part of on-going monitoring thereafter; and
  • outline specific standards and supervisory expectations that should be complied with as part of the ongoing monitoring of credit exposures, their credit risk as well as periodic monitoring of borrowers.

Despite the EBA's efforts in using the Guidelines to create a (new) harmonised chapter in the EU's Single Rulebook for financial services, they are being applied across a still somewhat fragmented set of national frameworks notably when it comes to specific consumer protection in particular disclosure requirements. Consequently, where national differences continue to exist, these still need to be taken into account so as to ensure that the Guidelines' standards are being correctly applied to the jurisdiction and market specifics applicable in individual and across multiple EU Member States.

The Guidelines' scope of application and relevant exceptions

The Guidelines are formally addressed to the respective competent authorities and to relevant in-scope financial services firms i.e., these being firms engaged in lending and authorised to do so pursuant to regulated activity licensable pursuant to the EU's Capital Requirements Directive, Mortgage Credit Directive and/or Consumer Credit Directive (each as amended. The Guidelines are clear on the supervisory expectation that competent authorities should ensure that firms (summarised in the Guidelines as "institutions" apply the guidelines on individual, sub-consolidated and consolidated basis.

The standards and supervisory expectations set in the Guidelines on internal governance and monitoring obligations apply to all credit risks (Sections 4 to 8 of the Guidelines) but do not apply to debt securities, derivatives and securities financing transactions under the EU's Securities Financing Transactions Regulation (SFTR), which are undertaken by credit institutions, i.e., banks and MiFID investment firms that are subject to the CRR (please see also our dedicated series of Client Alerts covering the changes introduced by the EU's Investment Firms Regulation and Investments Firms Directive to the prudential capital framework applicable to MiFID investment firms).

Section 5 (Loan origination procedures) and Section 6 (Pricing) of the Guidelines in particular apply to loans to consumers, micro and small enterprises as well as SMEs. As a result, Section 5 and 6 of the Guidelines do not apply to loans and advances made where the borrower is a credit institution, investment firm, financial institution, (re-)insurance undertaking or a central bank. Equally, loans and/or advances to sovereigns and public sector entities are equally exempted. Equally Section 5 and 6 of the Guidelines do not apply to those Credit exposures that are forborne or which are categorised as NPLs. These are instead subject to other guidelines as published by the EBA as well as equally, in the context of the Banking Union, by various rulemaking instruments and supervisory expectations, as published by the ECB-SSM (please see also our dedicated series of Client Alerts covering those respective frameworks).

Regardless of the exemptions, the Guidelines place a repeated emphasis throughout the various standards on firms maintaining a robust and resilient IT infrastructure, sufficiently detailed data collection/transparency processes and dedicated efforts to facilitate digital transformation. It is (still in December 2022) not entirely clear from the Guidelines as to how firms are expected to evidence their degree of digital transformation when demonstrating compliance with the Guidelines, even if there are perhaps some best practices that might be applied. While the EBA specifically refers to the Financial Stability Board's definition of FinTech in the Guidelines, and this might provide some goalposts, supervised firms will be in a position where they are concurrently required to be meeting the EU's new Digital Operational Resilience framework (DORA) which will enter into force on 16 January 2023 and will come in to full effect by 17 January 2025 (please see also our dedicated series of Client Alerts covering that development along with the NIS2 Directive).

Lastly, the Guidelines (unsurprisingly) set supervisory expectations that firms should embed the following principles (whether covered in separate existing, proposed reform or forthcoming new rulemaking instruments and/or supervisory expectations) into their overall credit origination and monitoring processes:

  • complying with environmental, social and governance (ESG) factors – specifically incorporating such ESG factors and associated risks in their credit risk appetite and risk management policies, credit risk policies and procedures, adopting a holistic approach. Moreover, firms should take into account the risks associated with ESG factors on the financial conditions of borrowers.
  • facilitating sustainable lending practices (including meeting consumer protection measures as they exist under EU and national law);
  • maintaining robust and resilient financial crime prevention frameworks; and
  • adoption, where practicable and desirable, of automated and/or artificial intelligence as well as machine learning powered processes for credit origination and collateral valuation including with respect to statistical modelling. It should be noted that this will also have to meet standards as they might exist in respective EU Member States as to the (permitted) scope of use of artificial and automation in loan origination and underwriting processes. Importantly, as of the date hereof, the EBA, the ECB-SSM as well as a breadth of other EU-level and national level regulatory and supervisory policymakers and authorities continue their respective efforts in drafting new or reviewing existing rulemaking instruments and principles as to the use of automation, artificial intelligence and machine learning across the EU's Single Rulebook for financial services more generally.

The Guidelines' key requirements

The Guidelines key requirements and its operative provisions are set out in the following five thematic areas – each of these are subject to certain exceptions as set out below:

  1. internal governance arrangements, processes and mechanisms in relation to the granting and monitoring of credit facilities throughout their lifecycle, as well as measures to prevent conflicts of interests and/or alignment of incentives – notably through detailed rules on remuneration;
  2. loan origination procedures that focus on the granularity of quantitative and qualitative information underpinning sound credit risk practices, as well as ESG factors (see below) that apply to originated credit but also to any collateral;
  3. risk-based pricing of originated credit – while the EBA Guidelines do not stipulate one or more specific pricing strategies that firms should follow, they do set out the quantitative and qualitative criteria and methodology that ought to be applied by firms when adopting a "comprehensive pricing process". This should also seek to account for and differentiate according to the specific risks and attributes of the respective credit products, client types and credit qualities that the firm is exposed to. Furthermore, firms are also required to assess linkages between credit products, borrowers and respective entities with whom the firm may have a relationship – see below re "Single Customer View";
  4. on-going monitoring of credit risk and credit exposures detailing the quantitative and qualitative factors and requirements that should flow into firms' monitoring processes and systems and controls, as well as sensitivity analysis exercises for unsecured and secured consumer credit and performance of collateral, i.e., moving this considerably beyond the existing requirements under the MCD; and
  5. approaches to the valuation of immovable and moveable property collateral at the point of credit granting, as well as the periodic monitoring and review of the collateral based on the outcomes of such monitoring. These requirements apply to any valuation, monitoring and revaluation of immovable property and movable property collateral, excluding "financial collateral" (such as title transfer financial collateral and/or security financial collateral arrangements pursuant to the EU's Financial Collateral Directive), put in place and conducted after 30 June 2021.

Key considerations for financial services firms

Given that compliance with the Guidelines remains a supervisory priority of the EBA for the forthcoming supervisory cycle(s) as well as subject to increased supervisory scrutiny by NCAs including, in the context of the Banking Union, the ECB-SSM, financial services firms may want to (re-)assess how they are and can equally evidence their compliance with the Guidelines with sufficient detail both for the "back-book" in gathering/completing retrospective data and information for aged credit facilities as well as for the "front book" i.e., no credit facilities moving forward. This also applies to all firms, including those that have, since the last economic downturn, taken steps to improve their systems and controls, as well as those that have had remedial action plans communicated to them following ECB-SSM on-site supervisory inspections.4

As a result, financial services firms might want to consider periodically:

  1. Conducting a gap analysis to determine what, how, and when the firm needs to meet the relevant compliance obligations (and/or any proportionality measures, where permitted), including the interoperation with the firm's asset-liability management priorities as well as overall strategic steering.
  2. Addressing any issues arising from technological solutions that could complicate compliance with the Guidelines, as well as those solutions that need to be implemented or reinforced so as to map firms' counterparties/ customers' multiple exposures (assets/liabilities) in a "single customer view" (SCV) as well as to establish, where relevant, transparency of cross-subsidies between loans, borrowers or business units within and outside of the firm.
  3. Identifying and remedying any gaps in policies and procedures relating to the Guidelines, including governance and existence of a "credit risk culture" (tone from the top and bottom up) that influence credit origination and monitoring by business units as well as control functions. This includes examining how well property/collateral valuation processes and policies are designed and run, both at the point of origination and throughout the whole credit lifecycle, as well as how this relates to early warning systems (EWS) to detect and address symptoms of declining credit quality. Last but not least, businesses must adhere to rules governing the rotation of collateral value appraisers.
  4. Ensuring their credit risk governance and culture is communicated throughout the entire company and embodied, including in specific management function roles. This may require specialised training for some board members as well as other people who hold "key functions" in particular those in a risk-taking and/or control function role.
  5. Examining the firm's credit risk appetite and credit risk limits to see whether they are consistent with the firm's overall strategy and to explain (especially to regulators) how these metrics align with the firm's overall risk appetite framework (RAF) and strategy.
  6. Ensuring that the business, risk, and control functions can gather, exchange, and verify enough data on creditworthiness and affordability5 under a variety of circumstances before finalising a loan arrangement or considerably raising the amount of a loan. Firms are required to conduct appropriate investigations to confirm the accuracy of information and the traceability, auditability, robustness, and resilience of data inputs and outputs. Additional requirements apply in respect to credit offered to retail customers, microbusinesses and SMEs. The Guidelines offer a detailed list of information that must be gathered prior to and at the latest at the point of credit origination and kept up to date all the way through the credit
  7. Analysing and enhancing their data infrastructure to support the initial credit-granting process, including risk-adjusted pricing as part of an all-encompassing framework for loan pricing6 , as well as ongoing credit risk management and monitoring throughout the life cycle of a loan. This framework should also measure profitability metrics.7 Consequently, firms must gather loan-by-loan data at the point of origination in order to link borrower and collateral data, enabling effective credit risk monitoring and enabling an audit trail.
  8. Reviewing, improving and aligning credit specific policies and procedures on model risk and model governance.
  9. Evaluating the firm's monitoring structure and taking corrective action to ensure that it complies with the Guidelines and any applicable supervisory expectations Importantly, the monitoring parts of the Guidelines are anticipated to result in a significant number of data-driven deliverables that call for thorough, complete, and up-to-date data across the whole credit lifecycle. The monitoring and reporting of credit risks will thus require more automation, tying in the EWS and pertinent internal and regulatory reporting templates with high-quality data.
  10. Verifying whether ESG considerations are already incorporated into the credit origination and monitoring process, or determining the best way to do so.
  11. Establishing a thorough monitoring system that is driven by risk and control functions that interacts with, completes, and so supports the company's current, reliable "three lines of defence" (3LoD) model, including as it was put to the test by COVID-198 and extended pandemic preparedness.9
  12. Aligning their internal capital adequacy assessment procedure (ICAAP), internal liquidity adequacy assessment procedure (ILAAP), and overall risk appetite framework of a firm with their credit risk strategy and the implementation of this strategy through credit granting decisions.
  13. Updating internal reporting (for 3LoD and management-directed strategic steering objectives) as well as external regulatory reporting to comply with the Guidelines' standards and management's expectations.
  14. Examining current skill sets and the sufficiency of human, IT, and data infrastructure resources dedicated to the credit origination, monitoring and related control function processes.
  15. Taking into account general compensation (base pay and bonuses), requirements for employees, and employee incentives, as well as reducing excessive risk-taking for employees in the credit origination and related control functions

Additional monitoring requirements apply to financial services companies that syndicate leveraged credit facilities. Equally additional appraisal criteria apply to "unlikely to pay and NPL exposures, particularly when secured by immovable collateral.

Permitted proportionate application of the Guidelines

While the Guidelines permit NCAs and EU-level authorities to supervise firms according to how they apply pragmatic and proportionate application of the Guidelines, the principle of what is proportionate is defined differently for each specific section of the Guidelines. Part of this is due to each section having different factors on size, nature and complexity of the relevant firms, that in turn define and thus drive to what extent compliance obligations may be applied in a proportionate manner.

In most instances the Guidelines require both the firms wishing to rely on a proportionate application of the Guidelines to satisfy the respective competent authority that it has considered the type, size and complexity of:

  • the firm and its internal governance, risk management and control functions;
  • the credit being originated or monitored, the creditworthiness assessment, collateral valuations and credit risk monitoring; and
  • whether any risk-based proportionate approach would otherwise erode the supervisory outcomes set in the Guidelines and/or otherwise lessen the relevant consumer protection standards applicable to the given circumstances.

Outlook ahead

With the 30 June 2024 deadline by which firms need to evidence full compliance with the Guidelines fast approaching, project teams may want to review their respective processes, internal policies and procedures as well as client and counterparty facing documentation along with relevant data management and regulatory reporting systems so as to identify and remedy any gaps or equally be able to present such a review to respective authorities who may request evidence as part of on-going or more targeted supervisory dialogue.

Given the on-going supervisory scrutiny that both ECB-SSM, in the context of Banking Union, but equally other NCAs in the wider EU-27, as coordinated by the EBA have in respect of overall compliance with the Guidelines as well as remedial action for some already identified and communicated shortcomings at individual firms as well as wider lessons learned drawn therefrom for the wider body of relevant in-scope firms, 2023 is likely to be a busy year for many firms.

Footnotes

1 Available here.

2 See dedicated coverage on those EBA guidelines available from PwC Legal's EU RegCORE.

3 These follow the processes and mechanisms and requirements on credit and counterparty risk set out in Articles 74(1) and 79 of the CRD IV Directive relating to the granting and monitoring of credit facilities throughout their life cycle. The Guidelines also introduce requirements for the borrowers' creditworthiness assessment, together with the collection of information and data for the purposes of these assessments, reflecting provisions on creditworthiness assessments in Articles 18 and 20 of the Mortgage Credit Directive (MCD) and Article 8 of the Consumer Credit Directive (CCD). The Guidelines repeal and replace existing EBA guidelines on creditworthiness assessments issued under the MCD (EBA/GL/2015/11), which were first published in June 2015

4 See coverage for example on the ECB-SSM's updated approach to on-site inspections and internal model investigations available here.

5 This includes reviewing the debt capacity of the borrower, taking into account the sustainable future cashflow, the overall indebtedness and the debt service coverage ratio for the specific exposure. The Guidelines state that collateral by itself should not justify the loan approval if debt capacity is insufficient. Moreover, institutions must address the potential risk of borrowers failing to meet their contractual commitments, which could affect the strength of the institution and financial stability at large. This means that institutions must monitor credit risk using watch lists, quantitative and qualitative metrics that feed into Early Warning Indicators (EWIs) and Key Risk Indicators (KRIs) both at loan origination and throughout the life cycle of the loan, as well as conducting sensitivity analysis and stress testing, together with simple sensitivity analyses, based on internal and external information, in order to reduce the likelihood of negative effects in future.

6 Including the cost of capital, cost of funding, credit risk costs, operating and administrative costs and any other real costs associated with the credit.

7 The profitability of credit facilities should be measured using risk adjusted indicators, like economic value added (EVA), return on risk-adjusted capital (RORAC) and risk-adjusted return on capital (RAROC)

8 See coverage available here.

9 See coverage available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.