Response to consultation on revised Guidelines for common procedures and methodologies for the supervisory review and evaluation process (SREP) and supervisory stress testing

Q11. What are the respondents’ views on the introduction of operational resilience (section 6.4.5)?

Under Section 6.4.5, the revised SREP Guidelines propose competent authorities:

"leverage on their existing assessments on operational risk management, business continuity, change management capabilities, third-party services and the ICT upon which the institution relies to holistically evaluate whether these elements collectively support the institution's operational resilience" (Paragraph 244).

In addition, Paragraph 245 requires competent authorities to assess whether management bodies and senior management monitor "the maturity level of the institution's operational resilience."

Taken together, these provisions introduce a new, qualitative, and holistic supervisory assessment of operational resilience that goes beyond the traditional prudential scope of SREP.

The IIF contends that including an operational resilience evaluation within the SREP Guidelines lacks a clear legal or regulatory mandate under the Capital Requirements Directive (CRD) framework. The SREP is fundamentally designed to assess risks to institutions' capital adequacy and liquidity to ensure prudential soundness. While operational risk has long been a component of SREP, the introduction of a standalone, holistic operational resilience assessment represents a qualitative shift in scope beyond established prudential metrics.

The requirements proposed in Section 6.4.5 - particularly the expectation that competent authorities conduct a "holistic evaluation" of interconnections (Paragraph 244) and assess the "maturity level" of operational resilience (Paragraph 245) - are not grounded in explicit CRD provisions and introduce subjective, forward-looking assessments that differ from traditional SREP methodologies. There is currently no legislative or regulatory text at the EU level that defines "operational resilience maturity" or provides a mandate for its assessment within SREP. By introducing this concept through Guidelines rather than formal legislation, the EBA is establishing a new qualitative benchmark without undergoing the usual rulemaking process. Any material expansion of SREP scope should be explicitly mandated through legislative amendment, as introducing such requirements through Guidelines risks creating legal uncertainty and leading to divergent supervisory interpretations and inconsistent implementation across member states.

The SREP guidelines should focus on supervising existing legally binding risk management frameworks that benefit operational resilience. The Digital Operational Resilience Act (DORA), for example, establishes detailed requirements across ICT risk management, incident management, resilience testing, third-party risk management (TPRM), information sharing, and management body oversight, complemented by the EBA's forthcoming updated Guidelines on TPRM. Introducing parallel SREP requirements creates supervisory overlap between SREP competent authorities and DORA supervisors. The absence of a policy debate on how existing expectations should collectively support an institution's operational resilience could result in conflicting expectations, duplicative information requests, and contradictory remediation priorities. In addition, Section 6.4.5 introduces subjective assessment layers that create uncertainty about supervisory expectations, divert resources from DORA implementation, and undermine the harmonization objectives DORA was designed to achieve - adding complexity without tangible benefits to operational resilience.

Because SREP guidelines apply solely to the EU banking sector, they would create an unlevel playing field for banks, which would face duplicative and potentially more stringent requirements compared to the rest of the financial sector without commensurate benefits to operational resilience. Operational disruptions frequently originate from shared infrastructure and cross sectoral boundaries. The banking sector cannot achieve resilience in isolation nor implement resilience standards effectively if other market participants are not subject to the same guidelines. DORA was developed through an extensive legislative process precisely because operational resilience is inherently ecosystem-wide, with individual institutions' resilience inextricably linked to their counterparties, service providers, and the broader financial ecosystem. DORA's broad applicability across the entire financial sector - encompassing not only banking but also investment firms, payment institutions, insurers, crypto-asset providers, credit rating agencies, administrators of critical benchmarks, and critical ICT third-party service providers - reflects the recognition that operational resilience requires coordinated standards across the complete financial ecosystem. Introducing SREP-specific requirements bypasses DORA's comprehensive policy development process and application and creates regulatory arbitrage opportunities and supervisory inconsistencies across member states.

Should the EBA determine that additional operational resilience requirements are necessary beyond DORA, the introduction of such requirements into SREP would represent a material expansion of the framework's scope and merit further, dedicated industry consultation. Any resulting consultation should focus on the underlying rationale and legal basis, relationship with DORA and other operational risk guidelines, assessment criteria, resource implications, and potential unintended consequences. Supervisory guidelines are not the appropriate channel for requirements carrying such extensive implications - embedding this change within a broader SREP revision limits thorough examination and risks establishing new requirements without necessary policy debate. Any such requirements should be developed through dedicated consultation with clear problem definition, supported by explicit legislative mandate, carefully calibrated to avoid DORA duplication, and applied consistently across the financial sector.

For the reasons outlined above, the IIF strongly recommends that the EBA remove Section 6.4.5 in its entirety from the revised SREP Guidelines. DORA provides the appropriate regulatory framework for operational resilience. Given DORA's comprehensive approach to operational resilience across the financial sector, supervisory focus should be on robust DORA implementation, effective application of the EBA's Guidelines on TPRM, and strong oversight of critical ICT third-party service providers.

IIF members are firmly committed to strengthening the resilience of the EU financial sector through focused implementation of the comprehensive DORA framework, supported by clear, consistent, and harmonized supervisory expectations across all financial sector participants. The IIF looks forward to continued engagement with the EBA on supervisory approaches that strengthen resilience while maintaining regulatory coherence, proportionality, and a level playing field.

We thank the EBA for its consideration of our comments and welcome any additional stakeholder engagement around the EBA's objective to enhance the SREP framework to reflect evolving risks and supervisory practices. If you have any questions, please do not hesitate to contact Martin Boer at mboer@iif.com or Melanie Idler at midler@iif.com.

Name of the organization

Institute of International Finance