Response to consultation on revised Guidelines for common procedures and methodologies for the supervisory review and evaluation process (SREP) and supervisory stress testing

Q1. What are the respondents’ views on the overall amendments and clarifications made to the revised guidelines (across Titles 2 – 12)?

We believe these changes head in a positive direction, but several issues remain. At a time when the EU is focused on simplification, the GLs have not gone sufficiently far in the simplification effort. Repetition in the draft SREP GLs of requirements that are embedded in a large number of other guidelines both complicates compliance efforts and raises the risk of emerging disconnects between the underlying GLs and the elements repeated in the SREP guidelines. While the format of the guidelines has been modified to streamline processes, it falls short of industry expectations for simplification efforts focused on prioritising risk management. 

Further clarifications in some areas, such as proportionality, Environment, Social and Governance (ESG) integration, SREP/Digital Operational Resilience Act (DORA) articulation, the evaluation of international subsidiaries, and the operationalisation of the output floor, would be welcomed. Detailed comments can be found in the relevant sections of this consultation response. 

Moreover, there are several instances where the new wording may be unhelpfully vague. For example, in paragraph 29 (page 32), it is stated that “the risk scores aim to capture the likelihood that the risks to capital, liquidity and funding will have a significant impact on the institution.” It is unclear what determines whether an impact is significant. Given the link to the risk scores, we deem it essential that there be transparency and clarity as to what renders an impact significant.

Regarding the implementation date of the revised GLs (1 January 2027), we note that the EBA encourages competent authorities (CAs) to take revised guidance into account, and where possible, to introduce its elements at an earlier stage. We ask for clarification that this should be subsequent to the publication of the final version of the GLs.

In addition, while the added value of supervisory judgement - which grants flexibility in the activities of the supervisor - is understood, the current GLs attribute a level of supervisory judgement to CAs which risks compromising comparability and a level playing field. This is combined with a lack of a clear underlying methodology which adds subjective valuation criteria to an undisclosed calculation framework, thereby jeopardising the overall accountability of supervisory outcomes. Some examples throughout the GLs are:

  • Paragraph 34 states that “when assessing risks to capital, CAs should also consider relevant subcategories, e.g. concentration risk or country risk as part of the credit and counterparty risk assessment, as set out in Title 6. Depending on the materiality of any of these subcategories to a particular institution, CAs may decide to assess and score them individually.” 

In order to have reliable, predictable, comparable and understandable scoring, clear drivers should be shared with institutions. This is especially relevant because the outcome of such judgement does not only impact scores but also the Pillar 2 Requirement (P2R) calculation as a consequence.

  • Paragraph 35 adds that “CAs may use different methods to apply the risk scores, they could score ‘risk’ and ‘risk management and controls’ separately (resulting in an intermediate and final score) or score them together. CAs may also aggregate all the risks to capital into an aggregate score.”

This leaves large discretion to CAs in terms of the method to apply. Criteria should be determined for the sake of clarity and transparency in the methodology applied.

  • Paragraph 115 states that “the title also identifies a set of subcategories within each risk category above, which need to be taken into account when risks to capital are assessed. Depending on the materiality of any of these subcategories to a particular institution, they can be assessed and scored individually. Annexes I-IV present non-exhaustive lists of sub-categories for credit risk, market risk, operational risk and Interest Rate Risk in the Banking Book (IRRBB) that CAs should consider, when relevant,” while paragraph 116 states that “The decision on materiality depends on the supervisory judgement […].”

Even in this case, supervisory judgement should be linked to clear drivers, publicly shared with institutions, which are at least commensurate to the category an institution falls into.

  • Paragraph 124 states that “when performing their assessments, CAs should use all available information sources, including regulatory reporting, ad hoc reporting agreed with the institution […].” 

    Ad hoc reporting agreed with an institution opens the way to subjectivity, which consequently leads to an unlevel playing field. Moreover, given that the reports are mainly used for benchmarking amongst peers, these shouldn't, in principle, be bilateral but rather be homogeneous per cluster of peers. We recommend not including this practice in the assessments.

  • Paragraph 306 states that “the Internal Capital Adequacy Assessment Principles (ICAAP) and outcomes of its assessment should be taken into account by CAs as one of the key inputs for the identification and assessment of risks relevant for the institution. The determination of the amount of capital considered adequate and P2R on a risk-by-risk basis should take into account the ICAAP calculations if deemed reliable or partially reliable, as well as the outcomes of supervisory benchmarking and other relevant inputs as appropriate, including the supervisory judgement.” 

    Similarly to what is highlighted above, supervisory discretion also applies in the risk-by-risk evaluation, which means that authorities may rely less on the ICAAP. Since ICAAP calculations are performed by the bank and follow defined methodologies, reduced reliance on them introduces greater uncertainty and potentially less consistency across institutions regarding the determination of the amount of capital considered adequate and the P2R, particularly when benchmarking exercises are run between peers and comparability criteria are not disclosed to banks.

Moreover, we welcome the mechanism outlined in paragraph 80, which integrates the assessment of an institution’s ability to effectively and timely remedy supervisory concerns into the broader evaluation of internal governance and institution-wide controls, including through an analysis of the institution’s track record in addressing identified deficiencies. For such an assessment to be predictable and robust, it is essential that the deficiencies identified and/or supervisory concerns expressed by CAs to be considered “in scope” are clearly and objectively identifiable on the basis of a predefined supervisory taxonomy shared with the industry.

As a consequence, only deficiencies and supervisory concerns “in scope” that are traceable and monitorable over time through a shared supervisory tool or platform should be included in the overall assessment referred to in paragraph 80.

Additionally, it should be mandatory for authorities to disclose the SREP scores for relevant elements or sub-elements. With reference to paragraph 39 (page 16), we suggest the following amendment: 

“The GLs also reinforce transparency and communication regarding SREP outcomes. All relevant expectations for CAs regarding the communication related to the SREP have been now rationalised and grouped into a single Title. These expectations include, beyond the indication of material risk drivers supporting any additional own funds requirement (P2R and P2R-Leverage Ratio (LR)) that should be duly justified to institutions, a description of the overall outcome of the SREP, including a summary of the assessment and the overall SREP score. Furthermore, in line with the principle of risk-based supervision, where appropriate and depending on the specific remedial action required, competent authorities shall disclose to institutions the SREP scores for relevant elements or sub-elements.”

Clearer methodology would be needed also in the determination of risk scores, and in particular in relation to inherent risk and adequate management and controls (ref. para 6.2.4). More precisely, the GLs do not contemplate circumstances where inherent risk is high while management and controls are adequate or vice versa. It is unclear how scoring is determined in these particular cases.

Additionally, the consultation paper on the SREP GLs already acknowledges that both the EBA GLs on internal governance and the Joint European Securities and Markets Authority (ESMA) and EBA GLs on the assessment of the suitability of members of the management body and key function holders are under review. The contents of certain paragraphs of the SREP EBA GLs may be dependent on the final text of the GLs on internal governance and of the said Joint ESMA Guidelines on the assessment of suitability. Therefore, to achieve a consistent review of the SREP GLs, it is essential to be aware beforehand of the final text of the EBA GLs on internal governance and of the said Joint ESMA Guidelines on the assessment of suitability.

Alternatively, the SREP GLs should introduce a clear mechanism whereby the assessment on internal governance under the SREP GLs and its interpretation will be based on the final version of the EBA GLs on internal governance EBA/GL/2021/05 and of the Joint ESMA and EBA GLs on the assessment of the suitability of members of the management body and key function holders EBA/GL/2021/06.

 

Q2. What are the respondents’ views on the integration of ESG risks and factors across the existing SREP elements in the revised guidelines?

We welcome the proposed phased approach on social and governance risk as outlined in paragraph 42. However, we believe that a progressive implementation is also necessary for nature-related factors given the lack of maturity of the methodologies and data. 

We propose the following reformulation of paragraph 42, to clarify the EBA’s intent of prioritising environmental before social and governance risks, and climate before other environmental risks: 

This approach enables competent authorities to assess the prudential impact of ESG risks within the established SREP framework, including in the assessment of the business model, the assessment of internal governance and institution-wide controls and risks to capital, liquidity and funding. At the same time, the guidelines acknowledge that competent authorities should adopt a gradual approach to the assessment of ESG risks, initially prioritizing environmental risks over social and governance risks [unless specifically justified by their materiality], recognizing the greater capacity to quantify climate-related risks compared to other types of environmental risks, while progressively enhancing supervisory practices as data availability, methodologies and analytical tools evolve, including on nature, social and governance risk.

Additionally, the current drafting uses the terms “climate and environmental risk” (C&E), “environmental risk” and “ESG” interchangeably without a clear justification as to why different terms have been used in each instance. Reflecting the focus on C&E risks above, we would support aligning the wording to climate and environmental risk throughout the document.

As a broad point, the time horizons considered for C&E risks, particularly any projections out to 10 years, include significant amounts of uncertainty. There should be no direct capital determinations made from these projections. 

It is also notable that in the scoring tables, ESG is a separate bullet point throughout the document, while other cross-cutting factors are not. This may indicate an excessive focus on ESG risk, which may be disproportionate for those institutions less exposed to C&E risk.

  • Paragraph 71.h. includes as a supervisory measure the CA requiring institutions to adjust their business strategy to address ESG risks. Given the nascent nature of the prudential transition plans (PTPs), requiring firms to adjust their strategies on the basis of an assessment of a firm’s PTP may be premature, and could have significant negative impacts both on firms’ abilities to set their own strategies, and on the quality of those strategies.
  • Furthermore, there is a clear delineation in both the level 1 (L1) legislation and the underlying EBA GLs between the PTP required under the Capital Requirements Directive (CRD) Article 76(2), and broader transition plans. It is important that the Guidelines are clear to CAs that the PTPs do not require the institution to be aligned to either EU or Member State transition objectives or trajectories, to avoid the supervision under the SREP Guidelines leading to divergence between Member States / CAs.

Q3. What are the respondents’ views on the enhanced simplification and proportionality aspects?

As referenced in the introduction, the simplification effort described could be more ambitious, not only focusing on removal of outdated references, combining GLs into a single one and incorporating new aspects to existing SREP elements. Instead of resource-intensive, overly technical and uniform approaches, the GLs should put more emphasis on institution-specific, risk-based assessments that take into account the business model of the institution rather than strict benchmarking-based assessments with implied automaticity in terms of further steps and escalation. 

The GLs should also address issues related to continuous supervision, such as reducing the operative burden related to the intense scrutiny on internal models and their up-to-datedness and scope, as well as the related portfolios. This could be carried out already as part of this review, as there is nothing in the L1 text that would prevent more extensive changes.

Also, supporting yearly Supervisory Examination Programmes (SEP) with prior impact assessment of their feasibility for both Supervised Entities and CAs would allow orderly execution of activities on both sides, easing accurate supervisory conclusions.

As regards proportionality, we welcome the EBA’s increased emphasis on the application of the proportionality principle. However, we note that the bundling does not reduce administrative burden, and the proposed streamlining mainly relates to removing outdated text rather than to reducing supervisory activity. 

It is difficult to identify the reflection of the following statement within the GLs: 

The minimum supervisory engagement model has been revised to allow for a lighter assessment of SREP elements or risk areas that are considered immaterial or unchanged since the last assessment.

Furthermore, it would indeed be important that banks are informed of which category (from 1 to 4) they have been assigned by the CA. The category assigned affects the supervisory process; therefore, predictability in this regard would reduce the operational burden on banks. In addition, we deem that it would be beneficial to include further clarity regarding the criteria and methodological considerations that determine which category an institution falls into.

Members observe that the approach to proportionality seems to only apply to a subset of category 4 institutions, and relies predominantly on reduced frequency of assessments. While paragraph 2.4 rightly clarifies that proportionality should also apply to the level of detail and scope, this perspective is only partially reflected in the remainder of the draft GLs. 

Later in the document, proportionality is mentioned only briefly in a few instances (paragraphs 77, 165, 288, 408 and 473) and/or referenced via section 2.4. However, there are no concrete proposals for how proportionality can be operationalised in practice, beyond the aspect of frequency. For example, the GLs should address the question of how proportionality should be applied in groups with different risk profiles between subsidiaries and parent entities.

As a result, the intended purpose is overshadowed by numerous, highly detailed lists of elements that CAs are expected to assess. 

In addition, further clarification is needed on several questions: 

  • What is considered a poor SREP score?
  • What is the threshold to determine whether the risk profile has materially changed (paragraph 44)?
  • For Category 1 institutions, can the assessment of a risk area (SREP sub-score) rely on an evaluation conducted two years prior—meaning that the current assessment is based on the previous year’s evaluation for two consecutive years?

Moreover, with reference to paragraphs 27 and 46, we deem it useful that there be a further harmonisation of assessment methodologies (i.e., underlying the assessment of SREP elements which are then reflected in the scoring system and in the consequent quantitative and qualitative measures). More precisely, there is a need for a stronger role of the Supervisory College in harmonising assessment methodologies across banks in different jurisdictions. Currently, methodologies differ, with reference to both Single Supervisory Mechanism (SSM) and extra-SSM subsidiaries (but particularly the latter), and cross-border groups experience varying approaches applied to their subsidiaries. The European Central Bank (ECB) could play a central role in a dialogue aimed at fostering harmonisation, and use this opportunity to consider a more impactful simplification impulse, as is observed in other jurisdictions such as the United States.

Q4. What are the respondents’ views on the introduction of a high-level escalation framework?

The formalisation of the escalation framework is appreciated, particularly the structured articulation of supervisory responses. However, there is a concern that the framework significantly expands supervisory discretion and could reduce the predictability for institutions. 

The introduction of a more flexible, judgment-based escalation framework has the potential to improve supervisory effectiveness, but its success will depend heavily on supervisory culture. Because escalation decisions increasingly rely on qualitative assessments and the identification of “root causes,” a high degree of trust and open dialogue between supervisors and institutions is essential. Without this, there is a risk that discretion translates into inconsistent expectations or unnecessary escalation. To realise the intended benefits, the framework should be applied in a manner that is outcomes-focused and proportionate, avoiding box-ticking approaches and ensuring that interventions target genuinely material issues.

To this end, the framework could be further improved by introducing a scale that clearly defines the criteria for moving from one action to the next within the escalation ladder, as the absence of these criteria makes it difficult for firms to anticipate supervisory expectations. More precisely, clarity is needed regarding the interaction between the actions identified in paragraph 21 and the considerations listed in paragraph 22, which said actions depend on. Although the discretion left to the supervisor is understandable for the sake of flexibility based on specific cases, it is fundamental that the underlying drivers determining the Supervisor’s decision be clarified within the GLs. There should also be acknowledgement of institutions’ history of remediation when evaluating the necessity for escalation. 

From a practical perspective, an increase in supervisory judgement would be welcomed, provided there is an assurance of equal treatment across the industry rather than a unilateral application of benchmarking against an idealised standard. However, the proposed configuration does not appear to be aligned with the direction outlined in the report “Assessment of the European Central Bank’s Supervisory Review and Evaluation Process – Report by the Expert Group to the Chair of the Supervisory Board of the ECB”, which points to the need to address the use of all the instruments in the supervisory toolbox to limit the application of capital add-ons. Thus, it excludes the application of certain measures in addition to existing Pillar 2 requirements, potentially resulting in cumulative supervisory effects for institutions. Ensuring a clear distinction and a coherent interaction between escalation measures and capital-based requirements is therefore essential to preserve the consistency of the SREP framework and to avoid unintended double counting.

If defining clear criteria is not feasible, providing illustrative examples would be highly beneficial. Moreover, another concern relates to the circumstance where different supervisory teams (e.g. Joint Supervisory Teams (JSTs), On-site Inspections (OSIs), horizontal teams) investigate the same or overlapping topics. It is fundamental that decisions regarding such topics are centralised to avoid multiple supervisory actions for the same issue. 

In addition, Paragraph 22 does not indicate that ECB priorities are a factor in selecting the appropriate measure. However, we have observed, for instance in the context of ESG, that escalation occurred and progressed rapidly up the ladder, partly because it was aligned with supervisory priorities.

It should be further clarified whether this escalation framework also applies outside the SREP context. In other words, can escalation occur on a specific topic (for example, when an OSI results in a decision letter instead of a follow-up letter) without being listed as a requirement within the SREP? If so, why keep it in this guideline? We would appreciate an incentive for European regulatory authorities to provide the banking industry with a similar escalation ladder, which is currently too limited and too ineffective [Administrative Board of Review (ABOR) and Court of Justice of the European Union].

We encourage a more structured, transparent and predictable use of supervisory measures, including a clearer articulation of escalation mechanisms and their role within the overall SREP framework. The current design of the escalation framework risks moving in the opposite direction, by increasing subjectivity and reducing the clarity of supervisory communication to institutions. Finally, more clarity is necessary on the ways in which this framework aligns with existing governance and remediation practices.

Q5. Do you consider the coverage and level of detail of this Title appropriate for its intended purpose?

This section bears similarities with the 2022 guidelines. The new version includes a broader set of indicators in paragraph 54a without explicitly detailing the specific metrics to be used, including internal governance and controls, business model analysis, risk of excessive leverage, and newer regulation references (EU 2022/2554), while the old version focuses on core prudential indicators. 

The criteria for what constitutes a 'material change' and an 'anomaly' should be clearly defined to ensure consistency and maintain a level playing field. The industry notes that strict definitions of criteria by the EBA lead to stricter ECB assessment of banks’ activities. This has led to more mechanical rather than risk-based inspections (such as the ICAAP guide and ECB guides on governance and risk culture), which contradicts the objectives of the revised GLs. 

In general, “key risk indicators” should be clearly defined and shared with institutions given the relevance of such indicators and the usefulness in orienting institutions’ actions in the direction desired by competent authorities. Additionally, the GLs would benefit from being more prescriptive by defining monitoring systems with a minimum set of indicators and thresholds tailored to each category of institution (1 to 4). The level of detail could be further increased by sharing the set of indicators or examples of indicators to be monitored for each category of institution (1 to 4), thereby improving clarity, ensuring consistency and supporting a level playing field.

The scoring should be holistic and risk-based, ensuring that no single consideration or risk indicator disproportionately influences the outcome unless it fundamentally undermines the effectiveness of the element as a whole.

CAs should regularly revisit and back test the relevance of the selected key risk indicators or combination of those and benchmarks, especially if they are used to determine risk level scores. There should be a feedback loop from cases when the indicator has not been relevant for specific situations or business models to ensure adequate monitoring and SREP assessment methodologies.

Q6. Do you consider the coverage and level of detail of this Title appropriate for its intended purpose?

We consider the coverage and level of detail of the proposed design to be appropriate in principle, particularly in the context of risk-oriented supervision. The focus on materiality is welcomed. This supports targeted and efficient supervisory practice. The option of using previous year's assessments, provided that no significant changes have occurred, is sensible and helps to reduce the burden on institutions.

The focus on materiality and efficiency should be further strengthened through targeted adjustments to the text. These include defining material assessment areas, deleting or clarifying unclear terms and redundancies, and providing specific guidelines on the use of results from previous audits, provided there are no material changes, and on the use of financial reporting as a basis, provided that information can be derived from it. 

Concrete proposals on amendments to the wording of the text follow. Please refer to the attached pdf for further details (i.e. strikethrough of text). 

Par 60

This paragraph suggests that competent authorities conduct the Business Model Assessment (BMA) by using “recovery plans” (e) and “resolution plans, including the work and outcome of resolvability assessment” (f) as a source of information. The industry would welcome clarifications on how the work in Recovery and Resolution planning could impact the BMA.

Indeed, the BMA is meant to provide understanding of the institutions’ operations in current and forward-looking perspectives and not in the very specific context of Recovery or Resolution planning, both of which address crises of extreme severity, justifying the implementation of measures impacting the BM if ever occurring.

Whereas the recovery scenarios are designed based on the institutions’ business model and could highlight their potential vulnerabilities or weaknesses, the recovery plan is meant to demonstrate the ability of a bank to overcome such crises even if it affects their BM. Accordingly, it may not be a perfect angle to assess the BM itself, but rather the resilience it allows.

For its part, the approach in Resolution Planning is scenario-agnostic: resolution plans are prepared and defined by the resolution authorities without any apparent link to the BM and, in our view, the resolvability assessment does not bring any added value to the BMA.

Finally, the resolvability assessment is expected to impact the Minimum Requirement for Own Funds and Eligible Liabilities (MREL) or subordinated MREL calibration and not the P2R / P2G capital stack, which would introduce a clear double counting and have snowball effects due to the way MREL objectives are set. Hence, we strongly advise against such a proposal.

Par 61

A definition of the most material assessment areas should be included:

“In accordance with the engagement model set out in Title 2, competent authorities should focus their analysis on the most material assessment areas for the business model of the institution. Most material assessment areas include business lines with a significant contribution to the institution's operations and key for the institution in terms of generating profits (or losses). The scope and depth of the BMA may be differentiated depending on the number and nature of supervisory reviews already performed on that institution. This assessment should in any case allow competent authorities to form a view on the overall institution’s business model viability and sustainability”

Par 61

In the absence of any material changes the prior assessment should be used as the baseline:

"In forming such a view, competent authorities should in particular consider whether there have been relevant changes in the following areas of the institution:

a. the previously communicated and assessed strategic plan; [...]

c. governance and operations, including acquisition or merger of other entities, the opening of new business lines, and changes to IT infrastructure.

In the absence of any material changes, the prior supervisory assessment will be used as the baseline for the BMA"

Par 62

The wording on changes in the business in comparison to the prior supervisory review should also make reference to divestment or exit of existing business:

"Competent authorities should form a view on the materiality of the changes to the institution’s business model compared to prior supervisory review, in order to decide the scope and depth of their assessment [...]

b. the structure and composition of the balance sheet, including changes in sources of profit and their concentration, asset growth, changes in the liabilities structure, or shift in the relevant financial and risk indicators, also considering the results of the indicator monitoring outlined in Title 3; and

c. governance and operations, including acquisition or merger or divestment of other entities, the opening of new business lines / geographies or the exit of existing business lines and changes to IT infrastructure"

Par 63

The wording is too unspecific with regard to the definition of "peers." We would like the EBA to explicitly include third-country groups active in EU/EEA and relevant peers in countries outside the EU/EEA where the supervised institution operates:

"Competent authorities should carry out a materiality assessment of the institution’s business lines to determine the key areas for the BMA to focus on. When performing this assessment, competent authorities should take into account: [...] peer comparisons – whether a business line has performed atypically (been an outlier) compared to peers, where such information is available to competent authorities. To identify relevant peers for the BMA, competent authority should consider the rival product/business lines targeting the same source of profits/customers, also including third-country groups active in the EU/EEA and relevant peers in countries outside the EU/EEA where the supervised institution operates."

Par 63

The assessment of the business lines should be in line with the current external reporting of segments and geographies by the institution:

"Competent authorities should carry out a materiality assessment of the institution’s business lines to determine the key areas for the BMA to focus on. When performing this assessment, competent authorities should take into account: [...]

a. the relevance of the business lines in line with current external reporting of segments and geographies by the institution. The relevance will be assessed in terms of generating profits/ losses, including the segments and geographies, subsidiaries/branches and product lines that are most material based on their contribution to the overall revenues/costs in the P&L, risk (e.g. based on TREA or other measures of risk) and/or organisational/statutory priorities (e.g. specific obligations for public sector banks to offer specific products);"

Par 65

The reference to competitive landscape should be removed, as this is highly qualitative, open-ended and judgement-driven:

"Competent authorities should perform an analysis of qualitative features of the institution’s current business model to understand its success drivers and key dependencies. Areas for analysis by competent authorities should include: [...]

a. business environment, by assessing the forward-looking environment in which the institution operates based on its main or material geographic and business exposures. As part of this assessment, competent authorities should develop an understanding of the key macroeconomic variables, market trends, and other relevant developments (such as regulatory and legal changes);"

Par 65

The reference to competitive advantage should be removed as this is highly qualitative, open-ended and judgement-driven. The focus should be on fact-based and measurable characteristics that measure the strength of the business, as stated in 64:

"Competent authorities should perform an analysis of qualitative features of the institution’s current business model to understand its success drivers and key dependencies. Areas for analysis by competent authorities should include: [...]

c. franchise and areas of competitive advantage, by assessing reputation of the institution and the strength of relationships with customers, suppliers and partners, as well as whether there are areas in which the institution has a competitive advantage over its peers; and"

Par 66

The reference to management track record should be removed as it is back dated and unduly penalises institutions despite change in management:

"Competent authorities should complement the analysis by carrying out a forward-looking analysis (both quantitative and qualitative) of the institution’s financial projections and strategic plan to understand the underlying assumptions and dependencies, plausibility and riskiness of its business strategy. Areas for analysis by competent authorities should include: [...]

c. execution capabilities, by assessing management’s track record on delivering previous strategies and forecasts, as well as the overall ability of the institution to make use of its positioning competitive advantages and success drivers in carrying out its business and to generate returns in an effective way.[...]"

Par 67/68

References to crypto-asset activities in the BMA section should be removed as details on crypto-assets are covered in the risks section later (operational risk (6.4; paragraph 200) and liquidity risk (8.2; paragraph 379)) and as it singles out a single product whereas institutions have multiple other products:

“In the analysis, competent authorities should consider any indications that the business model and activities give rise to increased ML/TF risks, including crypto-asset activities or deposit taking or establishment or use of legal entities in high-risk third countries, as identified in [...]”

And:

"Competent authorities should assess the resilience of the institution’s business model to external shocks and its adaptability to structural changes in terms of its capacity to absorb them and adapt to exogenous factors that could threaten business and strategic objectives. Areas for analysis by competent authorities should include: […]

e. crypto-asset activities, if applicable, by assessing the institution’s exposures to crypto-assets or the provision of crypto-asset services and any other activities related to crypto-assets, considering the related evolving risks"

Par 68:

The reference to "plausibility of the strategic and financial plan" should be removed given this is highly judgment driven:

"Based on the performed analysis, competent authorities should form, or update, their view on the following elements:

c. sustainability of the institution’s strategy, as defined in paragraph 56, based on the plausibility of its strategic plan and financial forecasts and given the supervisory assessment of the projected financial performance"

68 point D 

We propose to refer to “geopolitical risks” instead of “events.”

Par 69c

The time horizon for the viability of the institution to be assessed is – according to the possible horizons of ESG risks materializing – 10 years and longer. Notwithstanding that such time horizons may be necessary to incorporate ESG risks properly into the risk management framework, planning and analysing business models for such horizons is not sensibly feasible.

Par 71 table 3 (points D and H) 

The business model and strategies are the responsibility of the institution and its management body. The supervisory authority may only issue specific requirements in exceptional cases, although this is not clear from the wording. The table should therefore be omitted. A general reference to the supervisory powers under Article 104 CRD would be sufficient.

Q7. What are the respondents’ views on the updated section 5.7 “ICT systems, risk data aggregation and risk reporting”?

The integration of DORA requirements and the enhanced assessment of Information and Communication Technology (ICT) systems are appropriate (paragraphs 102-104, 216-235, 199, 244-245). However, we suggest:

  • Harmonization of information/reporting requests between DORA, SREP and other regulations to avoid redundancies.
  • Guidance on the articulation between SREP and DORA assessments.

Paragraph 83c states that “the management body collectively has an appropriate understanding of the institution’s business model and activities and keeps up to date sufficient knowledge and skills on relevant skills, including on IT risks, ESG risks and other emerging risks, through regular training.” We propose to delete “and other emerging risks” as it is not clear what should be covered by this phrase.

In addition, paragraph 90 proposes that the compliance function manages the “legal risk stemming from non-compliance ...” In contrast, the wording of paragraph 5 of Article 76 of the CRD, introduced by the CRD VI, maintains the concept of “compliance risk” instead of legal risk and establishes that the compliance function “assesses and mitigates compliance risk and ensures that the institution’s risk strategy takes into account compliance risk and that compliance risk is adequately taken into account in all material risk management decisions”.

In our view, the proposal in paragraph 90 of the revised SREP GLs - by stating that CAs must assess whether the compliance function effectively “assesses and mitigates risks from non-compliance with applicable legal and regulatory requirements…” [in line with the proposed amendment to paragraph 204 of the Internal Governance Guidelines - “204. Institutions should establish a permanent and effective compliance function to manage legal risk stemming from non-compliance” but such a proposed amendment is still under discussion] - would be inconsistent with the CRD VI, which refers to “compliance risks.” Therefore, the wording of paragraph 90 is not aligned with the purpose of the SREP GLs revision, which is, among other things, to take into account the changes resulting from the CRD VI (paragraph 5 of “Background and rationale”). It is also important to note that this pertains to a broader issue regarding the relationship between compliance risk and legal risk in the CRD and CRR, which remains unresolved – namely that the CRR refers to legal risk and provides a definition which is aligned with the concept generally associated with compliance risk.

Given that some revisions to Title 5 (e.g. paragraph 84) are a consequence of the next revisions to the EBA Guidelines on Internal Governance (not yet published in the final version), it is important to ensure consistency and alignment between the implementation timelines of the two GLs — Internal Governance and SREP — so that no elements are regulated in the SREP assessment before the Guidelines on Internal Governance have been published in their final version. Should the final EBA Guidelines on Internal Governance significantly deviate from the draft submitted for consultation, it would be opportune to allow for further comments on the related SREP provisions to ensure consistency in the applicability of the rules.

Finally, paragraph 104 stipulates that CAs should determine whether the management body of the institution and senior management review and approve the institution’s risk data aggregation and risk reporting framework. We propose to delete “and senior management,” as only the Management Body can take decisions. 

Q8. Do you consider the coverage and level of detail of this Title appropriate for its intended purpose?

The revised GLs include an appendix providing a detailed taxonomy. However, this taxonomy is partial (excludes business risk) and not aligned with existing ones (Pillar 1 risk categories address Pillar 2 (P2) risks such as credit concentration), and we would appreciate a further alignment. Indeed, the different taxonomies are a concern, for example, in the calculation of the diversification effects (intra-risk vs inter risk) in the ICAAP process. 

Q9. Do you agree with the treatment proposed to account for transfer pricing risk in the context of trading book activities? Please elaborate.

N/A

Q10. What are the respondents’ views on the integration of the EBA GL on ICT risk assessment under the SREP (EBA/GL/2017/05) and DORA aspects?

The value of further integrating the EBA Guidelines on ICT risk assessment under the SREP with the framework introduced by Regulation (EU) 2022/2554 (DORA), in order to both enhance the consistency and effectiveness of ICT and operational risk supervision and align expectations, is recognised. At the same time, we note that DORA establishes a more comprehensive and detailed framework for the identification, management and testing of ICT-related risks across governance, controls, incident management and third party management. 

In this context, the revised GLs should not duplicate efforts of activities within the overall operational risk management framework, of which ICT risk represents a key, but not exclusive component. We recommend that ICT risk continues to keep its normal weight within operational risk. 

From an implementation perspective, we observe that certain aspects currently covered by the EBA Guidelines on ICT risk assessment (EBA/GL/2017/05) and by the operational risk assessment under the SREP substantially intersect with DORA requirements, while others are not fully aligned (e.g. Third Party ICT Risk management). Without sufficient clarification on the supervisory use of DORA outputs, this could increase frequency, effort and granularity of evaluation activities, with potential implications for proportionality and efficiency, without a real value-add in both supervisory and governance frameworks. Further clarification on how DORA-based assessments can be leveraged to inform or partially substitute existing ICT and operational risk evaluations under the SREP would be beneficial to reduce unnecessary duplication and ensure supervisory focus on material risk drivers.

The integration of DORA into the SREP should also be supported by a clear, stable and technically coherent risk taxonomy, in which ICT risk is consistently positioned as a component of operational risk, closely linked to:

  • business processes,
  • critical or important functions,
  • and the underlying applications and ICT assets supporting those functions.

Such an approach may facilitate convergence between institutions’ internal risk management frameworks and supervisory assessments, while also enabling supervisors to rely, where appropriate, on DORA-driven artefacts and processes as evidence within the SREP.

Q11. What are the respondents’ views on the introduction of operational resilience (section 6.4.5)?

The text can further clarify that the risk measured is the residual risk and not inherent risk. 

The introduction of operational resilience as a broad concept in the SREP does not align with the EU regulatory framework. While certain specific elements are included within the EU regulatory framework, such as DORA and the EBA’s draft GLs on the management of third party risk, these do not fully cover a holistic concept of Operational Resilience as it is expressed in the draft GLs.

The requirements expressed in DORA are specifically targeted at digital resilience. The third party risk management requirements similarly have a clear and specific focus, rather than providing a framework for a holistic approach to operational resilience.

Similarly, while some jurisdictions, such as Ireland, do have an operational resilience framework, the absence of a clear and consistent approach across member states will lead to fragmented and varying implementation, damaging the level playing field.

Members do not consider that the SREP Guidelines are an appropriate approach to develop and implement what amounts to a far-reaching, broad and highly demanding set of supervisory expectations. A change of this scope would likely justify separate, specific consultation with industry and possibly even require Commission regulation to form the basis of it.

These concerns are further compounded by the extremely broad and loose definition of ‘Operational Resilience’ leveraged by the EBA, which also deviates significantly from existing definitions of operational resilience in jurisdictions such as Ireland.

Members would propose that references to operational resilience are restated to be framed around digital operational resilience, to ensure that it is aligned with the regulatory framework.

Some specific comments include:

  • Paragraph 68.c. refers to a CA’s assessment of a firm’s “operational resilience, by reviewing the institution’s operational resilience framework.” In line with our wider comments, there is no current regulatory requirement for firms to have a holistic operational resilience framework in place.
  • Paragraph 92.g. refers to “appropriate and consistent links between the business strategy, risk strategy, digital operational resilience strategy.” During the development of the technical standards under DORA, it was made clear that a separate DORA / ICT strategy would not be required, as long as the requirements were covered under existing or other strategies. This requirement could lead to supervisors requiring a separate DOR strategy in contravention to the prevailing approach. For those firms which do have a separate DOR strategy, there is no current requirement under DORA for links between it and the business strategy beyond the requirement that the firm be able to describe how the DOR strategy supports the business strategy. Such links may be more common in IT strategies. The supervisory expectation as currently drafted could be seen as moving the goalposts, and lead to a duplication of strategies which would increase the complexity of governance.
  • Paragraph 197 states that, “Competent authorities should assess the materiality of operational risk arising from third-party service providers (TPSPs).” This goes against the fundamental approach to both the assessment of third-party service providers, and established supervisory practice. Requiring supervisors to independently assess the materiality of risks associated with third parties would be a significant operational demand on both supervisors and firms, and would likely lead to the CA coming to inaccurate conclusions. It would be more appropriate for CAs to assess the institution’s approach to determining the materiality of operational risk arising from TPSPs.
  • Paragraph 208 refers to CAs using reports of significant cyber threats as a source of information. We emphasise that the reporting of significant cyber threats is on a voluntary basis under DORA, and may not be available for all CAs. We would welcome the EBA clarifying that this may be a source of information where available.
  • Paragraph 216.i. states that CAs should review the institution’s level of adoption and integration of digital technologies. Digital technologies is not a clearly defined term, and could refer to anything from the use of digital calculators to the deployment of sophisticated artificial intelligence (AI). Furthermore, a general expectation that the CA review firms’ use of digital technologies, without links to a specific desired outcome, risks overstepping the boundary of supervisory responsibility into taking a direct hand in firms’ IT Strategy.
  • Paragraph 216.o. requires CAs to review institutions’ vulnerabilities. However, it does not define what sort of vulnerabilities this refers to. For example, software vulnerabilities are usually very point-in-time, and often resolved quickly after they are identified. As such, the specific vulnerabilities which might exist at the point of the SREP are unlikely to be representative of the steady state. Furthermore, the sharing of vulnerabilities outside of the institution can pose a material security risk to institutions, as any sharing of this information increases the likelihood that these vulnerabilities will become known to bad actors. We would propose that instead, CAs should consider the institution’s approach to identifying the external threat environment, rather than seek to identify the threats and vulnerabilities themselves.
  • Paragraph 217 states that CAs should “form an opinion on which ICT systems and ICT services support critical or important functions.” In line with our other comments, this runs counter to established supervisory processes. It would be more appropriate for CAs to review the approach that institutions have taken to determining which ICT systems and ICT services support their CIFs.
  • The title, “Identification and mapping of material ICT risks to critical ICT systems and ICT services” on page 89 uses terminology which is not present in the existing regulatory framework. Rather than referring to critical ICT systems and ICT services, we would propose that this be amended to “ICT systems and ICT services supporting critical or important functions.”
  • Paragraph 218 states that CAs should “form an opinion on the material ICT risks that can have a significant prudential impact on the institution’s ICT systems and services that support critical or important functions”. It would be more appropriate for the CA to review the institution’s approach to determining the material ICT risks to which they are exposed.
  • Paragraph 232.c. does not recognise that the management body may delegate some of its responsibilities for follow-up and response to audit findings, nor does it consider the materiality of audit findings in question. We propose that this be amended to read, “adequate follow-up and response by the management body or its delegates on material ICT related audit findings and findings reported under Article 13(5) of DORA.”
  • Paragraph 245 refers to monitoring of the maturity level of an institution’s operational resilience. Maturity isn’t clearly defined in this context, and there is a risk that this could decouple the expectations from the degree of risk faced by the institution. A firm’s approach to resilience should be proportionate to the risks to which it is exposed. As such, we propose that the wording be updated to instead refer to the effectiveness or the appropriateness of the institution’s operational resilience. 

Q12. What are respondents’ views on the additional section on CSRBB and the combined score for IRRBB and CSRBB?

Whilst there is understanding why credit spread risk in the banking book (CSRBB) was added, the interest rate risk in the banking book (IRRBB) and CSRBB are traditionally and more holistically covered by ICAAP. In addition to criteria in Table 12, potential double counting between CSRBB & IRRBB assessment and ICAAP assessment should be avoided; and/or ICAAP coverage of the risk in the banking book (BB) should be considered.

To be consistent with the above, IRRBB and CSRBB should be combined for the SREP scoring process while being transparent on the contributions of each component. Within the combined score, the two components should be properly weighted, in light of the much lower degree of maturity (and limited comparability among banks) in the CSRBB assessment. It should be noted that CSRBB is considered almost only in the European regulatory / supervisory framework, and that CSRBB is not subject to the same CRD requirements as IRRBB, with CSRBB being subject to assessment and monitoring (cf. CRD.Art.84(6)(c)) while IRRBB is subject to identification, management and mitigation (cf. CRD.Art.84(6)(c)). Hence, the supervisory framework should be adapted to the different treatment envisaged in the Level 1 text, without unduly gold-plating the process. Attention should be paid to avoid creating additional burden on European banks and magnifying the uneven playing field.

As regards the two components, the GLs should recognize the articulation between entity and group levels with the consolidated figures playing a key role in the assessment of IRRBB. When addressing the application of the Supervisory Outlier Tests (SOTs), the GLs should clarify that, in those cases where a legal entity appears as an “outlier” based on the solo level indicators, if the SOT thresholds are met at consolidated level, the bank should not be considered as an “outlier” for the purpose of the IRRBB score.

As regards CSRBB, provisions of the draft GL raise concerns. They appear excessive for several reasons, i.e. the lack of commonly accepted methodologies, the wide scope of the assessment and the absence of clear proportionality measures.

In addition, it is now important to ensure stability of the supervisory framework on both IRRBB and CSRBB, after the many changes that occurred over the last few years (2018, 2022 and 2024) on the very same issue.

We call for limiting such changes to what would be strictly necessary and be substantiated by facts. Those changes are detrimental to actual management and such volatility represents in itself a competitive disadvantage vis-à-vis other jurisdictions.

Q13. What are the respondents’ views on the proposed assessment of the interaction between Pillar 1 and Pillar 2 requirements and on the proposed approach for operationalizing concerning cases where an institution becomes bound by the output floor?

Further transparency is needed on the general interaction between Pillar 1 Requirements (P1R) and P2R and how competent authorities determine P2R in the light of output floor and beyond. To ensure institutions have a clear understanding of SREP assessment and interaction between P1R and P2R, considering the output floor, the components of P2R have to be made transparent to institutions in SREP assessment.

The proposed amendment seems to concern only the neutralisation of the impact of the output floor on the part of the P2R that would be linked to “model deficiencies” (according to the guidelines, the use of P2R to address these deficiencies should remain residual) and not the part of the P2R covering risks that are not captured by Pillar 1 or not sufficiently covered by Pillar 1.

The EBA is consistent with its opinion from earlier this year (EBA/Op/2025/01), but these revised guidelines do not address the mechanical increase in the P2R amount when the output floor becomes binding in most cases. Therefore, clarification on the operationalisation of the output floor is fundamental. We are in favour of the integration of the EBA Opinion on the output floor and more general provisions on the interaction between P1R and P2R (“option 2”).

We appreciate that EBA has provided paragraph 297, which states that CAs should assess the impact of relevant changes to the regulatory framework for determining P1R on P2R. Unfortunately, some competent authorities have not performed this assessment after recent Capital Requirements Regulation 3 (CRR3) implementation, which has - in some instances - triggered some highly significant and undue increases of risk-weighted assets (RWAs). Thus, while the paragraph intends to address the issue of the mechanical increase in the P2R amount linked to the increase in unfloored RWAs under CRR3, the wording of the guidelines is not sufficiently binding. 

As a consequence, we recommend an amended wording as follows: 

When a material impact on institution’s capital profile is or may be expected due to relevant changes to the regulatory framework for determining P1R or to its implementation on the specific institution, competent authorities should assess such impact in terms of interaction with the P2R. Such assessment should result systematically in redetermining the quantity or composition of the P2R to make sure the institution’s overall own funds requirements are in line with Article 104a(1) of Directive 2013/36/EU, in particular that P2R cover risks or elements of risks that are not covered or not sufficiently covered by the P1R. This assessment should result in the communication by the JST to the institution of the P2R before and after the P1R change. To perform such an assessment, competent authorities may increase the frequency of the SREP assessment as set out in the SREP engagement model in section 2.4 or of specific elements thereof. 

EBF members highlight that the output floor can generate overlaps on model deficiencies but it is unclear if there are possible additional cases of double-counting. We recommend that the mechanism proposed in chapter 7.2.2 para 320 be extended to other risk categories covering the entire P2R and be applied in all the years following the year the banks are bound by the output floor, to maintain fairness and proportionality.

Furthermore, within section 7.2.2, paragraph 320, it is unclear whether the EBA intends the neutralization of arithmetic effects of the output floor to apply only to the part of P2R covering regulatory model deficiencies or to the entire P2R (given that institutions do not have detailed P2R breakdowns). We believe the neutralization should apply to the full P2R thus be located either in: 

  • Additional own funds to cover unexpected losses (section 7.2.1), or/and
  • Own funds or other measures to cover other deficiencies (section 7.2.3).

As regards the automatic neutralisation of arithmetic effects, current wording (“consider whether there are undue arithmetic effects […] and remove them as appropriate”) leaves discretion to CAs, which may lead to inconsistent application across jurisdictions. We recommend introducing an automatic neutralization mechanism for the arithmetic effect as long as the institution is constrained by the output floor. This would align with the legislator’s intent (Recital §55 CRD6 and Art. 104a(8)), previous expectations expressed by EBA (2019) and ECB (2022), the principle of risk-based regulation and the need for a level playing field within and outside Europe.

Within the communication requirements, current obligations as outlined by paragraphs 320(C) and 451 focus only on double-counting elements (model risk) rather than on arithmetic effects. We suggest adding a mandatory communication requirement for CAs to inform institutions about arithmetic effect and its treatment. This would ensure transparency and allow constructive dialogue during P2R determination. 


In addition, as concluded by EBA, there is no assurance that on the EU level, CAs have comparable or aligned practices in assessing P2R.[1] Therefore, more transparency and guidelines on P2R components should be put in place going forward. As one solution, EBA could define guidelines on rudimentary calibration of P2R based on the collective feedback from supervisory authorities and their practices (define best practices). With regard to the automatic recalibration of certain risks, we recommend introducing an automatic recalibration mechanism for risks whose calculation methodology and capital requirements have significantly evolved under CRR3 to ensure proportionality and avoid unintended capital inflation. This should ensure aligned assessment on EU level. 

Furthermore, paragraph 301c) should be amended to emphasise the fact that P2R should be seen as a measure of last resort when it comes to deficiencies in the individual SREP elements, and only used where it is unlikely that other supervisory measures would be sufficient to ensure that those requirements can be met within an appropriate timeframe. 

The EBA could further clarify and provide stronger statements on what Pillar 2 Guidance (P2G) is and is not supposed to cover to avoid capital requirement overlaps, such as the overlap between P2G and the Countercyclical Capital Buffer (CCyB). Regarding this overlap, the EBA should consider the recent Basel Committee publication on positive neutral countercyclical buffers (Nov 2024) which notes that: 

"The CCyB can be raised by authorities in response to periods of excess aggregate credit growth, which have often been associated with the build-up of system-wide risk, and then released during downturns." 

It is therefore explicit in the guidance provided by the Basel Committee that countercyclical buffers should be released in stressed situations like the scenario of the EBA stress test. As a reminder, in the 2025 EBA stress test, banks in the EBA sample generate losses of €547bln in the adverse scenario. Stock prices lose 50% in the first year of the scenario in the European Union, commercial real estate prices lose over 30% over three years compared to their baseline growth. It is not possible not to characterize the scenario and its impact on banks as a downturn. The countercyclical buffer should therefore be always offset from the P2G, otherwise a structural overlap exists between the P2G, which reflects a capital requirement in stress, and the countercyclical buffer, which would be released in such a stress scenario.

Finally, we suggest adding a mandatory communication requirement for the outcome of the Pillar 1 and P2R interaction assessment to institutions. This would foster transparency and allow institutions to understand the rationale behind any P2R adjustments.

Overall Recovery Capacity (ORC)

Banks have reservations about the consideration of the ORC score as regards capital and liquidity adequacy assessment for the following reasons:

  • There could be redundancies or double counting in terms of scoring; for instance, ORC takes into account measures to be implemented in BAU (i.e. ICAAP management actions and LCP measures).
  • It would imply taking into account limited time horizons (6 months for liquidity ORC or 18 months for capital ORC), which do not reflect the actual full capacity of a bank to recover from a severe crisis.
  • It would introduce a degree of subjectivity into the overall SREP assessment since the ORC is a theoretical measure which is based on scenarios, themselves specific to each bank, and, furthermore, ORC is not really comparable between banks due to their differences in size, geographical footprint and business model.
  • It would add further complexity to the SREP process at a time when regulators are engaged in a simplification process.

If nevertheless included, banks would request clarifications:

  • As regards the ORC assessment itself: what are the criteria used for the assessment of the ORC, considering both qualitative and quantitative aspects? Among others, clarifications would be welcome as regards the methodology applied for the “adjusted ORC” and notably for the haircuts applied to the quantitative impacts reported by institutions. More transparency on this matter - with banks having access to their respective “adjusted ORC” individually, and to explanations for their final ORC score assessment - would be welcome and would facilitate discussions between banks and their supervisors.
  • Paragraph 355: to what extent and how would the ORC score impact the final P2 assessments?

[1] EBA’s report on convergence of supervisory practices in 2023: https://www.eba.europa.eu/sites/default/files/2024-07/84952d29-8217-4a06-9ea2-f05be3898f06/2023%20Convergence%20Report.pdf

Q14. What are the respondents’ views on the merger with the ‘SREP liquidity assessment’ and the merger of the scores into a combined liquidity and funding adequacy score?

The merger of liquidity and funding assessments is positive, but we suggest adapting the indicators to the reality of the markets where a banking group operates.

It is important that supervisory assessment maintains an adequate level of granularity, and that the communication of the final outcome allows banks to clearly identify which components had the greatest influence on the overall score, thereby supporting the development of targeted and effective corrective actions.

Q15. What are the respondents’ views in relation to enhanced communication aspects?

Regarding the overall SREP assessment and its communication, some key concerns remain; clarifying them would make the assessment easier to understand. In particular:

  • We support paragraph 451 and in particular the communication of the link between the score and the underlying material risk drivers. Currently, there is little clarity regarding the methodology employed by the Supervisor in its risk assessment and score calculation.
  • The P2R determination (stemming from the ambiguous scores mentioned above regarding the algorithm employed for the SREP) is consequently unclear as well. The related methodology should be disclosed and, in particular, specify how the risk-based approach is ensured, especially considering the inclusion of supervisory judgement.

CAs should include the regulation and supervisory expectations on which their assessments are based in the final SREP decision, as well as the regulatory basis for those expectations and how they align with the EBA guidelines. We welcome the effort to streamline the outcome of the SREP decision, but such effort should not come at the cost of sacrificing crucial information:

  • Severity is not specified for each qualitative requirement and recommendation in the SREP letter communicated to the bank, but only in the context of the supervisory dialogue. An intermediate level of detail should be observed in the SREP letter, which should be clear enough for supervised entities to unequivocally recognise the concerns and be able to act on their improvement or remediation.
  • Scoring per core element is not specified for the individual foreign subsidiaries. 

Predictability and continuity in the documents that banks receive from supervisors following the SREP assessment are also important for banks, as they would allow the internal structures to be more focused on the content, rather than on familiarising themselves with the changing set of documents (at all levels of the bank, including the top management).

Q16. Do you consider the coverage and level of detail of this Title appropriate for its intended purpose?

Regarding paragraph 473, we would support a stronger coordination between CAs within the college of Supervisors in:

  • Guaranteeing the flow of information between CAs.
  • Harmonising assessment methodologies across banks in different jurisdictions. As mentioned previously, methodologies differ with reference to both SSM and extra-SSM subsidiaries (but particularly the latter), and cross border groups experience varying approaches applied to their subsidiaries. The ECB could play a central role in such a dialogue fostering harmonization.
  • Planning supervisory actions and intervention measures.

Additionally, clear guidance on the links between local and consolidated assessments is recommended, as well as the identification of explicit criteria for the independence and autonomy of subsidiaries.

Q17. Do you consider the coverage and level of detail of this Title appropriate for its intended purpose?

The proposed adjustments are a step in the right direction toward strengthening the principles of proportionality and practicability. We recommend that these approaches be consistently implemented and further expanded in supervisory practice. In doing so, it must be made transparent to institutions at all times how their respective results are arrived at, i.e., supervisory stress tests must not be a black box.

We appreciate the flexibility to adjust stress scenarios, but recommend that the guidelines explicitly acknowledge the need to tailor these scenarios to the specific markets within which the group operates.

Regarding paragraph 488 (c), we recommend a clearer framing regarding the timing of a first supervisory exercise on business model resilience, for example, the addition that this exercise should not take place before the 2029 EU-wide Stress Test. 

Q18. Do respondents consider the guidance for the assessment of third-country branches appropriate and sufficiently clear?

Further clarity is requested on whether this paragraph applies only to the list of third country branches published on 13 October 2025. 

Name of the organization

European Banking Federation