Risk data aggregation and risk reporting: ramping up supervisory effectiveness

15 March 2024

By Elizabeth McCaul, Member of the Supervisory Board of the ECB

Effective supervision has many facets. An important one is supervisors’ ability to identify banks’ potential shortcomings in a timely manner and make appropriate requests for remedial action to rectify them. When banks fail to put in place adequate remediation plans or meet the deadlines set to remedy deficiencies, effective supervision also means encouraging them to make faster progress in these areas. This includes using the escalation techniques available in the supervisory toolkit to ensure that banks take appropriate, well-timed remedial steps. The objective is to put more pressure on banks to speed up implementation of their remediation plans or correct deficiencies within the allotted time frame.

Our banking supervisors routinely identify issues, raise any concerns they have and ask banks to take prompt and effective remedial action. It is the bread and butter of their daily work and they do it well. In recent years, many banks have failed to fully address the weaknesses identified in risk data aggregation and risk reporting. And some banks have not made adequate progress on implementing their remediation plans. Supervisors at the ECB are taking note and reviewing escalation options.

But what does this mean in practice? How does the ECB tackle banks’ failure to comply with its requests to remedy shortcomings?

European banking supervision’s effectiveness and escalation framework

Banks are responsible for running their business in a prudent manner, managing and monitoring their risks, identifying internal deficiencies and addressing them as quickly as possible. Supervisors are responsible for ensuring that banks strengthen their ability to identify and manage risk in a timely manner if their processes for doing so have been deemed inadequate. When supervisors identify deficiencies, they perform in-depth analyses, evaluate materiality, consider the context and make use of benchmarking where relevant. Importantly, they also apply supervisory judgement based on a particular bank’s circumstances to chart the most suitable way forward to deal with the deficiencies found. This process is at the core of our daily supervisory work. It has intensified in recent years, as we shift gears to move beyond quantitative requirements and use qualitative measures more frequently when not enough progress has been made. The ECB has several supervisory tools at its disposal for this purpose, which are outlined in the escalation framework. You can read more about them on our website or in a recent speech by Frank Elderson, Vice-Chair of the Supervisory Board.

Why is RDARR important and why do we need an escalation framework?

Low-quality information is likely to lead to low-quality risk management decisions. A bank’s ability to manage and aggregate risk-related data effectively is a prerequisite for sound decision-making and strong risk governance. It is hard to imagine any bank being able to appropriately manage and cover its risk exposures without strong risk data reporting.

Since its inception, European banking supervision has considered the governance and quality of risk data to be a priority. From the ECB's perspective this is therefore an area of great importance, to which the banks should pay particular attention. Despite this emphasis, banks have not paid enough attention to RDARR and many structural deficiencies have yet to be tackled. As a result, adequate RDARR capabilities also reflecting the Basel Committee on Banking Supervision’s principles for effective risk data aggregation and risk reporting are still the exception.

Following the recent public consultation on this topic, the ECB will publish a guide on effective risk data aggregation and risk reporting in the near future. It has also developed a specific escalation framework for selected topics to help supervisors encourage banks to make progress in this area. Moreover, the ECB plans to continue upgrading these tools, building on the experience gained along the way, and intends to explore whether more intrusive measures should be used.

When minor weaknesses are identified, joint supervisory teams (JSTs) generally hold informal talks, dedicated meetings and workshops with a bank’s top managers to discuss any shortcomings in plans to increase the management body’s accountability for the bank’s RDARR strategy. JSTs are interested in updates on the steps taken to tackle the deficiencies and can make requests for information about the progress made. JSTs can also inform the bank about steps they intend and the ECB may take in the event of persistent non-compliance. If informal discussions prove to be ineffective – or as a complement to the discussions held – JSTs can issue their recommendations in written form. These usually ask the management body to report regularly on the adequacy of RDARR capabilities and on the remediation of supervisory weaknesses. There are often recommendations to set out a clear action plan containing intermediate and measurable milestones and there may be specific requests to consider RDARR-relevant metrics when deciding on variable remuneration. Supervisors can also ask the management body to appoint a specific board member to monitor and report regularly on the progress being made to deliver an appropriate RDARR strategy and remediation plan.

Should the ECB consider deficiencies in a bank to be sufficiently serious (for example, if weaknesses in data prevent the proper identification, management and coverage of risks to which bank is exposed), it can use its supervisory powers under Article 16 of the SSM Regulation to issue requirements in the decision it sends to the bank at the end of the annual Supervisory Review and Evaluation Process (SREP) (or in another decision). Examples of stronger measures include imposing a cap on total assets and requiring limits for the growth of business activities until remediation has taken place. If a bank repeatedly/consistently fails to comply, supervisors may enforce compliance and, for severe breaches, may launch sanctioning procedures.^[1]

Supervision in action

The persistent lack of progress in improving RDARR capabilities is an example of where banks are falling short of supervisory expectations. The ECB is stepping up pressure on banks to improve by drawing on the full range of its supervisory tools to require compliance. Below are some examples of how effective supervision has encouraged banks to make constructive progress.

One bank had previously managed to collect and deliver most of the data requested by the supervisor. In the past year, however, supervisors found weaknesses in the bank’s data and IT infrastructure that impaired its management of credit and liquidity risks. The ECB subsequently issued a recommendation in its SREP decision to enhance the relevant key processes. The bank then adopted a remediation plan to address the recommendation. While the JST was satisfied with the overall progress made, it noted that some challenges remained regarding the continuous monitoring of the evolving IT architecture. In part to verify that this SREP recommendation has been properly implemented, the ECB initiated an on-site inspection, which is now pending.

Another bank faced challenges and experienced delays in implementing measures to address its RDARR shortcomings and did not progress at the expected pace. In response, the ECB issued a specific requirement, set out in its 2023 SREP decision, asking the bank to adopt temporary measures and take interim steps by the end of 2025, ahead of the bank’s own projected date for RDARR compliance. The bank was required to revise its action plan and report to the ECB every quarter on its progress towards achieving the plan’s milestones. The ECB warned the bank that if the temporary measures were not adopted by the deadline, it would consider issuing a periodic penalty payment to ensure compliance.

In a third recent case, a bank was late in remediating past supervisory findings. During its supervisory dialogue with the bank, the JST stressed that if the existing SREP qualitative measures were not fully implemented within the set deadline, a sanctioning process would be triggered. In addition, the ECB followed up on a recent on-site inspection by issuing a dedicated decision imposing legally binding requirements on the institution.

In another case, a JST informed a bank during the supervisory dialogue that the increase in its Pillar 2 capital requirements imposed by the ECB was partly due to data quality issues. And in cases where bank remediation efforts were especially deficient, JST responses were based on the conclusion that the management body’s collective oversight was ineffective. In these cases, JSTs advised banks to give one or two board members responsibility for monitoring progress, without relieving the management body of its overall responsibility. In specific cases, the ECB also asked the banks’ internal audit departments to carry out a review to spur more progress.

What’s next?

Timely action that includes escalation is important for effective supervision. Supervisors should not hesitate to use the full spectrum of tools at their disposal so that banks take prompt action to remediate the RDARR deficiencies. They should step up pressure expeditiously if banks do not react. This is important because such deficiencies directly affect the quality of data on which banks base their risk management decisions.

We continue to improve our corrective action for some banks, with RDARR being a good example of an area where we have intensified pressure in specific cases, but we still need to do more work in others. We have noted that, when measures are communicated effectively to a bank and set out within a clearly defined escalation process, shortcomings are remediated in a more timely manner. We should also take this approach in other areas of our supervision.

The ECB will continue to draw on its experience by adopting the escalation measures that prove to be most effective in incentivising remediation. A good example we have already seen is that requiring stronger governance oversight by making one or two members of the management body responsible for RDARR progress leads to greater attention being paid at the management body level. This in turn facilitates more timely implementation to strengthen RDARR, largely because closer oversight leads to more resources and greater accountability for implementing the remedial actions.

Many banks are benefiting from better profitability in the current higher interest rate environment. Now is a particularly opportune moment for them to be investing in their RDARR capabilities, which will help them meet supervisory expectations for sound decision-making in relation to risk management.

The views expressed in each blog entry are those of the author(s) and do not necessarily represent the views of the European Central Bank and the Eurosystem.