Response to consultation on revised Guidelines for common procedures and methodologies for the supervisory review and evaluation process (SREP) and supervisory stress testing
Q1. What are the respondents’ views on the overall amendments and clarifications made to the revised guidelines (across Titles 2 – 12)?
While acknowledging the added value of supervisory judgement, and the need to grant flexibility in supervisory activity, the room for supervisory judgement embedded in the draft Guidelines appears very large and might be reconsidered in order to ensure comparability and level playing field. In this regard, also the lack of a clear underlying methodology, adding subjective valuation criteria to an undisclosed calculation framework, contributes to jeopardizing the overall accountability of supervisory outcomes. Some examples throughout the Guidelines are:
- Para. 34 states that “When assessing risks to capital, competent authorities should also consider relevant subcategories, e.g. concentration risk or country risk as part of the credit and counterparty risk assessment, as set out in Title 6. Depending on the materiality of any of these subcategories to a particular institution, competent authorities may decide to assess and score them individually.”
In order to have reliable, predictable, comparable and understandable scoring, clear drivers should be defined. This is especially relevant because the outcome of such judgement does not only impact scores but also the P2R calculation as a consequence.
- Para. 35 adds that “Competent authorities may use different methods to apply the risk scores, they could score ‘risk’ and ‘risk management and controls’ separately (resulting in an intermediate and final score) or score them together. Competent authorities may also aggregate all the risks to capital into an aggregate score.”
This leaves large discretion to CAs in terms of the method to apply. Criteria should be determined for the sake of clarity and transparency in the methodology applied.
- Para 115 states that “The title also identifies a set of subcategories within each risk category above, which need to be taken into account when risks to capital are assessed. Depending on the materiality of any these subcategories to a particular institution, they can be assessed and scored individually. Annexes I-IV present non-exhaustive lists of sub-categories for credit risk, market risk, operational risk and IRRBB that competent authorities should consider, when relevant”, while Para. 116 states that “The decision on materiality depends on the supervisory judgement. […].”
Even in this case, supervisory judgement should be linked to clear drivers which are at least commensurate to the category an institution falls into.
- Para 124 states that “When performing their assessments, competent authorities should use all available information sources, including regulatory reporting, ad hoc reporting agreed with the institution […]”.
Ad hoc reporting agreed with an institution opens the way to subjectivity, which consequently leads to an unlevel playing field. Moreover, given that the reports are mainly used for benchmarking amongst peers, these shouldn't, in principle, be bilateral but rather be homogeneous per cluster of peers. ABI recommends not including this practice in the assessments.
- Para. 306 states that “The ICAAP and outcomes of its assessment should be taken into account by competent authorities as one of the key inputs for the identification and assessment of risks relevant for the institution. The determination of the amount of capital considered adequate and P2R on a risk-by-risk basis should take into account the ICAAP calculations if deemed reliable or partially reliable, as well as the outcomes of supervisory benchmarking and other relevant inputs as appropriate, including the supervisory judgement.”
Similarly to what is highlighted above, supervisory discretion also applies in the risk-by-risk evaluation, which means that authorities may rely less on the ICAAP. Since ICAAP calculations are performed by the bank and follow defined methodologies, reduced reliance on them introduces greater uncertainty and potentially less consistency across institutions regarding the determination of the amount of capital considered adequate and the P2R, especially when benchmarking exercises are run against peers which comparability criteria are not disclosed to banks.
Moreover, ABI welcomes the mechanism outlined in paragraph 80, which integrates the assessment of an institution’s ability to effectively and timely remedy supervisory concerns into the broader evaluation of internal governance and institution-wide controls, including through an analysis of the institution’s track record in addressing identified deficiencies. For such an assessment to be predictable and robust, it is essential that the deficiencies identified and/or supervisory concerns expressed by competent authorities to be considered “in scope” are clearly and objectively identifiable on the basis of a predefined supervisory taxonomy shared with the industry. Only deficiencies and supervisory concerns “in scope” that are traceable and monitorable over time through a shared supervisory tool or platform should be included in the overall assessment referred to in paragraph 80.
As a general note, there are several instances where the new wording may be unhelpfully vague, for e.g., in paragraph 29 (page 32), it is stated that “The risk scores aim to capture the likelihood that the risks to capital, liquidity and funding will have a significant impact on the institution”. It is unclear what determines whether an impact is significant. Given the link to the risk scores, it is deemed essential that there be transparency and clarity as to what renders an impact significant.
With reference to para. 39 (page 16), ABI suggests the following amendment: “The guidelines also reinforce transparency and communication regarding SREP outcomes. All relevant expectations for competent authorities regarding the communication related to the SREP have been now rationalised and grouped into a single Title. These expectations include, beyond the indication of material risk drivers supporting any additional own funds requirement (P2R and P2R-LR) that should be duly justified to institutions, a description of the overall outcome of the SREP, including a summary of the assessment and the overall SREP score. Furthermore, in line with the principle of risk-based supervision, where appropriate and depending on the specific remedial action required, competent authorities may (*) shall disclose to institutions the SREP scores for relevant elements or sub-elements”. It should be mandatory for authorities to disclose the SREP scores for relevant elements or sub-elements. (*)For the correct answer, please refer to the attached PDF version where the amendment is visible with the strikethrough character
Clearer methodology would be needed also in the determination of risk scores, and in particular in relation to inherent risk and adequate management and controls (ref. para 6.2.4). More precisely, the GLs do not contemplate circumstances where inherent risk is high while management and controls are adequate or vice versa. It is unclear how scoring is determined in these particular cases.
Finally, regarding the implementation date of the revised Guidelines (1 January 2027), ABI notes that the EBA encourages competent authorities to take revised guidance into account, and where possible, to introduce its elements at an earlier stage. ABI would ask to clarify that this should be subsequent to the publication of the final version of the Guidelines.
Q2. What are the respondents’ views on the integration of ESG risks and factors across the existing SREP elements in the revised guidelines?
ABI agrees with the approach stated under paragraph 42: “At the same time, the guidelines acknowledge that competent authorities should adopt a gradual approach to the assessment of social and governance risks, initially prioritizing environmental risks, recognizing the greater capacity to quantify climate-related risks compared to other types of environmental risks, while progressively enhancing supervisory practices as data availability, methodologies and analytical tools evolve”. A gradual approach would be best suited to allow for progress to be made in areas other than climate risk.
It is important that the prioritization of environmental before social and governance risks, and climate before other environmental risks is clearly stated in the Guidelines (GL).
Q3. What are the respondents’ views on the enhanced simplification and proportionality aspects?
ABI welcomes the increased emphasis on the application of the proportionality principle.
However, clear guidance on how the principle should be applied in practice seems not yet present in the revised GL. In the draft under consultation, the approach to proportionality seems to rely predominantly on reduced frequency of assessments. While paragraph 2.4 rightly clarifies that proportionality should also apply to the level of detail and scope, this perspective is only partially reflected in the remainder of the draft Guidelines.
Later in the document, proportionality is mentioned only briefly in a few instances (paragraphs 77, 165, 288, 408 and 473) and/or referenced via section 2.4. However, there are no concrete proposals for how proportionality can be operationalised in practice — beyond the aspect of frequency. As a result, the intended purpose is overshadowed by numerous, highly detailed lists of elements that competent authorities are expected to assess.
Still with regard to proportionality, it would be important for banks to be informed of which category (from 1 to 4) they have been assigned by the competent authority. The category, in fact, affects the supervisory process and therefore predictability in this regard would reduce the operational burden for banks. In light of the above, further clarity regarding the criteria and methodological considerations that determine which category an institution falls into would also be beneficial.
Also, supporting yearly Supervisory Examination Programmes (SEP) with prior impact assessment of their feasibility for both Supervised Entities and Competent Authority would allow orderly execution of activities on both sides, easing accurate supervisory conclusions.
With reference to para. 27 and 46, a further harmonization of assessment methodologies (i.e., underlying the assessment of SREP elements which are then reflected in the scoring system and in the consequent quantitative and qualitative measures) is deemed useful. More precisely, a stronger role of the Supervisory College in harmonizing assessment methodologies across banks in different jurisdictions would be desirable. Currently, methodologies differ, with reference to both SSM and extra-SSM subsidiaries (but particularly the latter), and cross-border groups experience varying approaches applied to their subsidiaries. The ECB could play a central role in such a dialogue fostering harmonization.
In addition, ABI requests further clarification on some aspects:
- What is considered a poor SREP score
- What is the threshold to determine whether the risk profile has materially changed (paragraph 44).
More generally speaking, the opportunity of this review could be taken to consider a more impactful simplification impulse, as is observed in other jurisdictions such as the United States.
Q4. What are the respondents’ views on the introduction of a high-level escalation framework?
The high-level escalation framework seems to leave much room for supervisory discretion, which hinders predictability. Clarity would be desirable in terms of the drivers which lead to the application of one supervisory measure or another (more precisely, clarity regarding the interaction between the actions identified in para. 21 and the considerations listed in para. 22 which said actions depend on). Although the discretion left to the Supervisor is understandable for the sake of flexibility based on specific cases, it is important that the underlying drivers determining the different kind of measures be clarified within the Guidelines.
Moreover, the proposed configuration does not appear to be aligned with the direction outlined in the report “Assessment of the European Central Bank’s Supervisory Review and Evaluation Process – Report by the Expert Group to the Chair of the Supervisory Board of the ECB”, which points to the need to address the use of all the instruments in the Supervisory toolbox to limit the application of capital add-on alone. Thus, it excludes the application of certain measures in addition to existing Pillar 2 requirements, potentially resulting in cumulative supervisory effects for institutions. Ensuring a clear distinction and a coherent interaction between escalation measures and capital-based requirements is therefore essential to preserve the consistency of the SREP framework and to avoid unintended double counting.
In addition, a more structured, transparent and predictable use of supervisory measures is encouraged, including a clearer articulation of escalation mechanisms and their role within the overall SREP framework. The current design of the escalation framework risks moving in the opposite direction, by increasing subjectivity and reducing the clarity of supervisory of supervisory communication to institutions.
Moreover, another concern regards the circumstance where different supervisory teams (e.g., JST, OSI, horizontal teams) investigate the same or overlapping topics. It is important that decisions regarding such topic are centralized avoiding multiple supervisory actions for the same issue.
Last but not least, an incentive for supervisors to provide the industry with a similar escalation ladder would be appreciated, as options for banks’ claims appear currently limited and not very effective (Accountability and Board of Review (ABOR) and Court of Justice of the European Union)
Q5. Do you consider the coverage and level of detail of this Title appropriate for its intended purpose?
Para 54.a introduces a set of non-prudential indicators, including DORA (EU 2022/2554) indicators broadening the scope of risk monitoring beyond traditional prudential metrics without explicitly indicating such metrics in detail in the document.
Defining a set of monitoring indicators tailored to each category of institution (1 to 4) would enhance clarity, ensure consistency, and support a level playing field. In general, “key risk indicators” should be clearly defined and shared with institutions given the relevance of such indicators and the usefulness in orienting institutions’ actions in the direction desired by competent authorities.
Q7. What are the respondents’ views on the updated section 5.7 “ICT systems, risk data aggregation and risk reporting”?
Given that some revisions to the Title 5 (see, for example, paragraph 84) are a consequence of the next revisions to the EBA Guidelines on Internal Governance (not yet published in the final version), it is important to ensure consistency and alignment between the implementation timelines of the two Guidelines — Internal Governance and SREP — to avoid that some elements are regulated in the SREP assessment before the Guidelines on Internal Governance have been published in their final version.
Furthermore, should the final EBA Guidelines on Internal Governance significantly deviate from the draft submitted for consultation, it would be opportune to allow for further comments on the related SREP provisions to ensure consistency in the applicability of the rules.
Q8. Do you consider the coverage and level of detail of this Title appropriate for its intended purpose?
The revised guidelines include an appendix providing a detailed taxonomy. However, this taxonomy is partial (excludes business risk) and not aligned with existing ones (Pillar 1 risk categories address P2 risks such as credit concentration), and further alignment would be appreciated. Indeed, the different taxonomies are a concern, for example, in the calculation of the diversification effects (intra-risk vs inter risk) in the ICAAP process.
Q10. What are the respondents’ views on the integration of the EBA GL on ICT risk assessment under the SREP (EBA/GL/2017/05) and DORA aspects?
In general, ICT is covered repeatedly throughout the Guidelines and a rationalization and harmonization would be useful and more efficient.
It is recognized the value of further integrating the EBA Guidelines on ICT risk assessment under the SREP with the framework introduced by Regulation (EU) 2022/2554 (DORA), in order to both enhance the consistency and effectiveness of ICT and operational risk supervision and align expectations. At the same time, it is noted that DORA establishes a more comprehensive and detailed framework for the identification, management and testing of ICT-related risks across governance, controls, incident management and third party management.
In this context, it should be carefully evaluated to not duplicate efforts or activities within the overall operational risk management framework, of which ICT risk represents a key, but not exclusive, component.
From an implementation perspective, it is observed that certain aspects currently covered by the EBA Guidelines on ICT risk assessment (EBA/GL/2017/05) and by the operational risk assessment under the SREP substantially intersect with DORA requirements, while others are not fully aligned (e.g. Third-Party ICT Risk management). Without sufficient clarification on the supervisory use of DORA outputs, this could increase frequency, effort and granularity of evaluation activities, with potential implications for proportionality and efficiency, without a real value in both supervisory and governance frameworks. Further clarification on how DORA-based assessments can be leveraged to inform or partially substitute existing ICT and operational risk evaluations under the SREP would be beneficial to reduce unnecessary duplication and ensure supervisory focus on material risk drivers.
The integration of DORA into the SREP should also be supported by a clear, stable and technically coherent risk taxonomy, in which ICT risk is consistently positioned as a component of operational risk, closely linked to:
- business processes,
- critical or important functions,
- and the underlying applications and ICT assets supporting those functions.
Such an approach may facilitate convergence between institutions’ internal risk management frameworks and supervisory assessments, while also enabling supervisors to rely, where appropriate, on DORA-driven artefacts and processes as evidence within the SREP.
Q11. What are the respondents’ views on the introduction of operational resilience (section 6.4.5)?
The introduction of operational resilience as a broad concept in the SREP does not align with the EU regulatory framework. While certain specific elements are included within the EU regulatory framework, such as DORA and the EBA’s draft GLs on the management of third-party risk, these do not fully cover a holistic concept of Operational Resilience as it is expressed in the draft GLs.
The requirements expressed in DORA are specifically targeted at digital resilience. The third-party risk management requirements similarly have a clear and specific focus, rather than providing a framework for an holistic approach to operational resilience. Introducing a regulatory framework with regard to operational resilience would require a dedicated workstream and a consultation with industry.
Q12. What are respondents’ views on the additional section on CSRBB and the combined score for IRRBB and CSRBB?
As regards combined score for IRRBB and CSRBB, ABI would call for transparency on the contributions of each component. Within the combined score, the two components should be properly weighted, in light of the much lower degree of maturity (and limited comparability among banks) in the CSRBB assessment, and in light of the different CRD requirements (being the CSRBB subject to assessment and monitoring, while identification, evaluation, management and mitigation are required for IRRBB).
As regards the two components, the GLs should recognize the articulation between entity and group levels with the consolidated figures playing a key role in the assessment of IRRBB. When addressing the application of the Supervisory Outlier Tests (SOTs), the GLs should clarify that, in those cases where a legal entity appears as an “outlier” based on the solo level indicators, if the SOT thresholds are met at consolidated level, the bank should not be considered as an “outlier” for the purpose of the IRRBB score. The provisions of the draft GL as regards CSRBB - as the GL on IRRBB and CSRBB (EBA/GL/2022/14) – raise concerns. They appear excessive for several reasons, i.e. the lack of commonly accepted methodologies, the wide scope of the assessment and the absence of clear proportionality measures.
Q13. What are the respondents’ views on the proposed assessment of the interaction between Pillar 1 and Pillar 2 requirements and on the proposed approach for operationalizing concerning cases where an institution becomes bound by the output floor?
The proposed amendment seems to concern only the neutralization of the impact of the output floor on the part of the Pillar 2 requirements (P2R) that would be linked to “model deficiencies” (according to the Guidelines, the use of P2R to address these deficiencies should remain residual) and not the part of the P2R covering risks that are not captured by Pillar 1 or not sufficiently covered by Pillar 1. Also, the mechanical increase in the P2R amount due to the increase in unfloored RWA under CRR3 seems not fully addressed as paragraph 297 appears not sufficiently binding.
The following rewording is proposed:
When a material impact on institution’s capital profile is or may be expected due to relevant changes to the regulatory framework for determining P1R or to its implementation on the specific institution, competent authorities should assess such impact in terms of interaction with the P2R. Such assessment may(*) should result systematically in redetermining the quantity or composition of the P2R to make sure the institution’s overall own funds requirements are in line with Article 104a(1) of Directive 2013/36/EU, in particular that P2R cover risks or elements of risks that are not covered or not sufficiently covered by the P1R. This assessment should result in the communication by the JST to the institution of the P2R attached to each risk before and after the P1R change. To perform such an assessment, competent authorities may increase the frequency of the SREP assessment as set out in the SREP engagement model in section 2.4 or of specific elements thereof. (*)For the correct answer, please refer to the attached PDF version where the amendment is visible with the strikethrough character
In addition, given that the output floor can generate overlaps on model deficiencies but is it unclear if there are possible additional cases of double-counting, ABI recommends extending the mechanism proposed in chapter 7.2.2 para 320 to other risk categories and applying also in the years following the year when the banks are bound by the output floor.
Moreover, the EBA could further clarify what P2G is and is not supposed to cover to avoid capital requirement overlaps, such as the overlap between P2g and the Countercyclical Capital Buffer (CCyb). Regarding this overlap, the EBA should consider the recent Basel Committee publication on positive neutral countercyclical buffers (Nov 2024) which notes that
"The CCyB can be raised by authorities in response to periods of excess aggregate credit growth, which have often been associated with the build-up of system-wide risk, and then released during downturns."
It is therefore explicit in the guidance provided by the Basel Committee that countercyclical buffers should be released in stressed situations like the scenario of the EBA stress test. The countercyclical buffer should therefore be always offset from the P2G, otherwise a structural overlap exists between the P2G, which reflects a capital requirement in stress, and the countercyclical buffer, which would be released in such a stress scenario.
Q15. What are the respondents’ views in relation to enhanced communication aspects?
Regarding the overall SREP assessment and its communication, some key concerns remain that should be addressed to facilitate understandability and clarity of said assessment. In particular:
- ABI supports para. 451 and in particular the communication of the link between the score and the underlying material risk drivers. Currently, there is little clarity regarding the methodology employed by the Supervisor in its risk assessment and score calculation.
- The Pillar 2 Requirement (P2R) determination is consequently unclear as well. The related methodology should be disclosed and, in particular, specify how the risk-based approach is ensured especially considering the inclusion of supervisory judgement.
While the communication of the SREP decisions should not be overly lengthy and its streamlining is welcome, it is essential that such effort not be at the cost of sacrificing crucial information (such as specification of severity for each qualitative requirement and recommendation, and scoring per core element for the individual foreign subsidiaries.
Stability and continuity in the documents that banks receive from supervisors following the SREP assessment would also be important for banks, as it would allow the internal structures to be more focused on the content rather than in familiarizing with the changing set of documents (at all level of the bank, including the top management).
Q16. Do you consider the coverage and level of detail of this Title appropriate for its intended purpose?
Regarding para. 473, ABI would support a stronger coordination between competent authorities within the college of Supervisors in:
- guaranteeing the flow of information between competent authorities.
- harmonizing assessment methodologies across banks in different jurisdictions. Currently, methodologies differ, with reference to both SSM and extra-SSM subsidiaries (but particularly the latter), and cross border groups experience varying approaches applied to their subsidiaries. The ECB could play a central role in such a dialogue fostering harmonization.
- planning supervisory actions and intervention measures.