Banking Supervision
Banking Supervision
Search
Search Options
Home Publication Explainers Statistics Payments Career Monetary Policy
Suggestions
Sort by
Níl an t-ábhar seo ar fáil i nGaeilge.

1 Introduction

The supervisory priorities for 2025-27 reflect ECB Banking Supervision’s medium-term strategy for the next three years. They are set by the Supervisory Board of the ECB, reviewed annually, and are based on a comprehensive assessment of the main risks and vulnerabilities for supervised entities. They also take account of the outcome of the Supervisory Review and Evaluation Process (SREP),[1] as well as of the progress as compared with the previous years’ priorities. They support efficient allocation of the available supervisory resources and can be adjusted flexibly if warranted by changes to the risk landscape.

Over the past year, the European banking sector has demonstrated resilience in the face of an uncertain external environment and shown its capacity to continue supporting the economic recovery. European banks are reporting strong capital and liquidity positions. Their asset quality has remained broadly resilient to the more challenging macro-financial environment, with their profitability reaching the highest levels seen since the inception of the of the European banking supervision, particularly as a result of higher interest rates.

Notwithstanding the robustness of banks’ balance sheets and risk profiles, prudence is required given the persistently high geopolitical tensions and the associated uncertainty about the macroeconomic outlook. While supervised entities have so far been able to withstand the recent geopolitical shocks, supported inter alia by the broad resilience of the real economy, it is crucial that banks remain vigilant and regularly assess the implications that such events could potentially have for their business, operations and risk profile. In this context, addressing shortcomings in banks’ credit risk management frameworks remains a priority, especially as regards early identification of deteriorating asset quality and the deployment of prudent levels of provisioning. Furthermore, the enhancement of banks’ operational resilience frameworks is key, in order to strengthen their ability to withstand any operational disruptions resulting from sudden events. The cross-cutting nature of geopolitical shocks calls for a holistic supervisory strategy and a special focus on banks’ ability to withstand such shocks within the framework of the supervisory priorities.

At the same time, banks should further strengthen their efforts to effectively address material shortcomings identified by supervisors in previous cycles, remedying them in a timely manner. In areas which have been subject to close supervisory scrutiny in the past, supervisors’ efforts will focus on banks’ effective and timely remediation of identified deficiencies. This is especially true of risk data aggregation and risk reporting (RDARR) – where, despite long-standing engagement with supervisors and acknowledged improvements, some banks have still not addressed major shortcomings. In addition, full compliance with supervisory expectations as regards banks’ management of climate‑related and environmental (C&E) risks will remain a priority.

Finally, with technological advances becoming a priority for the future of the banking sector, it is essential that banks strengthen their digitalisation efforts and ensure prudent management of risks stemming from the adoption of new technologies. While supervised entities are making progress in this area in order to increase their ability to compete successfully in the future, they need to be prepared for new risks stemming from the digitalisation of their operations and services. This will help them to increase the sustainability of their business models and enable them to reap the benefits of innovative technologies.

Against this background, the supervisory priorities for 2025-27 focus on banks’ resilience to immediate macro-financial threats and severe geopolitical shocks (Priority 1), the importance of timely remediation of known material shortcomings (Priority 2) and the need to tackle challenges stemming from digital transformation and new technologies (Priority 3). Each priority targets a specific set of vulnerabilities in the banking sector – referred to as “prioritised vulnerabilities” – for which dedicated strategic objectives have been set and work programmes have been developed. Cross-dependencies between risks are reflected in the design of those work programmes, which aim to strengthen both the efficiency and the effectiveness of supervisors’ engagement with banks. Figure 1 lists five key vulnerabilities in banks and the special focus on geopolitical risks that those three overarching priorities seek to address.

Figure 1

Supervisory priorities for 2025-27, addressing identified vulnerabilities in banks

Source: ECB.
Notes: This figure shows the three supervisory priorities for the period 2025-27 and the corresponding vulnerabilities that banks are expected to address over the next three years. ECB Banking Supervision will carry out targeted activities assessing, monitoring and following up on the vulnerabilities identified. The section on the right-hand side of the figure shows the overarching risk category that is associated with each vulnerability.

The main purpose of ECB Banking Supervision’s strategic planning is to develop a sound strategy for the next three years. The supervisory priorities promote effectiveness and consistency in the planning work of the Joint Supervisory Teams and support the efficient allocation of resources, in line with the corresponding risk tolerance levels. They also help national supervisors to set their own priorities for the supervision of less significant institutions in a proportionate manner. Transparent communication of the priorities clarifies supervisory expectations for banks, enhances the impact that supervision has in terms of further increasing the resilience of the banking sector, and helps to ensure a level playing field.

ECB Banking Supervision will continue to monitor and assess both (i) developments in the risks and vulnerabilities of supervised entities and (ii) the progress that banks make with the implementation of the supervisory priorities. Regular reviews of those strategic priorities will enable ECB Banking Supervision to adjust its focus and activities if required, responding flexibly to changes in the risk landscape.

The following sections provide more details on the outcome of the 2024 risk identification and assessment exercise and set out the supervisory priorities and underlying work programmes for 2025-27. Other regular activities and follow‑up work on past priorities will also be carried out by supervisors as part of their ongoing engagement with banks, complementing the work on the three priorities for 2025-27.

2 Risk assessment and supervisory priorities for 2025-27

2.1 Macroeconomic and operating environment for supervised entities

While real GDP growth in the euro area has gradually started to recover and inflationary pressures have continued to moderate, the short-term outlook for growth remains subdued and subject to considerable geopolitical and policy uncertainty.[2] The moderate pace of economic recovery in the euro area in the course of 2024 was supported mainly by services, while the manufacturing sector remained very weak.[3] While recent indicators suggest a weakening of growth in the short term amid significant uncertainty, real GDP growth is expected to increase over the medium term. The recovery is expected to strengthen on the back of increases in consumers’ real disposable income (which will support private consumption), the strengthening of foreign demand and the fading of the dampening effects of past monetary policy tightening.[4] At the same time, HICP inflation has moderated and is expected to reach its target over the projection horizon. Core inflation is also projected to continue falling, albeit remaining somewhat higher than headline HICP inflation in the short term.

Risks to the growth outlook remain tilted to the downside over the medium‑term horizon given the heightened level of uncertainty. Despite expectations of a return to moderate growth, the likelihood of tail events materialising appears to be higher than it was a year ago, as geopolitical risks have risen.[5] Mounting geopolitical tensions (stemming, for example, from the war in Ukraine and the conflict in the Middle East) and growing deglobalisation trends could push energy prices and freight costs up in the short term and disrupt global trade – which would, in turn, weigh on the growth outlook for the euro area and reignite inflationary pressures.[6] Meanwhile, extreme weather events and the transition to a low-carbon economy could drive up inflation – particularly food price inflation.[7]

Besides their impact on the outlook for growth and inflation more broadly, geopolitical risks and the structural challenges stemming from the climate‑related transition and the digital transformation of the financial system are also expected to have a direct effect on the banking sector. Geopolitical shocks can exacerbate governance, operational and business model risks, particularly through financial sanctions or cyberattacks. Furthermore, there can be material consequences for risk profiles, especially in situations where banks have large direct or indirect balance sheet exposures to counterparties affected by the corresponding risks. At the same time, the relevance of C&E risks for the financial system and the broader economy has grown, helping to shape banks’ operating environments. Given their material exposures to climate-related physical and transition risks, banks need to adjust to the more profound impact of C&E crises, which could potentially lead to a disorderly transition and further increase physical damage.[8] Furthermore, the ongoing technological transformation of the economy requires that banks take proactive steps to speed up their digitalisation efforts, enhance their risk management practices and address growing competition from non-banks.

The benign risk pricing which has prevailed over the past year in financial markets has the potential to result in sudden shifts in market sentiment and reassessments of asset prices triggered by negative surprises. The gradual recovery in economic activity and expectations of monetary policy easing have resulted in a greater appetite for risk, lower risk premiums and several months of relatively subdued equity market volatility. These conditions, along with uncertainty about the future path of growth and inflation in the world’s major economies, could set the stage for abrupt asset price corrections and higher volatility in global financial markets if the macroeconomic outlook worsens or geopolitical shocks materialise.[9] The abrupt and short-lived sell-off that was seen in global financial markets in early August – with negative economic surprises in the United States and concerns around rising interest rates in Japan triggering an abrupt risk-off reaction – illustrates this point.

2.2 Supervisory priorities for 2025-27

Priority 1: Banks should strengthen their ability to withstand immediate macro-financial threats and severe geopolitical shocks

The persistent uncertainty surrounding the macroeconomic outlook and the increasing intensity of geopolitical threats warrant heightened supervisory scrutiny of banks’ ability to withstand any related shocks. Given the persistent downside risks to the outlook for euro area growth and the high levels of uncertainty, it is even more important to account for scenarios other than the baseline and consider different trajectories for economic growth and interest rates. Banks should effectively address shortcomings identified under their credit risk management frameworks, identify any deterioration in asset quality in a timely manner and maintain adequate provisioning levels. Macroeconomic developments can affect the risk of banks’ exposures to non-financial corporations, for example small and medium-sized enterprises (SMEs). Furthermore, they can affect the risks from exposures to non-bank financial institutions, including from spillover effects of shocks to this sector. Therefore, these issues will also remain the focus of future supervisory work.

Owing to their cross-cutting nature, geopolitical risks can result in adverse macro-financial developments and impact the broader operating environment for banks. They can pose direct threats to banks’ operational resilience, especially when they result in increased IT and cybersecurity risks, thus demanding focused supervisory efforts in the coming years to address related deficiencies. Recognising the many different transmission channels for geopolitical risks, supervisors will implement various targeted initiatives to raise awareness and bolster banks' resilience to these shocks. The 2025 EU-wide stress test exercise, which is being coordinated by the European Banking Authority (EBA), is one such initiative.

Prioritised vulnerability: Deficiencies in credit risk management frameworks

Strategic objective: Banks should identify deteriorations in asset quality in a timely manner and translate them into prudent provisions and capital levels. They should step up their efforts to address relevant shortcomings identified by supervisors under previous years’ priorities in a timely and effective manner.

Thus far, European households and firms have shown strong resilience to the changing macroeconomic conditions and the shift towards higher interest rates. Healthy balance sheets and the gradual economic recovery in the euro area are helping to support the outlook for firms, while residential real estate markets are expected to remain resilient, supported by low unemployment, increases in real wages and expectations of further interest rate cuts. Banks’ non-performing loans (NPLs) have, however, started to increase, albeit at a fairly slow pace, with more pronounced developments being observed for portfolios that are more vulnerable to the current macro-financial environment – particularly commercial real estate and SME portfolios. Despite this trend, banks’ coverage ratios have continued to decline, even for riskier segments, driven partly by their continued disposal of legacy NPLs. The slow increases in coverage ratios for new NPLs and underperforming (Stage 2) loans[10] therefore raise concerns that banks’ provisions may not adequately reflect potential emerging risks or the downside risks stemming from the weak economic outlook and the challenging geopolitical environment.

Indeed, supervisory work has highlighted persistent shortcomings in banks’ IFRS 9 frameworks, showing that some banks are still failing to comply with supervisory expectations in this area. Over the past two years, supervisors have conducted two horizontal assessments focusing on banks’ ability to capture emerging risks via their expected credit loss models. These assessments show that banks have made advances when it comes to capturing novel risks, particularly for C&E risks. However, progress with some emerging risks, such as geopolitical risks, has been inadequate.[11] Supervisors have also continued to perform on-site inspections (OSIs) looking at credit risk, making findings in some institutions in relation to matters such as expected credit loss model parameters, staging and provisioning deficits. The 2024 SREP also highlighted persistent deficiencies in areas such as provisioning, loan origination, classification and collateral (re)valuation.[12]

Going forward, ECB Banking Supervision will continue to monitor banks’ ability to identify deteriorations in asset quality in a timely manner and deploy adequate provisioning practices. In this context, supervisors will focus on the use of overlays and coverage of novel risks, including geopolitical risks. In the follow-up phase, supervisors will continue to engage with banks to ensure effective and timely remediation of findings identified in previous supervisory cycles, using all available measures to achieve this objective.[13] In parallel, targeted OSIs will continue to focus on credit provisioning models and policies in SME, retail and commercial real estate portfolios, among others. Supervisors will also assess banks’ early identification and handling of potential borrower distress in vulnerable portfolios, particularly through a targeted review of banks’ SME portfolios.

Main activities as part of the work programme for these supervisory priorities

  • Follow-up phase of the targeted review of IFRS 9 focusing, inter alia, on the use of overlays and coverage of novel risks (including geopolitical risks). Supervisors will monitor banks’ progress with previously identified findings, follow up on their remediation and use escalation measures where necessary.
  • Continuation of credit risk OSIs, focusing on IFRS 9 collective staging and provisioning for corporates/SMEs, retail and commercial real estate portfolios, including collateral valuations.
  • Targeted review of SME portfolios, with a focus on early identification and handling of potential borrower distress, SME models and governance of exposure to SMEs.

Prioritised vulnerability: Deficiencies in operational resilience frameworks as regards IT outsourcing and IT security/cyber risks

Strategic objective: Banks should comply with the legal requirements stemming from the Digital Operational Resilience Act (DORA) as regards ICT risk management, incident reporting, the testing of digital operational resilience and third‑party service providers. They should step up their efforts to address previously identified shortcomings in a timely and effective manner, particularly as regards the management of cybersecurity and outsourcing risks.

Increasing cyber threats and dependence on common third-party service providers continue to pose major challenges to banks. The number of significant cyber incidents reported by supervised entities surged in 2023 and remained at similar levels in the first three quarters of 2024. The ongoing digitalisation of banks’ services and operations and the escalation of geopolitical tensions (which has increased the risk of attacks by state-affiliated groups)[14] have both been key factors in the sharp rise in cyber incidents over the past two decades.[15] Moreover, banks are reporting increased dependence on third-party providers for critical functions, with almost all institutions using cloud services for outsourced critical activities.[16] High levels of concentration in the use of third-party IT providers can further exacerbate contagion and increase the potential systemic impact of cyber incidents.[17]

The unsatisfactory SREP scores for operational risk and the outcomes of supervisory work in the areas of cyber resilience and outsourcing management confirm the deficiencies in banks’ operational frameworks and the need to make progress with their remediation. In the 2024 SREP, operational risk continued to be the area with the worst average score, with ICT-related elements being the main driver.[18] In the area of outsourcing, supervisors have found that more than 10% of contracts covering critical functions are not compliant with the relevant regulations.[19] In this context, banks should assess concentration risks in relation to specific providers, geographical locations (in view of the heightened geopolitical risks) and functionalities and manage those risks accordingly, as well as assessing and managing the risk of potential cascade effects across multiple sectors given the interconnected nature of banking networks.

The 2024 cyber resilience stress test showed that banks do generally have high‑level response and recovery frameworks in place. However, that stress test exercise also revealed key areas where improvement was needed, including business continuity frameworks, incident response planning, back-up security and management of third-party providers.[20] Supervisors will thus follow up on shortcomings related to banks’ ability to recover from a successful cyberattack.[21] Against this background, supervisors will continue with the efforts made in recent years, carrying out targeted reviews and initiatives to assess banks’ operational resilience and their compliance with the corresponding supervisory expectations and regulatory requirements (particularly the requirements under DORA, which will apply as of January 2025).

Main activities as part of the work programme for these supervisory priorities

  • Collection of data on third-party ICT providers to identify links between supervised entities and third-party providers, potential concentration risks, and weaknesses in banks’ outsourcing arrangements
  • Targeted reviews of risk management frameworks for outsourcing risks and of cyber resilience frameworks and risk controls
  • Follow-up work on findings from the cyber resilience stress test
  • Targeted OSIs on operational risk and IT resilience frameworks
  • Implementation of DORA in the supervisory framework

Special focus: Incorporating the management of geopolitical risks in supervisory priorities

The recent escalation of geopolitical tensions requires banks to adopt robust risk management and risk controls and calls for heightened supervisory scrutiny in the short and medium term.

Reflecting the cross-cutting nature of geopolitical risks, banks’ resilience, strategies and risk management will be assessed via a range of activities. First, geopolitical risk is captured by the abovementioned priority activities relating to banks’ management of credit risk and operational risk. Supervisors will also assess the risk management processes and risk appetite frameworks that banks use to monitor and mitigate geopolitical risks. This will be done through targeted benchmarking exercises on risk appetite and risk culture, with a focus on reflecting the implications that geopolitical risks have for banks’ risk identification and risk appetite frameworks. In addition, geopolitical risks will be a key component of the 2025 EU‑wide stress test, which will include exploratory scenario analysis assessing banks’ ability to model counterparty credit risk while under stress.

In order to strengthen their understanding of how banks approach geopolitical risks and further clarify the supervisory expectations in this area, supervisors will review current practices, focusing inter alia on risk management frameworks, capital and liquidity planning, and internal stress testing.

Priority 2: Banks should remedy persistent material shortcomings in an effective and timely manner

The progressive shift in focus from risk identification to risk remediation is an essential feature of the SSM-wide supervisory strategy. Accordingly, banks with unresolved material shortcomings will be asked to step up their efforts to fully comply with supervisory expectations and implement sound remedial action plans in a timely manner. The extensive supervisory work performed in previous years has resulted in the identification of major shortcomings in terms of (i) banks’ business strategies and management of C&E risks and (ii) their RDARR capabilities. Against the background of emerging risks (including geopolitical risks), it is of the utmost importance that banks have adequate and effective RDARR frameworks in place to ensure timely decision-making and effective strategic steering. While ECB Banking Supervision acknowledges that major progress has already been made in this regard, the remediation process is not yet complete and will require follow-up work in forthcoming supervisory cycles.

Prioritised vulnerability: Deficiencies in business strategies and risk management as regards climate-related and environmental risks

Strategic objective: Banks should fully comply with supervisory expectations relating to the management of C&E risks, as well as requirements stemming from the new CRR3/CRD6 banking package (including those related to prudential transition plans), and should address identified shortcomings in a timely manner.

Banks’ ability to adequately manage C&E risks remains high on the supervisory agenda owing to rising physical and transition risks, the fact that banks do not yet fully comply with the associated supervisory expectations, and the new requirements stemming from the entry into force of the new banking package in 2025. The rising physical risks reflect the continuing increase in global temperatures (with 2024 expected to be the warmest year on record) and the fact that numbers of climate-related disasters (such as wildfires and flooding) have surged in recent years. At the same time, slow progress towards achieving net‑zero targets is raising concerns regarding transition risks. A large percentage of global listed companies are not aligned with the pathway to reduce global warming to 2°C or less.[22] Looking at the banking sector, a recent assessment shows that 90% of the banks surveyed are still not aligned with the EU’s climate objectives, exposing them not only to higher levels of credit risk but also, among other things, to legal risks in the absence of further deployment of good practices to address these risks.[23] At the same time, 70% of European banks are exposed to reputational risks owing to the risk of environment-related litigation.[24]

Supervisory assessments show that banks are still in the process of complying with supervisory expectations regarding the management of C&E risks.[25] Most – but not all – of the banks under the ECB’s supervision made significant efforts to advance their materiality assessments by the March 2023 deadline. For those that did not, the ECB moved further up the escalation ladder and issued binding supervisory decisions, with the potential to impose periodic penalty payments if banks failed to comply by the specified deadlines.[26] An assessment in December 2023 – the deadline set for incorporating C&E risks into banks’ governance, strategies and risk management – showed that foundational frameworks for C&E risks were broadly in place, but were missing in a number of banks (where supervisors are now taking follow-up action). At the same time, weaknesses impairing the adequate management of C&E risks remain prevalent. These have been communicated in further feedback letters to banks, and the ECB continues to monitor the relevant institutions’ progress closely. Supervisors will also keep a close eye on banks’ adherence to the final deadline of end-2024 for full compliance with supervisory expectations, including as regards integration into the internal capital adequacy assessment process and stress testing.

Supervisory assessments and OSIs will continue to shed light on the adequacy of banks’ strategies and management of C&E risks, and their compliance with upcoming regulatory changes. The assessment of supervised entities’ Pillar 3 disclosures has highlighted substantial scope for improvement.[27] As banks’ disclosure practices mature, supervisors will continue to review and assess the adequacy of those practices on a regular basis. The forthcoming CRR3/CRD6 banking package will impose stricter disclosure obligations and require banks to develop prudential transition plans to be reviewed by supervisors in accordance with the upcoming EBA guidelines. Furthermore, C&E risks will continue to be assessed through OSIs. These will be performed both on a standalone basis and as part of certain risk-specific inspections, and supervisors will perform deep dives on banks’ ability to address reputational and litigation risks.

Main activities as part of the work programme for these supervisory priorities

  • Monitoring of full alignment with supervisory expectations and implementation of escalation ladder
  • Horizontal assessment of banks’ compliance with Pillar 3 disclosure requirements relating to environmental, social and governance-related (ESG) risks
  • Deep dives on banks’ ability to address reputational and litigation risks associated with C&E-related commitments
  • Review of banks’ transition planning in line with mandates expected from CRD6
  • Targeted OSIs on C&E aspects, either on a standalone basis or as part of planned reviews of individual risks (e.g. credit, operational and business model risks)

Prioritised vulnerability: Deficiencies in risk data aggregation and reporting

Strategic objective: Banks should step up their efforts to remediate long-standing shortcomings in their RDARR frameworks and align their practices with supervisory expectations. If banks fail to meet supervisory expectations, this could trigger escalation measures.

Progress in tackling long-standing deficiencies in RDARR frameworks remains insufficient. A significant number of supervised entities are still not fully complying with supervisory expectations and the Basel Committee on Banking Supervision’s principles for effective risk data aggregation and risk reporting. The 2024 SREP, the targeted review of RDARR capabilities and the on-site campaign have highlighted weaknesses relating to (i) management bodies’ involvement and expertise, (ii) the comprehensiveness of RDARR frameworks, (iii) adequacy of data architecture and IT infrastructure, (iv) complex and fragmented IT systems, and (v) the management of data quality.

In line with last year’s supervisory priorities, ECB Banking Supervision will intensify its efforts to ensure that supervised entities adhere to the supervisory expectations laid down in its “Guide on effective risk data aggregation and risk reporting”. Supervisors will further step up pressure on banks that fail to remedy deficiencies within the deadlines set, making full use of the supervisory escalation toolkit (including sanctions) as appropriate.[28] This remediation strategy will cater for banks’ individual circumstances and will be tailored to the materiality of their unresolved shortcomings, their position in the remediation cycle and their track record in addressing supervisory concerns. Supervisors will also continue their targeted review of RDARR capabilities and perform targeted OSIs, engaging closely with banks when shortcomings are identified.

Main activities as part of the work programme for these supervisory priorities

  • Follow-up work on the targeted review of RDARR practices and adherence to the supervisory expectations set out in the “Guide on effective risk data aggregation and risk reporting”, and remediation of previously identified findings, making full use of available escalation tools where necessary
  • Targeted OSIs looking at overarching governance and IT infrastructure issues, risk data aggregation capabilities and risk reporting practices
  • Management Report on Data Governance and Data Quality – an annual questionnaire aiming to ensure that banks’ management bodies are adequately accountable for internal, financial and supervisory reporting

Priority 3: Banks should strengthen their digitalisation strategies and tackle emerging challenges stemming from the use of new technologies

Banks face many structural and longer-term trends, and digitalisation is one of them. Technological advances are rapidly reshaping many industries, including the banking sector, creating plenty of new business opportunities, but also new challenges and risks for incumbents. Digital transformation has become a priority for many banks in a bid to remain competitive, and it is essential that those banks have adequate safeguards in place to limit potential risks stemming from those new business practices and technologies. In this context, the challenging cyber threat landscape also plays a key role, as progress in the area of digitalisation could undermine banks’ operational resilience. In the long run, digitalisation is expected to strengthen banks’ competitiveness, enhance their business models and make them more resilient to competition from outside the banking sector.

The rapid advances observed in the area of technology – such as the emergence of generative artificial intelligence (AI) – and the strong increases seen in the deployment of such technology in banks (with AI being used, for example, in both prudential and non-prudential settings) call for a structured approach. Banking supervisors need to develop targeted strategies in order to better understand banks’ responses to the structural trends shaping the future of their sector, such as digital platforms, strategic partnerships and the use of AI. Therefore, the ECB promotes adequate management of the risks associated with digitalisation and the adoption of industry best practices.

Prioritised vulnerability: Deficiencies in digital transformation strategies

Strategic objective: Banks should strengthen their digitalisation strategies and the related execution plans in order to properly mitigate the underlying risks, including risks stemming from the use of new/advanced technologies such as cloud services and AI.

Supervised entities have benefited from record high profitability levels, driven primarily by the shift from a low interest rate environment to positive interest rates, which has boosted net interest margins. Banks have leveraged higher incomes while managing to limit cost increases, thereby improving cost efficiency (as reflected in the recent decline in the cost-to-income ratio). Nevertheless, these improvements are largely linked to exogenous factors related to the macro-financial environment in which banks operate, while structural challenges relating to banks’ business models persist. Against this background, supervised entities may be encouraged to leverage these windfall profits to further advance their digitalisation and step up their operational resilience framework.

In recent years, ECB Banking Supervision has prioritised the assessment of risks relating to the digitalisation of the banking sector. Supervisory activities such as market intelligence, targeted reviews and OSIs have allowed it to take stock of banks’ good practices and identify important aspects for a sustainable, well-governed and risk‑aware steering of banks’ digitalisation. In July 2024, ECB Banking Supervision published a report on key assessment criteria and good practices in the area of digitalisation,[29] giving supervisors the foundations they need to establish a holistic assessment framework for digitalisation. Going forward, ECB Banking Supervision will continue its efforts in this area, conducting targeted OSIs and reviews focusing on key technologies, use cases and business lines with the aim of further deepening its understanding and continuing to refine its supervisory approach. Supervisors will engage with banks in order to follow up on their findings, following a clearly established escalation approach.

Main activities as part of the work programme for these supervisory priorities

  • Targeted activities focusing on the impact that banks’ digital activities have on their business models/strategies and the risks stemming from the use of innovative technologies
  • Targeted OSIs on digital transformation, looking at both IT-related and business model-related aspects of banks’ strategies

2.3 Further supervisory activities and follow-up work on past priorities

In addition to the supervisory priorities that have been outlined for 2025-27, ECB Banking Supervision will continue to conduct other regular and ad hoc activities.

Follow-up remediation activities performed as part of regular supervisory work

With extensive supervisory reviews having been carried out in previous years, some past priorities have now reached a mature stage where the supervisory focus shifts from the identification of key vulnerabilities to actual remediation of the corresponding findings. This section looks at the progress that has been achieved over the past few years and highlights areas where attention is still required, which will be followed up on via regular supervisory activities.

Over the past three years, supervisors have focused on banks’ credit risk management frameworks. Particular emphasis has been placed on the resilience of portfolios that are more sensitive to the macro-financial situation and/or exposed to refinancing risk, such as residential and commercial real estate portfolios. As a result, banks have improved their ability to deal with a potential surge in the numbers of distressed debtors in real estate portfolios. However, some banks still have more work to do in order, for instance, to fully comply with the EBA guidelines on loan origination and monitoring, take adequate account of borrowers’ refinancing risks and update collateral valuations in a timely manner. Moreover, supervisors have continued to perform reviews of internal models, resulting in a large stock of findings and measures related to internal ratings-based models.

The targeted review of counterparty credit risk management that was carried out in 2022 and the various OSIs that have been conducted in the last few years have identified material vulnerabilities in banks’ risk management practices (stress testing, default management process and documentation, etc.). Following that targeted review, the banks in question have presented targeted action plans with a deadline of end-2025 for final remediation. In addition, in October 2023, the ECB published guidance on sound practices in counterparty credit risk governance and management.[30]

Substantial supervisory work has also been undertaken in 2024 to tackle shortcomings in asset and liability management (ALM) frameworks. Targeted reviews have been carried out looking at liquidity contingency planning and collateral optimisation capabilities, the feasibility of funding plans, ALM governance and strategies, and interest rate and credit spread risks. These have led to the identification of deficiencies among others in (i) the assessment of collateral and monetisation (unknown central bank eligibility of collateral, overly optimistic time to liquidity, etc.); (ii) assumptions used in modelling projections for deposits (overly optimistic future deposit growth, reliance on simplistic modelling assumptions, etc.); (iii) ALM models’ back-testing, validation and recalibration processes; and (iv) general ALM governance frameworks (data governance, adaptability of information systems, calibration of limits in risk appetite statements, etc.).

Tackling deficiencies in the functioning of banks’ management bodies has been a supervisory priority since 2020. Supervisory activities (which have included targeted reviews of management bodies’ effectiveness and diversity, OSIs and annual data collection exercises) have uncovered key weaknesses and mapped the progress made in addressing them. Despite some progress in the area of diversity, some banks still show weaknesses when it comes to collective suitability (including as regards IT expertise and board independence), succession planning, and the functioning and composition of committees. Insights from this analysis have informed the update to the ECB’s “Guide on governance and risk culture”, which is due to be published in early 2025 and outlines supervisory expectations for banks.

Going forward, supervisors will focus on consolidating and remediating existing findings in the above areas, with a view to ensuring full compliance with supervisory and regulatory expectations. Supervisors will follow up on the outcomes of supervisory activities and engage with relevant banks on an individual basis in order to address outstanding issues (especially long-standing issues). If remediation efforts are not timely or sufficient, supervisors may employ escalation strategies, making full use of the supervisory toolkit available to them if need be.

European Central Bank, 2024

Postal address 60640 Frankfurt am Main, Germany
Telephone +49 69 1344 0
Website www.bankingsupervision.europa.eu

All rights reserved. Reproduction for educational and non-commercial purposes is permitted provided that the source is acknowledged.

For specific terminology please refer to the SSM glossary (available in English only).

PDF ISBN 978-92-899-6908-6 ISSN 2599-8420 doi:10.2866/7431137 QB-01-24-029-EN-N
HTML ISBN 978-92-899-6907-9 ISSN 2599-8420 doi:10.2866/1264891 QB-01-24-029-EN-Q

  1. See Aggregated results of the 2024 SREP, ECB, December 2024.

  2. See “Eurosystem staff macroeconomic projections for the euro area”, ECB, December 2024.

  3. See “Eurosystem staff macroeconomic projections for the euro area”, ECB, December 2024.

  4. See “Eurosystem staff macroeconomic projections for the euro area”, ECB, December 2024.

  5. See Financial Stability Review, ECB, November 2024.

  6. See the ECB’s monetary policy statement of 12 December 2024.

  7. See Economic Bulletin, Issue 7, ECB, 2024.

  8. See “Sustainable finance: from ‘eureka!’ to action”, keynote speech by Frank Elderson at the Sustainable Finance Lab Symposium on Finance in Transition, 4 October 2024.

  9. See Financial Stability Review, ECB, November 2024.

  10. See “Same same but different: credit risk provisioning under IFRS 9”, Working Paper Series, No 2841, ECB, 2023.

  11. See “IFRS 9 overlays and model improvements for novel risks”, ECB, July 2024.

  12. See “Aggregated results of the 2024 SREP”, ECB, December 2024.

  13. See also Section 2.3 for information on other planned and ongoing supervisory activities in relation to credit risk.

  14. See Anneli Tuominen’s interview with Börsen-Zeitung on 21 November 2023.

  15. See Global Financial Stability Report, IMF, April 2024.

  16. See “Rise in outsourcing calls for attention”, Supervision Newsletter, ECB, February 2024.

  17. See Global Financial Stability Report, IMF, April 2024.

  18. See “Aggregated results of the 2024 SREP”, ECB, December 2024.

  19. See “Rise in outsourcing calls for attention”, Supervision Newsletter, ECB, February 2024.

  20. See “Global rifts and financial shifts: supervising banks in an era of geopolitical instability”, keynote speech by Claudia Buch at the eighth ESRB annual conference on “New Frontiers in Macroprudential Policy”, 26 September 2024.

  21. See “ECB concludes cyber resilience stress test”, press release, ECB, 26 July 2024.

  22. See the MSCI Sustainability Institute’s Net-Zero Tracker.

  23. See Risks from misalignment of banks’ financing with the EU climate objectives, ECB, January 2024.

  24. See “‘Failing to plan is planning to fail’ – why transition planning is essential for banks”, The Supervision Blog, ECB, 23 January 2024.

  25. As set out in the ECB’s 2020 “Guide on climate-related and environmental risks”.

  26. See also “You have to know your risks to manage them – banks’ materiality assessments as a crucial precondition for managing climate and environmental risks”, The Supervision Blog, ECB, 8 May 2024, and “Nature-related risk: legal implications for central banks, supervisors and financial institutions”, keynote speech by Frank Elderson at the ESCB Legal Conference 2024, 6 September 2024.

  27. See “ESG data quality: Pillar 3 disclosures in focus”, Supervision Newsletter, ECB, February 2024.

  28. See “Risk data aggregation and risk reporting: ramping up supervisory effectiveness”, The Supervision Blog, ECB, 15 March 2024.

  29. See “Digitalisation: key assessment criteria and collection of sound practices”, ECB, 2024.

  30. See “Sound practices in counterparty credit risk governance and management”, ECB, October 2023.

Related topics

Disclaimer
Please note that related topic tags are currently available for selected content only.

Sceithireacht