Fostering a compliance culture in the European banking system

Blog post by Edouard Fernandez-Bollo, Member of the Supervisory Board of the ECB, and Pedro Gustavo Teixeira, Director General SSM Governance and Operations

Frankfurt am Main, 14 May 2021


The establishment of the Single Supervisory Mechanism (SSM) introduced many tools for effectively supervising banks at the European level. One of those tools, which is possibly not always highlighted enough, allows the ECB to impose sanctions on supervised banks that fail to comply with prudential requirements. This power of the ECB was conceived in the SSM founding regulation as one of the preconditions for European banking supervision to be credible and impactful. In particular, our sanctioning power is expected to foster a culture of prudential compliance among institutions subject to European regulatory requirements and the ECB’s supervision.

That is why sanctions are part of the ECB supervisory toolkit, together with enforcement measures which, unlike sanctions, can only be used when a breach of prudential requirements is still ongoing. The aim of these tools is threefold.

First, they contribute to effective supervision: direct enforcement powers help the ECB ensure and restore compliance with prudential requirements. This, in turn, creates confidence in the soundness of the banking system and promotes its stability.

Second, they stop banks benefiting from breaching prudential requirements: non-compliance should not provide undue benefits to banks, including competitive advantages.

Third, and very importantly from a prudential forward-looking point of view, the deterrence penalties discourage banks from committing similar breaches in the future, which promotes a compliance culture in the banking system and thus contributes to its stability.

In the European context there are a number of challenges for the implementation of a compliance culture. First, the previous fragmentation of supervisory jurisdictions implied different approaches to compliance. For example, some jurisdictions were more likely to impose sanctions, while others perhaps preferred other types of interventions. Second, the enforcement and sanctioning legal framework can be complex in certain instances, especially in terms of the interplay between European and national laws and powers.

Against this background, this blog post aims to clarify the framework in place for the exercise of the ECB’s enforcement and sanctioning powers in the area of prudential supervision. More specifically, it focuses on the recent publication of the ECB Guide to the method of setting administrative pecuniary penalties.

Scope of the ECB’s enforcement and sanctioning powers

Let us begin by recalling which prudential requirements are under the supervision of the ECB. We are entrusted with ensuring banks comply with prudential requirements in the areas of own funds, capital requirements, large exposure limits, liquidity, leverage and reporting, and the public disclosure of information on those areas. These requirements are laid down in directly applicable EU law, such as the Capital Requirements Regulation (CRR).

In addition, we are tasked with ensuring that banks comply with prudential requirements in the area of governance, including fit and proper criteria, risk management, internal controls and remuneration policies and practices. These requirements are laid down in national law implementing the Capital Requirements Directive (CRD).

The scope of our enforcement and sanctioning powers in banking supervision is, therefore, limited to breaches identified in the abovementioned areas. In contrast, the supervision and enforcement of the requirements imposed on banks in the areas of consumer protection or anti-money laundering fall exclusively under the remit of the national authorities. The ECB cooperates with those authorities to ensure a high level of consumer protection and to fight against money laundering. In our prudential assessment, we also consider the shortcomings identified in those areas when they reveal failures in banks’ internal control and governance arrangements. However, the ECB has no enforcement or sanctioning power to ensure compliance with consumer protection or anti-money laundering rules.

Allocation of sanctioning powers within the framework of the SSM

The allocation of sanctioning powers within the framework of the SSM is complex, as it depends on three different elements: (i) the type of provision breached (i.e. directly applicable EU law or national law implementing directives imposing prudential requirements); (ii) the persons responsible for the breach (i.e. legal persons or individuals); and (iii) the type of penalty to be imposed (i.e. pecuniary or non-pecuniary).

The ECB can sanction both significant and less significant institutions in the event of breaches of ECB regulations or decisions. In addition, we can sanction significant institutions for breaches of directly applicable EU banking law (e.g. the CRR).

The direct enforcement and sanctioning powers of the ECB are limited to pecuniary penalties imposed on legal persons. In other words, the ECB cannot directly impose other types of penalties, such as a public warning, on legal persons, nor can it sanction natural persons in any manner.

To ensure the effectiveness of these powers throughout the banking union, the ECB is entitled by law to request that the national competent authorities (NCAs) open proceedings. This may happen in three situations. First, in the case of breaches of national law implementing directives (e.g. the CRD). Second, if the ECB considers that non-pecuniary penalties, as provided for in national laws (i.e. a public warning), should be imposed. Third, if the ECB considers that natural persons should be sanctioned. NCAs remain fully competent to impose sanctions on both significant and less significant institutions in the case of breaches of national law not implementing EU directives or of national law implementing EU directives unrelated to the ECB’s supervisory tasks.

Figure 1

Allocation of sanctioning powers within the SSM: significant institutions

Source: ECB Banking Supervision

Identification of breaches: day-to-day supervision and whistleblowing mechanism

As soon as we identify shortcomings in a bank, we may adopt supervisory measures, such as capital add-ons, restriction of business or operations, divestment of activities that pose excessive risks to the bank’s soundness, restriction or prohibition of dividend distribution, ask the bank to reinforce its governance arrangements, etc. These measures focus on preventing breaches and aim to ensure that banks address their weaknesses at an early stage.

While supervisory measures are initiated by Joint Supervisory Teams (JSTs), enforcement and sanctioning measures are handled by the ECB’s Enforcement and Sanctions Division (ESA), which is an independent unit in ECB Banking Supervision. As ESA is not involved in day-to-day supervision, suspected breaches of prudential requirements are normally identified by the JSTs or other relevant business areas responsible for the direct and indirect supervision of banks, who then refer these suspected breaches to ESA for further investigation.

In addition, any European citizen can contribute to the identification of breaches. If you are a bank customer or employee who suspects that your bank has breached EU banking supervision law, you can share your suspicions with us via our whistleblowing platform, which is also operated by ESA. The ECB never reveals the identity of a person who makes a report without first obtaining that person’s explicit consent, unless such disclosure is required by a court order. We are also constantly improving the security of our platform and its technical capacities. For example, we offer European citizens the possibility to report suspected breaches of prudential requirements in several languages, and we continue to expand the number of languages available on the platform.

Investigation of suspected breaches and subsequent steps

As soon as a suspected breach is identified and referred to ESA, it conducts all the necessary investigation to clarify the facts and relevant circumstances of the case, including those relating to the impact of the breach and the level of misconduct of the bank. For this purpose, ESA may request documents and explanations. It may also examine books and records, conduct interviews and exercise other investigatory powers if necessary.

After the investigation, the ECB Banking Supervision decides on the appropriate measures to be adopted while taking into account the need to ensure a credible and effective deterrent to avoid similar breaches or degrees of misconduct being committed or displayed by banks in the future.

Although they have varying aims, the tools we have available are compatible. We choose them on a case-by-case basis based on our supervisory judgement and the possible spillover effects of the breach. In practice, this means that enforcement and/or sanctioning proceedings could be initiated regardless of the adoption of any supervisory measure that may be considered appropriate to address the situation. JSTs and ESA can also agree upon a single joint decision combining supervisory and enforcement measures. In other cases, an escalation from supervisory measures to sanctioning measures is chosen as the most appropriate way to address non-compliance.

Calculation of pecuniary penalties

In cases where sanctions are considered necessary, ESA prepares a proposal for a decision to impose a pecuniary penalty. Banks are given the opportunity to comment on the facts and objections raised against them, as well as on the amount of the penalty ESA intends to propose to the SSM decision-making bodies.

This year we have further enhanced the transparency of our supervisory policies and practices by explaining our methods for calculating pecuniary penalties used to sanction banks for breaches of prudential requirements.

As explained in our Guide to the method of setting administrative pecuniary penalties, we follow a two-step approach. First, we determine the base amount of the penalty in view of the severity of the breach and the size of the bank in terms of its total assets. The severity of the breach is classified under one of five categories (minor, moderately severe, severe, very severe and extremely severe) depending on its impact and the degree of misconduct of the bank.

For breaches classified as very severe or below, we set the base amount for the penalty either with reference to a predefined penalty grid according to the severity of the breach and the size of the institution, or by multiplying the total profits gained or losses avoided with the breach (if they can be determined) by an amount corresponding to the severity of the breach. Where breaches are classified as extremely severe, we set the base amount as a percentage of the bank’s total annual turnover.

Table 1

Penalty grid in EUR millions for the average bank in each group per category of severity


(size in total assets – EUR billions)

Severity of the breach


Moderately severe


Very severe


(x > 500)






(100 < x ≤ 500)






(20 < x ≤ 100)






(3 < x ≤ 20)






(x < 3)





Source: ECB Banking Supervision
Note: A scaling factor will be applied to the relevant average base amount to ensure a proportionate outcome for each specific bank.

Second, we may adjust the base amount of the penalty, increasing or reducing it to take account of: (i) all mitigating and aggravating circumstances (e.g. the degree of cooperation of the bank or the adoption of effective remedial actions on its own initiative); (ii) whether multiple breaches are derived from the same set of facts; and (iii) the need to ensure that the penalty is proportionate, effective and dissuasive, and that the legal limits are not exceeded. In practice, we can impose pecuniary penalties of up to 10% of the total annual turnover of the bank in the preceding year (resulting from the consolidated accounts of the ultimate parent undertaking, in the case of subsidiaries) or up to twice the amount of the profits gained or losses avoided with the breach, if these can be determined.

How does European banking supervision use its enforcement and sanctioning powers?

European banking supervision focuses on preventing breaches. Consequently, most of our efforts to ensure compliance with banking prudential requirements result in supervisory measures. This was especially the case in 2014 and 2015, when no pecuniary penalties were imposed by the ECB.

In 2016 we asked various NCAs to open proceedings. Consequently, we imposed €1.5 million of penalties on banks for different types of non-compliance. In the course of 2017-2020, we directly exercised our sanctioning powers ten times and asked NCAs to initiate proceedings leading to another ten sanctions being imposed on banks. The following overview of the penalties we imposed does not demonstrate trends or systematic behaviour. This is in itself not surprising, as sanctioning proceedings conducted by a supervisory authority address individual circumstances of non-compliance by banks, which are not representative of the overall situation of the banking sector.

Table 2

Imposed sanctions from 2017 to 2020


Pecuniary sanctions imposed by ECB

Pecuniary sanctions imposed by NCAs at ECB’s request



€6.8 million


€7.6 million

€1.38 million


€5.4 million

€1.33 million


€15.3 million

€6.62 million

Source: ECB Banking Supervision

A detailed list of all the sanctions imposed by European banking supervision can be viewed on our website.


European banking supervision has been equipped with different enforcement tools since its inception. We are addressing breaches of law in the course of our supervisory activities, also with the help of European citizens. As prudential supervisors whose main objective is the stability of the banking system, we are focused on preventing breaches, which in some cases requires us to impose sanctions with a view to deterring future infringements. Once we sanction a bank, we stick strictly to the principle of penalties being effective, proportionate and dissuasive. In our Guide to the method of setting administrative pecuniary penalties, which we published this year, we explain how, when applying these principles, the penalty is set in relation to the size of the bank and the severity of the breach, which is in turn assessed on the basis of its impact and the degree of the bank’s misconduct. Transparency on sanctioning is as important as clarity of supervisory expectations. These criteria show the importance the ECB attaches to preventing breaches that may have an impact on the financial situation of a bank, and to the cooperative behaviour of the banks towards the fulfillment of ECB tasks. A good compliance culture in the banking system is an essential part of the financial stability that is the overarching objective of ECB Banking Supervision.