ARTICLE
25 March 2025

ECB Publishes Its SSM Annual Work Programme 2025

PwC Legal Germany

Contributor


QuickTake

Every year, usually during the fourth quarter, the relevant Banking Union supervisory authorities, comprising the European Central Bank (ECB), acting at the helm of the Single Supervisory Mechanism (SSM), and the Single Resolution Board (SRB), acting at the helm of the Single Resolution Mechanism (SRM), individually publish their Annual Work Programmes (AWPs) setting out their priorities and resourcing for the coming calendar year and through to two years after. The ECB-SSM's AWP for the period 2025-2027 (for simplicity hereinafter the 2025 AWP) aims to foster cross-sectoral regulatory consistency and supervisory convergence and is thus of relevance to national competent authorities (NCAs) and, more importantly, the relevant firms within the scope of the ECB-SSM's and NCAs' Banking Union mandate as exercised by joint supervisory teams (JSTs).

On 17 December 2024, the ECB-SSM published its 2025 AWP. The document builds upon the goals of the previous AWP for the period 2024-2026, yet in 2025 focuses on readdressing key strategic priorities and implementation of new mandates.1 On the same day the ECB-SSM equally published a number of more detailed descriptions of the methodology for assessing the (i) market risk, (ii) credit risk, (iii) interest rate and credit spread risk in the banking book, (iv) the internal governance and risk management as well as the operational and information and communication technology (ICT) risk of those entities that for SSM purposes are designated as 'significant institutions' (SIs), as part of the ECB-SSM-run Supervisory Review and Evaluation Process (SREP) along with aggregated results of the 2024 SREP, details of which are assessed in a separate Client Alert. Importantly, on 13 December 2024, the ECB-SSM had equally published its 2024 Supervision Report setting out observations relating to those Banking Union supervised institutions (BUSIs) that for SSM purposes are categorised as 'less significant institutions' (LSIs).

This Client Alert discusses the key requirements and expectations as well as legal and regulatory considerations for relevant market participants as well as the key differences between the ECB's 2025 AWP and that previously for the period 2024-2026. This Client Alert should be read together with other thematic deep dives on reforms and developments as well as our standalone analysis of all relevant 2025 AWPs from the SRB as well as the European Commission, the European Systemic Risk Board (ESRB), the European Supervisory Authorities (ESAs), comprised of the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) – both when acting individually as well as through the Joint Committee (JC) of the ESAs. Readers may also find benefit in consulting "Navigating 2025", a comprehensive playbook providing a more granular annual outlook from PwC Legal's EU RegCORE on the forthcoming regulatory policymaking agenda, the supervisory cycle and assessment of any commonalities and trends across plans for 2025 and beyond.

Key takeaways from the ECB-SSM's 2025 AWP

As in previous years the ECB-SSM's 2025 AWP has outlined an ambitious and comprehensive work programme for 2025, aimed at enhancing regulatory consistency, supervisory convergence and addressing identified vulnerabilities across the Banking Union. In summary the 16 pages of the 2025 AWP communicate the ECB-SSM's requirements and expectations of BUSIs as well as improvements to the ECB-SSM's functioning across the following three key priorities for 2025-2027:

Priority 1: Banks should strengthen their ability to withstand immediate macro-financial threats and severe geopolitical shocks – with a focus on the following vulnerabilities amongst BUSIs:

  • Credit risk: addressing deficiencies in credit risk management frameworks;
  • Operational risk: addressing deficiencies in operational resilience frameworks as regards ICT outsourcing, security and cyber-risks including risks relating to artificial intelligence (AI); and
  • Multiple risk categories: incorporating the management of geopolitical risks in supervisory priorities. In particular, this includes reviewing:
    • Risk Management Frameworks: Assessing the adequacy of BUSIs' frameworks for managing geopolitical risks;
    • Capital and Liquidity Planning: Evaluating how BUSIs incorporate geopolitical risks into their capital and liquidity planning processes; and
    • Internal Stress Testing: Reviewing BUSIs' internal stress testing practices to ensure they adequately account for geopolitical risks;

Priority 2: Banks should remedy persistent material shortcomings in an effective and timely manner – with a focus on the following vulnerabilities amongst BUSIs:

  • Climate-related and environmental risks: addressing deficiencies in business strategies and risk management around climate-related and environmental risks; and
  • Governance: addressing deficiencies in risk data aggregation and reporting but equally in redressing continuing weaknesses when it comes to collective suitability (including as regards IT expertise and board independence, succession planning and the functioning and composition of committees). These weaknesses have been analysed in further detail in the ECB-SSM's revised supervisory Guide on Governance and Risk Culture which will be published in final form in early 2025.2

Priority 3: Banks should strengthen their digitalisation strategies and tackle emerging challenges stemming from the use of new technologies – with a focus on the following vulnerability amongst BUSIs:

  • Business models: addressing deficiencies in digital transformation risks.3

As in past years and in addition to the findings from the 2025 Stress Test4, the ECB-SSM plans to carry out targeted supervisory activities assessing, monitoring and following up on the vulnerabilities identified. Specifically, the ECB-SSM will carry out targeted reviews and on-site inspections (OSIs)5 on areas such as credit risk management, operational resilience and digital transformation as well as outsourcing of critical functions to third-party providers including in light of the implementation of the EU's Digital Operational Resilience Act (DORA) (see separate series of coverage from our EU RegCORE on DORA).

In summary, while the ECB-SSM's 2025 AWP is comprehensive and forward-looking, there have been some changes in focus, scrutiny and tone between what the ECB-SSM focused on in its 2024 AWP and what it plans to do in furtherance of its 2025 AWP's objectives and the longer-term goals set in the path to 2026 or indeed 2027.

Key messages and differences between the ECB-SSM's 2024 AWP and 2025 AWP

In addition to the above, it is important to review how the focus, tone and expected level of scrutiny differs, even if ever so slightly, between the ECB-SSM's 2024 and 2025 AWPs:

Topic – running order as used in publications
ECB-SSM's 2024 AWP – had the ECB-SSM focusing on:
ECB-SSM's 2025 AWP – will have the ECB-SSM focusing on:
Supervisory framework and priorities
  • The focus included digital transformation and cyber threats, with seven key vulnerabilities identified.
  • Specific deadlines were set for banks to meet certain requirements by the end of 2024.
  • The text included detailed information about internal model investigations, counterparty credit risk (CCR) management, and targeted OSIs on CCR management.
  • There was a focus on the extension of deep dives on forbearance and unlikely to pay (UTP) policies.
  • The supervisory priorities included an OSI campaign on interest rate risk in the banking book (IRRBB), investigating asset and liability management (ALM) positioning and strategy, IRRBB behavioural models, and hedging strategy.
  • Prioritised vulnerability included deficiencies in operational resilience frameworks, particularly ICT outsourcing and ICT security/cyber risks.
  • The focus shifted to include strategic objectives, work programmes, and the identification of five key vulnerabilities with a special focus on geopolitical risks.
  • Emphasis was placed on the importance of digitalisation, managing risks from new technologies, and the supervisory priorities for 2025-27, including banks' resilience to macro-financial threats and geopolitical shocks.
  • The text now includes targeted OSIs on operational risk and ICT resilience frameworks, implementation of DORA, and a special focus on geopolitical risks.
  • The revised text includes a detailed explanation of ongoing and future supervisory activities, including follow-up remediation activities and progress in credit risk management frameworks.
Risk management and compliance
  • Credit risk and ALM frameworks, ensuring both liquidity and funding risks and also IRRBB.
  • Shortcomings in asset and liability management frameworks, liquidity and funding risk, IRRBB, and credit risk and counterparty credit risk management.
  • Shortcomings in credit risk and counterparty credit risk management frameworks.
  • Follow-up on the IFRS 9 targeted review, monitoring progress on the ability of banks' expected credit loss models to capture emerging risks, with a focus on overlays.
  • Extension of the OSIs, focusing on IFRS 9 collective staging and provisioning for small to medium sized enterprises (SMEs), retail, and commercial real estate (CRE) portfolios, including collateral valuations.
  • Detailed passage about deposit insurance, targeted longer-term refinancing operations (TLTRO) exit strategies, and various supervisory activities related to ALM and liquidity.
  • Deficiencies in risk data aggregation and reporting, with a focus on addressing long-standing deficiencies and having adequate and effective risk data aggregation and risk reporting (RDARR) frameworks in place.
  • Timely and accurate risk-related data aggregation and reporting are essential for sound decision-making and effective strategic steering by banks.
  • Substantial progress in remedying long-standing shortcomings identified in RDARR, with a structured escalation mechanism, possibly including enforcements and sanctions.
  • Refinement of supervisory expectations related to the implementation of RDARR principles and publication of the respective ECB-SSM's RDARR Guide.
  • Supervisors will perform targeted reviews and OSIs and will engage with banks.
  • Detailed information on supervisory activities, findings, and actions related to internal models, counterparty credit risk management, ALM, and the functioning of banks' management bodies.
  • Credit risk management frameworks, however the focus on ALM and related risks will be removed.
  • Deficiencies in credit risk management frameworks.
  • Identify deteriorations in asset quality in a timely manner.
  • Follow-up phase of IFRS 9 focusing on the use of overlays and coverage of novel risks, including geopolitical risks, with detailed supervisory follow-up processes.
  • Continuation of credit risk OSIs, focusing on IFRS 9 collective staging and provisioning for corporates/SMEs, retail, and commercial real estate portfolios.
  • Added a new focus area on SME portfolios, emphasising early identification and handling of borrower distress, SME models, and governance.
  • Removed detailed passage about deposit insurance, TLTRO exit strategies, and various supervisory activities related to ALM and liquidity.
  • Emphasis on remediating long-standing shortcomings in RDARR frameworks and aligning practices with supervisory expectations, with potential escalation measures.
  • Progress in tackling long-standing deficiencies in RDARR frameworks remains insufficient, highlighting non-compliance with supervisory expectations.
  • Adherence to supervisory expectations laid down in the ECB-SSM's RDARR Guide.
  • Increased supervisory pressure on banks that fail to remedy deficiencies, with tailored remediation strategies and use of sanctions.
  • Follow-up work on the targeted review of RDARR practices and adherence to the ECB-SSM's RDARR Guide, with targeted OSIs looking at overarching governance and ICT infrastructure issues.
  • Continuation of targeted reviews of RDARR capabilities and proactive engagement with banks when shortcomings are identified.
  • Detailed information on supervisory activities, findings, and actions related to internal models, counterparty credit risk management, ALM, and the functioning of banks' management bodies, with specific areas of concern and actions taken.
Digital transformation and ICT risks
  • Banks should comply with the legal requirements stemming from DORA as regards ICT risk management, incident reporting, the testing of digital operational resilience, and third-party service providers.
  • Shortcomings in asset and liability management were identified as a prioritised vulnerability.
  • Targeted reviews of the soundness and reliability of funding plans, contingency planning, and the adequacy of collateral optimisation capabilities, as well as of ALM governance and strategies.
  • Targeted OSIs assessing the robustness and appropriateness of funding and recovery plans.
  • Follow-up work on the findings from the targeted review on interest rate and credit spread risks, extending this review also to a wider scope of institutions.
  • Banks should develop and execute sound digital transformation plans through adequate arrangements (e.g., business strategy and risk management) to strengthen their business model sustainability and mitigate risks related to the use of innovative technologies.
  • Targeted reviews focusing on the impact of banks' digital transformation on their business model/strategy, governance, and risk identification/management, complemented by JSTs' follow-up with banks where material deficiencies are identified.
  • Targeted OSIs on digital transformation, combining the business model dimension with the ICT aspect of banks' digital transformation strategies.
  • Banks need to strengthen and, where needed, adjust their operational resilience frameworks to mitigate potential risks, especially in light of increasing cyber threats stemming from the current geopolitical environment.
  • Banks should comply with DORA and address ICT risk management, incident reporting, and digital operational resilience testing.
  • Deficiencies in operational resilience frameworks as regards ICT outsourcing and ICT security/cyber risks were identified as a prioritised vulnerability.
  • Collection of data on third-party ICT providers to identify links between supervised entities and third-party providers, potential concentration risks, and weaknesses in banks' outsourcing arrangements.
  • Reviews of risk management frameworks for outsourcing risks and of cyber resilience frameworks and risk controls.
  • Follow-up work on the findings from the cyber resilience stress test.
  • Detailed passage about the 2024 cyber resilience stress test and its findings, including areas for improvement and future supervisory actions.
  • Specific areas of focus related to ICT systems and data quality were added.
  • New priority focusing on banks strengthening their digitalisation strategies and addressing challenges from new technologies.
  • Emphasis on digital transformation, cyber threats, and the role of AI in banking, highlighting the need for safeguards, structured approaches, and targeted strategies.
  • Banks should strengthen their digitalisation strategies and the related execution plans to properly mitigate the underlying risks, including risks stemming from the use of new/advanced technologies such as cloud services and AI.
  • Detailed discussion on the profitability of banks, the impact of the macro-financial environment, and the importance of leveraging profits for digitalisation and operational resilience.
  • Targeted activities focusing on the impact that banks' digital activities have on their business models/strategies and the risks stemming from the use of innovative technologies.
  • Targeted OSIs looking at both ICT-related and business model-related aspects of banks' digital transformation strategies.
  • The passage discussing the need for banks to strengthen operational resilience frameworks, address vulnerabilities from third-party providers, and improve ICT security in light of geopolitical cyber threats was removed.
Economic and geopolitical context
  • Detailed description of past challenges, including the COVID-19 pandemic, Russia's war in Ukraine, and failures of US and Swiss banks, and their impact on the banking sector.
  • Forward-looking assessment of challenges, including the impact of rising interest rates, potential asset quality deterioration, and geopolitical risks.
  • Discussion of the resilience of firms and households, early signs of asset quality deterioration, and various market conditions affecting asset quality.
  • Emphasis on the need for banks to strengthen their resilience to immediate macro-financial and geopolitical shocks.
  • Detailed discussion of specific risks to banks' asset quality, including geopolitical tensions, interest rates, and economic slowdown.
  • Analysis of inflationary pressures, ECB-SSM's actions, and banks' liquidity and funding resilience.
  • Discussion on the recent profitability of supervised institutions, their structural weaknesses, and the challenges posed by high cost-to-income ratios and inflationary pressures.
  • Current assessment of the banking sector's resilience and performance, emphasising recent achievements and stability.
  • Call for prudence and vigilance in light of ongoing geopolitical tensions and macroeconomic uncertainties.
  • Detailed economic outlook, including real GDP growth, inflationary pressures, and the impact of geopolitical risks and structural challenges.
  • Emphasis on the need for heightened supervisory scrutiny and proactive risk management practices.
  • Comprehensive analysis of various risks and challenges facing the banking sector, including geopolitical shocks, climate-related crises, technological transformation, and market conditions.
  • Updated references to the most current ECB projections and publications, providing more relevant and up-to-date information.
  • Introduction of a new discussion on the profitability of supervised entities due to the shift from low to positive interest rates, highlighting the impact on net interest margins and cost efficiency.
Governance and strategic planning
  • Highlighted the need for strong internal governance and effective risk controls, particularly in response to recent bank failures.
  • Emphasized the importance of timely and effective supervisory responses and escalation mechanisms.
  • Detailed deficiencies in management bodies' functioning, RDARR capabilities, and digital transformation strategies.
  • Stressed the need for banks to address material deficiencies in management bodies' functioning, oversight, and composition.
  • Identified deficiencies in governance and the management of climate-related and environmental risks as a priority.
  • Mentioned the update and publication of supervisory expectations on governance and risk management.
  • Included a comprehensive discussion on climate change risks, governance, and the impact of geopolitical tensions on transition risks.
  • Emphasises the need for banks to address major shortcomings and comply fully with supervisory expectations.
  • Focuses on the importance of addressing material deficiencies and meeting supervisory expectations, particularly related to C&E risks.
  • Provides a detailed assessment of banks' compliance with supervisory expectations regarding C&E risks, including deadlines, supervisory decisions, and future monitoring.
  • Highlights the shift from risk identification to risk remediation, stressing the need for banks to remedy persistent material shortcomings promptly and effectively.
  • Updates the reference to a blog post, indicating a shift in focus to the importance of transition planning.
  • Expands the content to include specific references to ESG risks and future supervisory priorities, providing more detailed guidance and context for banks.
  • Clarifies the purpose of the Management Report, emphasising accountability.
  • Removes the emphasis on climate change risks and the need for banks to incorporate these risks into their business strategies and governance frameworks, shifting the focus to other priorities.
Other action points
  • Included both regular and ad hoc activities, allowing for a broader scope of supervisory actions.
  • Referenced past reports and specific supervisory priorities for 2024-2026, providing historical context and continuity.
  • Detailed discussion of CCR management, highlighting material shortcomings and specific supervisory activities.
  • Identified key deficiencies related to management bodies, data architecture, and ICT landscapes, emphasising the need for strong prioritisation by management bodies.
  • Included specific references and citations, enhancing the document's credibility and verifiability.
  • Narrowed the scope to only regular activities, excluding ad hoc activities, which may limit the flexibility of supervisory responses.
  • Emphasised the importance of addressing material shortcomings, particularly in risk data aggregation and reporting, and updated the timeline for supervisory priorities.
  • Broadened the focus to include emerging risks and expected credit loss models, highlighting progress and deficiencies in banks' risk management practices.
  • Provided a more structured and detailed account of identified weaknesses, emphasising findings from recent supervisory reviews.

Outlook

The ECB-SSM's 2025 AWP sets out a comprehensive agenda aimed at enhancing the resilience and robustness of BUSIs. With the ECB-SSM set to step up its scrutiny, in particular on a number of points where its patience is wearing thin, BUSIs need to adapt to these new requirements and actively participate in the ECB-SSM's but also other Banking Union-specific and EU-wide initiatives to ensure compliance and readiness in the evolving regulatory as well as supervisory landscape.

More crucially, as the regulatory landscape continues to evolve, BUSIs are encouraged to actively engage with supervisory authorities, leverage technological advancements and implement sound risk mitigation strategies, including the ECB-SSM's expectations in light of digital transformation and business model reinvention. The ECB-SSM will continue to monitor and assess the progress of supervised entities, adapting its supervisory approach as necessary to address emerging risks and vulnerabilities. Accordingly, some of the issues highlighted above may also require changes to, as well as strengthening of, systems and controls, policies and procedures as well as counterparty, client and customer facing documentation during the 2025 supervisory cycle.

Footnotes

1 Available here.

2 See our analysis on the draft of this ECB-SSM Guide available here.

3 See our analysis on recent ECB-SSM's expectations available here.

4 The 2025 EU-wide stress test, coordinated by the EBA, will include exploratory scenario analysis to assess banks' ability to model counterparty credit risk under stress conditions influenced by geopolitical factors. This analysis aims to identify vulnerabilities in banks' risk management frameworks and ensure preparedness for potential geopolitical shocks on the following key focus areas:

  • Geopolitical Scenarios: The stress test will consider various geopolitical events, such as conflicts, sanctions, and trade disruptions, and their potential impact on the financial sector.
  • Counterparty Credit Risk: A primary focus will be on banks' ability to model counterparty credit risk under stress conditions influenced by geopolitical factors, particularly exposures to counterparties in sensitive regions.
  • Provisioning and Capital Levels: The adequacy of banks' provisioning and capital levels in response to geopolitical risks will be assessed.
  • Risk Management Frameworks: The robustness of banks' risk management frameworks in incorporating geopolitical risks will be evaluated, including how banks identify, monitor, and mitigate these risks.
  • Capital and Liquidity Planning: Banks' capital and liquidity planning processes will be scrutinized to determine their ability to account for geopolitical risks, including the impact on funding sources, liquidity positions, and overall financial stability.
  • Internal Stress Testing Practices: The stress test will review banks' internal stress testing practices to ensure they adequately account for geopolitical risks, enhancing their preparedness for geopolitical shocks.

5 For an overview of how the ECB-SSM carries out on-site inspections and internal model investigations please see here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
