Financial Services
QuickTake
Every year, usually during the fourth quarter, the Banking Union
relevant supervisory authorities, comprised of the European Central
Bank (ECB), acting at the helm of the Single
Supervisory Mechanism (SSM) and the Single
Resolution Board (SRB), acting at the helm of the
Single Resolution Mechanism (SRM), individually
publish their Annual Work Programmes (AWPs)
setting out their priorities and resourcing for the coming calendar
year and through to two years after. The ECB-SSM's AWP for the
period 2025-2027 (for simplicity hereinafter the 2025
AWP), aims to foster cross-sectoral regulatory consistency
and supervisory convergence and is thus of relevance to national
competent authorities (NCAs) and more importantly
the relevant firms within the scope of ECB-SSM's and NCAs'
Banking Union mandate as exercised by joint supervisory teams
(JSTs).
On 17 December 2024, the ECB-SSM published its 2025 AWP. The
document builds upon the goals of the previous AWP for the period
2024-2026, yet in 2025 focuses on readdressing key strategic
priorities and implementation of new mandates.1 On the
same day the ECB-SSM equally published a number of more detailed
descriptions of the methodology for assessing the (i) market risk,
(ii) credit risk, (iii) interest rate and credit spread risk in the
banking book, (iv) the internal governance and risk management as
well as the operational and information and communication
technology (ICT) risk of those entities that for
SSM purposes are designated as 'significant institutions'
(SIs), as part of the ECB-SSM-run Supervisory
Review and Evaluation Process (SREP) along with
aggregated results of the 2024 SREP, details of which are assessed
in a separate Client Alert. Importantly, on 13 December 2024, the
ECB-SSM had equally published its 2024 Supervision Report setting
out observations relating to those Banking Union supervised
institutions (BUSIs) that for SSM purposes are
categorised as 'less significant institutions'
(LSIs).
This Client Alert discusses the key requirements and
expectations as well as legal and regulatory considerations for
relevant market participants as well as the key differences between
the ECB's 2025 AWP and that previously for the period
2024-2026. This Client Alert should be read together with other
thematic deep dives on reforms and developments as well as our
standalone analysis of all relevant 2025 AWPs from the SRB as well
as the European Commission, the European Systemic Risk Board
(ESRB), the European Supervisory Authorities
(ESAs), comprised of the European Banking
Authority (EBA), the European Securities and
Markets Authority (ESMA) and the European
Insurance and Occupational Pensions Authority
(EIOPA) – both when acting individually as
well as through the Joint Committee (JC) of the
ESAs. Readers may also find benefit in consulting "Navigating
2025", a comprehensive playbook providing a more granular
annual outlook from PwC Legal's EU RegCORE on the forthcoming
regulatory policymaking agenda, the supervisory cycle and
assessment of any commonalities and trends across plans for 2025
and beyond.
Key takeaways from the ECB-SSM's 2025
AWP
As in previous years the ECB-SSM's 2025 AWP has outlined an
ambitious and comprehensive work programme for 2025, aimed at
enhancing regulatory consistency, supervisory convergence and
addressing identified vulnerabilities across the Banking Union. In
summary the 16 pages of the 2025 AWP communicate the ECB-SSM's
requirements and expectations of BUSIs as well as improvements to
the ECB-SSM's functioning across the following three key
priorities for 2025-2027:
Priority 1: Banks should strengthen their ability to
withstand immediate macro-financial threats and severe geopolitical
shocks – with a focus on the following
vulnerabilities amongst BUSIs:
- Credit risk: addressing deficiencies
in credit risk management frameworks;
- Operational risk: addressing
deficiencies in operational resilience frameworks as regards ICT
outsourcing, security and cyber-risks including risks relating to
artificial intelligence (AI); and
- Multiple risk categories:
incorporating the management of geopolitical risks in supervisory
priorities. In particular, this includes reviewing:
- Risk Management Frameworks: Assessing the
adequacy of BUSIs' frameworks for managing geopolitical
risks;
- Capital and Liquidity Planning: Evaluating how
BUSIs incorporate geopolitical risks into their capital and
liquidity planning processes; and
- Internal Stress Testing: Reviewing BUSIs'
internal stress testing practices to ensure they adequately account
for geopolitical risks;
Priority 2: Banks should remedy persistent material
shortcomings in an effective and timely manner –
with a focus on the following vulnerabilities amongst BUSIs:
- Climate-related and environmental
risks: addressing deficiencies in business strategies
and risk management around climate-related and environmental risks;
and
- Governance: addressing deficiencies
in risk data aggregation and reporting but equally in redressing
continuing weaknesses when it comes to collective suitability
(including as regards IT expertise and board independence,
succession planning and the functioning and composition of
committees). These weaknesses have been analysed in further detail
in the ECB-SSM's revised supervisory Guide on Governance and
Risk Culture which will be published in final form in early
2025.2
Priority 3: Banks should strengthen their digitalisation
strategies and tackle emerging challenges stemming from the use of
new technologies – with a focus on the following
vulnerability amongst BUSIs:
- Business models: addressing
deficiencies in digital transformation risks.3
As in past years and in addition to the findings from the 2025
Stress Test4, the ECB-SSM plans to carry out targeted
supervisory activities assessing, monitoring and following up on
the vulnerabilities identified. Specifically, the ECB-SSM will
carry out targeted reviews and on-site inspections
(OSIs)5 on areas such as credit risk
management, operational resilience and digital transformation as
well as outsourcing of critical functions to third-party providers
including in light of the implementation of the EU's Digital
Operational Resilience Act (DORA) (see separate
series of coverage from our EU RegCORE on DORA).
In summary, while the ECM-SSM's 2025 AWP is comprehensive
and forward-looking there have been some changes between the focus,
scrutiny and tone of what the ECB-SSM focused on in its 2024 AWP
compared to what it plans to do in furtherance of its 2025
AWP's objectives and the longer-term goals set in the path to
2026 or indeed 2027.
Key messages and differences between the ECB-SSM's
2024 AWP and 2025 AWP
In addition to the above, it is important to review how the
focus, tone and expected level of scrutiny differs, even if ever so
slightly, between the ECB-SSM's 2024 and 2025 AWPs:
Topic – running order as used in
publications |
ECB-SSM's 2024 AWP – had the
ECB-SSM
focusing on: |
ECB-SSM's 2025 AWP – will have the
ECB-SSM
focusing on: |
Supervisory framework and
priorities |
- The focus included digital transformation and cyber threats,
with seven key vulnerabilities identified.
- Specific deadlines were set for banks to meet certain
requirements by the end of 2024.
- The text included detailed information about internal model
investigations, counterparty credit risk (CCR)
management, and targeted OSIs on CCR management.
- There was a focus on the extension of deep dives on forbearance
and unlikely to pay (UTP) policies.
- The supervisory priorities included an OSI campaign on interest
rate risk in the banking book (IRRBB),
investigating asset and liability management (ALM)
positioning and strategy, IRRBB behavioural models, and hedging
strategy.
- Prioritised vulnerability included deficiencies in operational
resilience frameworks, particularly ICT outsourcing and ICT
security/cyber risks.
|
- The focus shifted to include strategic objectives, work
programmes, and the identification of five key vulnerabilities with
a special focus on geopolitical risks.
- Emphasis was placed on the importance of digitalisation,
managing risks from new technologies, and the supervisory
priorities for 2025-27, including banks' resilience to macro-
financial threats and geopolitical shocks.
- The text now includes targeted OSIs on operational risk and ICT
resilience frameworks, implementation of DORA, and a special focus
on geopolitical risks.
- The revised text includes a detailed explanation of ongoing and
future supervisory activities, including follow-up remediation
activities and progress in credit risk management frameworks.
|
Risk management and compliance |
- Credit risk and ALM frameworks, ensuring both liquidity and
funding risks and also IRRBB.
- Shortcomings in asset and liability management frameworks,
liquidity and funding risk, IRRBB, and credit risk and counterparty
credit risk management.
- Shortcomings in credit risk and counterparty credit risk
management frameworks.
- Follow-up on the IFRS 9 targeted review, monitoring progress on
the ability of banks' expected credit loss models to capture
emerging risks, with a focus on overlays.
- Extension of the OSIs, focusing on IFRS 9 collective staging
and provisioning for small to medium sized enterprises
(SMEs), retail, and commercial real estate
(CRE) portfolios, including collateral
valuations.
- Detailed passage about deposit insurance, targeted longer-term
refinancing operations (TLTRO) exit strategies,
and various supervisory activities related to ALM and
liquidity.
- Deficiencies in risk data aggregation and reporting, with a
focus on addressing long-standing deficiencies and having adequate
and effective risk data aggregation and risk reporting
(RDARR) frameworks in place.
- Timely and accurate risk-related data aggregation and reporting
are essential for sound decision-making and effective strategic
steering by banks.
- Substantial progress in remedying long- standing shortcomings
identified in RDARR, with a structured escalation mechanism,
possibly including enforcements and sanctions.
- Refinement of supervisory expectations related to the
implementation of RDARR principles and publication of the
respective ECB-SSM's RDARR Guide.
- Supervisors will perform targeted reviews and OSIs and will
engage with banks.
- Detailed information on supervisory activities, findings, and
actions related to internal models, counterparty credit risk
management, ALM, and the functioning of banks' management
bodies.
|
- Credit risk management frameworks, however the focus on ALM and
related risks will be removed.
- Deficiencies in credit risk management frameworks.
- Identify deteriorations in asset quality in a timely
manner.
- Follow-up phase of IFRS 9 focusing on the use of overlays and
coverage of novel risks, including geopolitical risks, with
detailed supervisory follow- up processes.
- Continuation of credit risk OSIs, focusing on IFRS 9 collective
staging and provisioning for corporates/SMEs, retail, and
commercial real estate portfolios.
- Added a new focus area on SME portfolios, emphasising early
identification and handling of borrower distress, SME models, and
governance.
- Removed detailed passage about deposit insurance, TLTRO exit
strategies, and various supervisory activities related to ALM and
liquidity.
- Emphasis on remediating long-standing shortcomings in RDARR
frameworks and aligning practices with supervisory expectations,
with potential escalation measures.
- Progress in tackling long-standing deficiencies in RDARR
frameworks remains insufficient, highlighting non-compliance with
supervisory expectations.
- Adherence to supervisory expectations laid down in the
ECB-SSM's RDARR Guide.
- Increased supervisory pressure on banks that fail to remedy
deficiencies, with tailored remediation strategies and use of
sanctions.
- Follow-up work on the targeted review of RDARR practices and
adherence to the ECB-SSM's RDARR Guide, with targeted OSIs
looking at overarching governance and ICT infrastructure
issues.
- Continuation of targeted reviews of RDARR capabilities and
proactive engagement with banks when shortcomings are
identified.
- Detailed information on supervisory activities, findings, and
actions related to internal models, counterparty credit risk
management, ALM, and the functioning of banks' management
bodies, with specific areas of concern and actions taken.
|
Digital transformation and ICT
risks |
- Banks should comply with the legal requirements stemming from
DORA as regards ICT risk management, incident reporting, the
testing of digital operational resilience, and third-party service
providers.
- Shortcomings in asset and liability management were identified
as a prioritised vulnerability.
- Targeted reviews of the soundness and reliability of funding
plans, contingency planning, and the adequacy of collateral
optimisation capabilities, as well as of ALM governance and
strategies.
- Targeted OSIs assessing the robustness and appropriateness of
funding and recovery plans.
- Follow-up work on the findings from the targeted review on
interest rate and credit spread risks, extending this review also
to a wider scope of institutions.
- Banks should develop and execute sound digital transformation
plans through adequate arrangements (e.g., business strategy and
risk management) to strengthen their business model. sustainability
and mitigate risks related to the use of innovative
technologies.
- Targeted reviews focusing on the impact of banks' digital
transformation on their business model/strategy, governance, and
risk identification/management, complemented by JSTs' follow-up
with banks where material deficiencies are identified.
- Targeted OSIs on digital transformation, combining the business
model dimension with the ICT aspect of banks' digital
transformation strategies.
- Banks need to strengthen and, where needed, adjust their
operational resilience frameworks to mitigate potential risks,
especially in light of increasing cyber threats stemming from the
current geopolitical environment.
|
- Banks should comply with DORA and address ICT risk management,
incident reporting, and digital operational resilience
testing.
- Deficiencies in operational resilience frameworks as regards
ICT outsourcing and ICT security/cyber risks were identified as a
prioritised vulnerability.
- Collection of data on third-party ICT providers to identify
links between supervised entities and third-party providers,
potential concentration risks, and weaknesses in banks'
outsourcing arrangements.
- Reviews of risk management frameworks for outsourcing risks and
of cyber resilience frameworks and risk controls.
- Follow-up work on the findings from the cyber resilience stress
test.
- Detailed passage about the 2024 cyber resilience stress test
and its findings, including areas for improvement and future
supervisory actions.
- Specific areas of focus related to ICT systems and data quality
were added.
- New priority focusing on banks strengthening their
digitalisation strategies and addressing challenges from new
technologies.
- Emphasis on digital transformation, cyber threats, and the role
of AI in banking, highlighting the need for safeguards, structured
approaches, and targeted strategies.
- Banks should strengthen their digitalisation strategies and the
related execution plans to properly mitigate the underlying risks,
including risks stemming from the use of new/advanced technologies
such as cloud services and AI.
- Detailed discussion on the profitability of banks, the impact
of the macro-financial environment, and the importance of
leveraging profits for digitalisation and operational
resilience.
- Targeted activities focusing on the impact that banks'
digital activities have on their business models/strategies and the
risks stemming from the use of innovative technologies.
- Targeted OSIs looking at both ICT-related and business
model-related aspects of banks' digital transformation
strategies.
- The passage discussing the need for banks to strengthen
operational resilience frameworks, address vulnerabilities from
third-party providers, and improve ICT security in light of
geopolitical cyber threats was removed.
|
Economic and geopolitical
context |
- Detailed description of past challenges, including the COVID-19
pandemic, Russia's war in Ukraine, and failures of US and Swiss
banks, and their impact on the banking sector.
- Forward-looking assessment of challenges, including the impact
of rising interest rates, potential asset quality deterioration,
and geopolitical risks.
- Discussion of the resilience of firms and households, early
signs of asset quality deterioration, and various market conditions
affecting asset quality.
- Emphasis on the need for banks to strengthen their resilience
to immediate macro-financial and geopolitical shocks.
- Detailed discussion of specific risks to banks' asset
quality, including geopolitical tensions, interest rates, and
economic slowdown.
- Analysis of inflationary pressures, ECB- SSM's actions, and
banks' liquidity and funding resilience.
- Discussion on the recent profitability of supervised
institutions, their structural weaknesses, and the challenges posed
by high cost-to-income ratios and inflationary pressures.
|
- Current assessment of the banking sector's resilience and
performance, emphasising recent achievements and stability.
- Call for prudence and vigilance in light of ongoing
geopolitical tensions and macroeconomic uncertainties.
- Detailed economic outlook, including real GDP growth,
inflationary pressures, and the impact of geopolitical risks and
structural challenges.
- Emphasis on the need for heightened supervisory scrutiny and
proactive risk management practices.
- Comprehensive analysis of various risks and challenges facing
the banking sector, including geopolitical shocks, climate-related
crises, technological transformation, and market conditions.
- Updated references to the most current ECB projections and
publications, providing more relevant and up-to-date
information.
- Introduction of a new discussion on the profitability of
supervised entities due to the shift from low to positive interest
rates, highlighting the impact on net interest margins and cost
efficiency.
|
Governance and strategic
planning |
- Highlighted the need for strong internal governance and
effective risk controls, particularly in response to recent bank
failures.
- Emphasized the importance of timely and effective supervisory
responses and escalation mechanisms.
- Detailed deficiencies in management bodies' functioning,
RDARR capabilities, and digital transformation strategies.
- Stressed the need for banks to address material deficiencies in
management bodies' functioning, oversight, and
composition.
- Identified deficiencies in governance and the management of
climate-related and environmental risks as a priority.
- Mentioned the update and publication of supervisory
expectations on governance and risk management.
- Included a comprehensive discussion on climate change risks,
governance, and the impact of geopolitical tensions on transition
risks.
|
- Emphasises the need for banks to address major shortcomings and
comply fully with supervisory expectations.
- Focuses on the importance of addressing material deficiencies
and meeting supervisory expectations, particularly related to
C&E risks.
- Provides a detailed assessment of banks' compliance with
supervisory expectations regarding C&E risks, including
deadlines, supervisory decisions, and future monitoring.
- Highlights the shift from risk identification to risk
remediation, stressing the need for banks to remedy persistent
material shortcomings promptly and effectively.
- Updates the reference to a blog post, indicating a shift in
focus to the importance of transition planning.
- Expands the content to include specific references to ESG risks
and future supervisory priorities, providing more detailed guidance
and context for banks.
- Clarifies the purpose of the Management Report, emphasising
accountability.
- Removes the emphasis on climate change risks and the need for
banks to incorporate these risks into their business strategies and
governance frameworks, shifting the focus to other priorities.
|
Other action points |
- Included both regular and ad hoc activities, allowing for a
broader scope of supervisory actions.
- Referenced past reports and specific supervisory priorities for
2024-2026, providing historical context and continuity.
- Detailed discussion of CCR management, highlighting material
shortcomings and specific supervisory activities.
- Identified key deficiencies related to management bodies, data
architecture, and ICT landscapes, emphasising the need for strong
prioritisation by management bodies.
- Included specific references and citations, enhancing the
document's credibility and verifiability.
|
- Narrowed the scope to only regular activities, excluding ad hoc
activities, which may limit the flexibility of supervisory
responses.
- Emphasised the importance of addressing material shortcomings,
particularly in risk data aggregation and reporting, and updated
the timeline for supervisory priorities.
- Broadened the focus to include emerging risks and expected
credit loss models, highlighting progress and deficiencies in
banks' risk management practices.
- Provided a more structured and detailed account of identified
weaknesses, emphasising findings from recent supervisory
reviews.
|
Outlook
The ECB-SSM's 2025 AWP sets out a comprehensive agenda aimed
at enhancing the resilience and robustness of BUSIs. With the
ECB-SSM set to step up its scrutiny, in particular on a number of
points where its patience is wearing thin, BUSIs need to adapt to
these new requirements and actively participate in the
ECB-SSM's but also other Banking Union-specific and EU-wide
initiatives to ensure compliance and readiness in the evolving
regulatory as well as supervisory landscape.
More crucially, as the regulatory landscape continues to evolve,
BUSIs are encouraged to actively engage with supervisory
authorities, leverage technological advancements and implement
sound risk mitigation strategies including expectations of the
ECB-SSM in light of digital transformation and business model
reinvention. The ECB-SSM will continue to monitor and assess the
progress of supervised entities, adapting its supervisory approach
as necessary to address emerging risks and vulnerabilities.
Accordingly, some of the issues highlighted above may also require
changes to as well as strengthening of systems and controls,
policies and procedures as well counterparty, client and customer
facing documentation during the 2025 supervisory cycle.
Footnotes
1 Available here.
2 See our analysis on the draft of this ECB-SSM Guide
available here.
3 See our analysis on recent ECB-SSM's expectations
available here.
4 The 2025 EU-wide stress test, coordinated by the EBA,
will include exploratory scenario analysis to assess banks'
ability to model counterparty credit risk under stress conditions
influenced by geopolitical factors. This analysis aims to identify
vulnerabilities in banks' risk management frameworks and ensure
preparedness for potential geopolitical shocks on the following key
focus areas:
- Geopolitical Scenarios: The stress test
will consider various geopolitical events, such as conflicts,
sanctions, and trade disruptions, and their potential impact on the
financial sector.
- Counterparty Credit Risk: A primary
focus will be on banks' ability to model counterparty credit
risk under stress conditions influenced by geopolitical factors,
particularly exposures to counterparties in sensitive
regions.
- Provisioning and Capital Levels: The
adequacy of banks' provisioning and capital levels in response
to geopolitical risks will be assessed.
- Risk Management Frameworks: The
robustness of banks' risk management frameworks in
incorporating geopolitical risks will be evaluated, including how
banks identify, monitor, and mitigate these risks.
- Capital and Liquidity Planning:
Banks' capital and liquidity planning processes will be
scrutinized to determine their ability to account for geopolitical
risks, including the impact on funding sources, liquidity
positions, and overall financial stability.
- Internal Stress Testing Practices: The
stress test will review banks' internal stress testing
practices to ensure they adequately account for geopolitical risks,
enhancing their preparedness for geopolitical shocks.
5 For an overview of how the ECB-SSM carries out on-site
inspections and internal model investigations please see here.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.