Interview with Verslo žinios
Interview with Andrea Enria, Chair of the Supervisory Board of the ECB, conducted by Naglis Navakas on 3 March
9 March 2023
Let’s start with something easy: who are you and why are you here? Sorry for the blunt question, but I find it a very nice way to start.
I realise that understanding what the Single Supervisory Mechanism (SSM) is, when you start talking in acronyms and the like, is not easy. I chair the Supervisory Board of the ECB, which is the board of the ECB that takes decisions concerning the supervision of banks across 21 EU Member States: the 20 of the euro area and the one in close cooperation, Bulgaria. The ECB is entrusted with supervision and works closely with the National Competent Authorities (NCAs), including Lietuvos bankas. So we have supervisory teams that supervise all the significant banks, and these teams include staff from the ECB and staff from the NCAs. That’s why I tend to visit all the capitals of the banking union every year to meet the supervisory teams, discuss the work we are doing together and have meetings with the banks we directly supervise.
In the broadest terms, what’s the health of Lithuanian banks like as we head into economic turmoil?
Let me start from the European perspective. In general, 2022 was a very good year for European banks. One could say almost surprisingly good because, at the start of the year, especially when Russia launched its invasion of Ukraine, we were very concerned about all the repercussions this would have on the economy, on the outlook for growth, with an energy shock coming and the possibility that the banks’ asset quality could suffer as a result. In reality, we are seeing that the banks closed the year with very strong capital positions. Asset quality continued to improve. Towards the fourth quarter of the year we saw some slight signs of increases in default rates, but nothing that would be cause for alarm. The liquidity position remains very good. Asset quality, as I said, kept improving, and profitability in particular became much stronger, because the normalisation of interest rates had a positive effect on banks’ interest margins and on their profits. So the year ended with very positive news.
This was also true for Lithuanian banks. Lithuanian banks have a stronger capital position than other European banks, their asset quality is better than average and their profitability is very strong. They are among the few banks that are in double digits in terms of return on equity, so that’s a very positive starting point.
Looking ahead, there are still a lot of uncertainties, and we are still in a slowdown situation. We were fearing a harsh recession. The likelihood is now maybe lower, but we could still be negatively surprised by the macroeconomic developments. Monetary policy normalisation has been faster and stronger than expected. So far, this has been a positive development for banks. But beyond a certain point, it could become an issue, because higher inflation and higher interest rates affect borrowers’ ability to pay back their loans. If you start to see households and corporates struggling in that regard, then this could very easily become an asset quality problem for the banks. So we are asking banks to be very vigilant about this, to identify signs of deterioration in asset quality and intervene early, and to offer solutions to customers.
The other areas on which we are increasingly focusing our attention are IT risk and cyber risk. And climate and environmental risk is another area of close supervisory attention.
Specifically for Lithuanian banks, the market is very concentrated, with a few banks having a very dominant position. There have been some attempts by new, smaller banks, especially digital banks, to enter the market, which is of course very positive. When you have these banks, you need to be very sure from a supervisory point of view that you have sustainable business models and that you set up the right governance and compliance. But, in general, having greater competition in the market is also a good thing from the supervisory point of view.
Should banks make the internal models they use to measure their own risk exposure more sensitive to the economic downturn? Is this economic downturn and banks’ preparedness for it connected to the internal models issue that you have mentioned quite a few times in the press?
On internal models, we put a lot of effort into our targeted review of internal models (TRIM), a dedicated project which lasted several years. When the SSM was established, there were very different practices across Member States for supervising internal models, and there were lots of complaints that there was no consistency between the risk-weighted assets of different banks, and in similar portfolios. So this work is over. This was the first cycle. We devoted a lot of effort there, to make sure that all the internal models of banks were in the right place, were respecting the regulations, and were robust enough. This led to significant strengthening also in terms of capital, because when we did find weaknesses in banks’ internal models, we said “until you remedy this weakness, we will apply a multiplier to your risk-weighted assets” – so higher capital charges, basically.
Now we are in a second phase, in which we are reviewing the models and approving changes that banks are making to their models to comply with the new regulatory framework. Banks are currently implementing the regulatory requirements of the European Banking Authority’s roadmap to repair internal ratings-based models, and we are checking that the banks are in line with these rules and that risks are appropriately covered with capital.
Sometimes I see that banks complain, or they say “there was an on-site investigation on my model, and this led to a surprising increase in capital charges”. Sometimes there is also the allegation that we are using these investigations to raise the bar in terms of capital, which is definitely not true. We go there and we really try to make sure that the models of the banks are in line with the rules. That’s all we do. If they are, there is no news and nobody notices. When they aren’t, the banks need to fix them. But this is business as usual. There is nothing out of the ordinary in terms of our supervision in this area.
You mentioned fears about Russia’s war against Ukraine having an effect on the real economy, and talking to banks myself, I have the impression that the new sanctions regime connected to the war actually put quite a sudden strain on banks’ anti-money laundering (AML) protocols. Is it difficult for banks to deal with international sanctions with the resources they have?
It is very important for banks to make sure that they are respecting sanction regimes, because the reputational impact for a bank, if they are found wanting in this area, could be huge. In the past, we have seen banks involved in money laundering activities that have been under the scrutiny of US authorities, and this led to banks failing overnight. So it can become a stability issue. It is very important that the banks are diligent in this area. I understand this is a burden, no question about it. They need to establish processes to make sure that they do the proper checks.
Our focus is very much on internal controls and governance. Banks which have a stronger internal control framework and proper governance with good checks and balances overall are better at complying with sanctions regimes. This is also very important for us as supervisors, because if a bank does not respect these regimes, the consequences can be lethal.
There are a couple of European banks that are still working in Russia. Could this create a contagion of reputational risk to other banks which have, for example, investments in banks with a presence in Russia? How do you see the situation of banks that still have activities in Russia?
European banks’ exposures to Russia are not very material overall. The latest figure, which is for the third quarter of last year, is around €87 billion for all European banks, which is not a huge amount. Many banks that still have a presence there have taken action to reduce their exposures, and most have significantly increased their provisions against their exposures in Russia. Some have also introduced a sort of “dual steering” of the banks, monitoring the bank without Russia and the bank with Russia separately. So, in terms of risk management, there have been positive developments. Still, it’s not easy for a bank or for us as a supervisor if there are establishments in Russia that might take local risks, and at a time when the visibility on that market also starts to be lower.
But we also understand that selling might be difficult at the moment. There are a number of local requirements that need authorisations, and there is a new regime there. What is important for us is that banks keep closely monitoring the business there, and ideally, reducing it and winding it down as much as possible.
Are you satisfied with the speed at which this is happening? You mentioned that there have been positive developments for European banks getting out of Russia, but is it fast enough?
I’d like it to be faster.
Can it be faster?
Does this war pose specific risks to our region? Being so close to Russia, do Lithuanian, Baltic, or Scandinavian banks face specific threats or specific risks that you are worried about?
I don’t think it’s an issue. As I said, the interconnectedness of this banking sector with Russia is relatively limited, and banks have already started to segregate business in Russia from the rest of their business.
There are, of course, other types of potential risk. For example, we know that there has been a significant increase in cyberattacks. We cannot apportion this to any specific source, but it is a fact that the number of these attacks has increased since the war started. The impact of these attacks has been contained overall, but this is a source of concern for banks in several regions in Europe. That’s why we are starting to direct more attention to IT and cyber risk, among other things.
There was one more issue that the war caused for European banks: their exposure to energy traders and the unprecedented price volatility that we saw. Was this risk managed well? Is that issue getting better with prices coming down a bit?
Commodity traders were an area of focus for us in the first half of last year. It is true that the market is dominated by a few players – most of them pretty opaque and not listed – so there isn’t much information on their business. We therefore zoomed in on the exposures of European banks towards these counterparties and we identified some risk management issues in their relationships with these counterparties, which we recommended that banks strengthen and take care of. So this is an area in which we have tried to bolster the safety of European banks.
Risks have not materialised so far. The development in prices was advantageous for commodity traders for a while, so you didn’t have risks materialising from that side. But nonetheless, I think it is important to remind banks that this is a potential source of risk, in an environment of high volatility of energy prices.
Does that pose a greater risk to small banks as, with a smaller capital base, they can more easily become exposed to this extreme price volatility that we saw?
Last year, global loans to commodity traders stood at about €80 to €100 billion, with European banks accounting for about a third of this figure. The exposures are fairly concentrated in the relatively large banks, so I’ve not seen a lot of smaller institutions taking large positions towards commodity traders.
On cybersecurity, are you content with the way banks have reacted to the increase in cyberattacks?
As I said, the increase in attacks has not yet led to major operational problems at European banks, but there is a need to strengthen the defences in this area. This is clear. In the recent past, both during the pandemic and after the invasion of Ukraine by Russia, there have been some episodes which have made us think as supervisors. For instance, many banks are outsourcing critical functions, either to other companies in their group or to external providers, third-party providers of services, which are often located in other jurisdictions – sometimes in Russia itself, sometimes in India or other jurisdictions across the globe. The sanctions regime also showed that sometimes you can be cut out of a relationship with a counterpart very quickly. For instance, in the case of Amsterdam Trade Bank, which was a subsidiary of Alfa Bank, a Russian bank, we saw that the Russian bank was put on the sanctions list by the US authorities. Amsterdam Trade Bank was no longer able to receive essential IT services from its US providers, and this meant that the bank went bust overnight.
So these issues can become very relevant, and we need banks to be prepared. That’s why for next year we are launching a thematic stress test on cyber resilience, which will try to test how banks are able to respond to and recover from a successful cyberattack. It’s a new exercise, and we will devote quite a significant amount of time and resources to it, to have a better understanding of where the banks’ strengths and weaknesses are. We plan to have the results by around the middle of next year.
You mentioned that you have already met with representatives of local banks. Do they look better or worse as compared to other parts of Europe when it comes to this issue?
There are, I would say, bright and dark spots. A bright spot is that, in general, Lithuanian and Baltic banks started with the digital transformation agenda before other European banks, so they were a little bit ahead. Also, in terms of governance, you are more likely to find some IT expertise at board level in banks in this region than in banks in other European areas. So there is more awareness and a greater focus on the IT and digital transformation, and this is good. In a sense, it’s an advantage for banks in this area.
Of course, sometimes – and this is a common element that we also see in banks in other areas – when banks invest in digital and develop their digital transformation agenda, they do so with a strong commercial focus, and maybe don’t pay enough attention to the risks that are associated with these commercial objectives. Here, in terms of risks, I mean IT risks, the ability to ensure continuity of services to customers, a well-integrated IT infrastructure, and the ability to provide the board with high-quality information so that it can manage and monitor the risks and strategically steer the bank. In these areas there are elements of weakness, not only at Lithuanian or Baltic banks – it’s unfortunately a common feature across the European landscape.
This is going to be the first downturn and the first rate hike cycle for many of the fintech companies that are registered in or operating from Lithuania. Does that pose a set of unknowns for regulators to be aware of or pay attention to? Does having a lot of fintechs pose some new risks that we haven’t seen before?
The fintech landscape is very diverse. Sometimes there is the tendency – and I must also confess that at the beginning of the debate, I was to some extent characterising the dynamics in this way – to see banks as the incumbents and fintechs as the disruptors that can aggressively enter the market with new technologies and big market shares, and grow and maybe take the place of banks. I think the reality over the last few years is much more complex than that. Fintechs have been disruptors to some extent, but the disruption has occurred mainly in the area of payments. That’s actually an area where it was the European legislators that created an opening for non-bank providers to enter the market, access the accounts of the customers at the banks and trigger competition for the banks. This worked very well, so in this area fintechs have gained significant market share and they have marketed themselves well. Some of them are really very good in terms of the types of services they provide to their customers. I don’t see this type of business being disrupted by higher interest rates or a cyclical downturn. Of course, if the economy goes into a difficult space, it goes into a difficult space for everybody, so everybody’s going to see reduced profits, but you don’t have loans or assets that would be directly impacted by the downturn or by the increasing interest rates.
Then you have all the other types of financial technologies which have been developed to be used in other areas, such as artificial intelligence. In these areas, it is not really the disruptors challenging the banks. What I see more is actually banks and these fintech providers partnering up and providing transformation services together. Sometimes banks acquire these innovative firms. I think this is also a positive development because banks do need to develop digital transformation and a digitalisation agenda.
The third core area is where you have some new providers that try to enter the market, thinking that with new technologies they can gain market share quickly and maybe develop aggressive policies to do exactly that. In the past, for instance, we saw those crowdfunding platforms that were being developed. I think this area could be more of a risk. It has not developed a great deal, to be honest. It had a little bit of a flurry a few years ago, but we have not seen a massive increase in business and market share. But insofar as there are some places that have taken aggressive positions without good underwriting policies or good compliance structures and the like, it’s these small segments – and I hope they’re small – of the market that could be in a little bit more trouble.
My personal impression is that fintechs always seem to be one step away from the crypto space, in one way or another. They either provide access to it for their customers, because their customers seem to be interested in that, or they try to do things in the crypto space themselves. Is the crypto space going to pose a new risk, or is it just a fashionable thing while the money is cheap?
The first observation we need to make is that last year there was a massive adjustment in the crypto space – a massive crisis, basically. You had major players defaulting, and the whole market had a massive downward repricing. This crisis – let’s call it that – had no systemic implications, and did not create any contagion for banks. So it’s clear that the banking sector is still very separate from the world of crypto-asset providers, and that there is no systemic challenge coming from that side. Of course, there could be detriment to consumers. The Federal Reserve’s latest report on Economic Well-Being of U.S. Households showed that the typical investors in crypto-assets often come from lower-income parts of the investor community, so there is a consumer protection issue that probably needs to be managed. At the European level, we are among the first to develop a regulatory framework on crypto-assets, the Markets in Crypto-Assets regulation, which we expect to be finalised in the coming weeks and to enter into force in 2024. It will be complemented by the Basel Committee on Banking Supervision’s standard on the prudential treatment of crypto-asset exposures, which was finalised in December 2022 and will be implemented by jurisdictions by 1 January 2025. So we are moving forward in a positive way in that area.
I don’t think that there is a clear connection with interest rate adjustments or with the overall market dimensions. It’s just that they were not being regulated: there were some business models in that area that were not safe and sound, so that generated massive losses for investors.
Returning to fintech regulation, we had a sort of swing in terms of the attitude of our central bank towards fintech regulation, because, at first, it seemed loose enough to actually attract quite a few fintech companies to Lithuania. Now the central bank seems to be walking that position back a little, scaling back the loose attitude. Are there good practices that we should be implementing?
Again, I think we should differentiate a bit. There are different areas. In the area of payment institutions, I think everything is developing in a relatively controlled way, so in the way that the legislators wanted it to develop. So for these new companies that are becoming competitive vis-à-vis the banks and provide good services and cheaper conditions to end users, I don’t see anything that we should either worry about or do something about. Then you have the specific banking market, where you have some fintech companies that are developing banking franchises and asking for a banking licence. I think that if they want to compete in that space, the banking space, they need to be complying with banking regulations and the supervisory expectations that we have for every bank, meaning robust compliance, strong internal governance, good business planning and capital planning, and good internal controls and risk management.
Sometimes, from my experience, when talking to these innovative firms, they come to me and say, “Tell me what you want as a regulator, and I will create an algorithm and make sure that I make you happy.” It’s not about an algorithm; it’s about having the internal structures, the controls and the board knowledge in place. That’s the main challenge for these new banks. If they want to be successful and sustainable in the long term, they need to pay due attention to these aspects. So it’s important that they tick all the boxes in these areas.
And they can do it. We have several examples of new banks which have been good challengers, and very successful. The area which is sometimes critical for these banks – which is not under my responsibility – is AML controls. “Know your customer” is an area in which some of these new banks struggle to put in place the appropriate controls, so they need to develop good systems in that space as well.
That’s a perennial argument, that jumping from a young fintech that is developing its services to a full-on well-regulated European bank might be a bit of a steep step to make. If you are filtering out some companies that might, potentially, become competitors to banks, and for no real reason other than they are not yet mature enough to have a board, or tick all the boxes, is there an issue there?
To be honest with you, I don’t think so. I think we have been very proportionate. In 2018, we issued specific guidance at the ECB on the licensing of fintech credit institutions. This guidance was specifically focused on these banks, so trying to avoid being excessively heavy-handed about the type of requirements that we set, but setting clear expectations in terms of the areas in which they cannot go below a certain level.
Ultimately, when you grant a banking licence, you enable a bank to collect deposits from the general public. So if you touch deposits, then you need to have some safeguards in place, because ultimately it is the community, it is the deposit guarantee scheme, that protects these depositors. But, again, I think we are being very proportionate in the type of requirements that we set for licensing these banks. We have been extra careful not to prevent them from entering the market and to actually accompany a smooth entry into the market with the proper systems and controls in place.
How prepared is the European banking sector for this new cycle? How are we doing in terms of banking, as Europe likes its banking quite a bit?
First of all, we should be proud of the results of the financial reforms that we implemented after the great financial crisis. Strengthening the resilience of banks in terms of capital, liquidity and risk management has provided a service to the community. When we had the shock in 2008, all the banks started pulling the brake and tightening lending, and the whole economy went into a tailspin, and that was a huge destruction of wealth and value for our economies: large-scale unemployment and a severe recession. This time, when we had the pandemic, banks did not start tightening credit and standards. Why? Because they had much stronger capital positions, much stronger liquidity positions and also, to be honest, because the authorities – the fiscal, monetary, and supervisory authorities – supported the process and supported lending in a positive way. So the system has already shown greater resilience, and we are seeing the benefits of greater resilience.
Of course, this doesn’t mean we are safe from any risk. Things may happen that surprise us negatively, and we have seen several of them. Personally, I think that what is crucial, ultimately, is the strength of banks’ internal controls. During the pandemic our teams, both on-site and off-site, went very deep, and to a very granular level, into the quality of internal controls at the banks, because when you have good internal controls you are able to identify the problem, take remediation action early, and then minimise the final impact. So that’s the most important thing, I think, and banks are better than they were in that area, but we have also identified some areas in which they still need improvements.
Then, we have mentioned throughout our conversation the long-term structural challenges that are not going away, which are also opportunities, to some extent, but they require attention from banks. These are the digital transformation and climate change – the net-zero challenge. In these two areas, banks need to invest adequately and look at the risks from a longer-term perspective than they are accustomed to. One of the problems in the great financial crisis was that the banks were very much focused on short-term profits. I think that we now have an opportunity to correct this type of short-term bias. Banks need to think long-term. They need to understand that there is a climate transition coming and they need to prepare and keep themselves well ahead of it. The digital transformation is not something for the market share next year. It’s a challenge for the longer term, and banks need to invest properly, not only in terms of reaching out to customers, but also in terms of building up resilient infrastructures to ensure continuity in the provision of services and resilience to IT and cyber risk, as we mentioned. So these are really important challenges that the banks will have to take on for a long while.
You mentioned climate risk. Could you elaborate on what kind of climate risks there are for the banking sector?
First of all, you have physical risk. We are seeing an increasing occurrence of wildfires and floods, and these are generating losses, and if you have taken as collateral a building which then gets destroyed in one of these events, of course you lose money, and this is becoming more and more frequent. It’s not yet creating major losses in banks’ books, but it might do. We carried out a stress test last year to test precisely these types of event, and the capital hit is not dramatic, but it is impactful.
Then, for the transition, again, there are several channels through which, if banks do not prepare sufficiently in advance, they can be surprised and then find themselves in a very difficult spot. It might be that certain policies are adjusted abruptly, so that governments faced with an acceleration of climate change decide to take actions sooner than previously envisaged. If you are heavily invested in a sector that is negatively impacted by these policy decisions, then these immediately materialise on your balance sheet.
An example given frequently is that of the Dutch Government, which has already made some laws stating that, if office buildings do not respect certain environmental characteristics and requirements, they can no longer be used. So it means that if you are accepting these buildings as collateral, in a few years they could have zero value, because you can no longer use them commercially. So you have a lot of these examples that can materialise pretty fast. Then you go to the banks, and you ask, “Are you able to measure the risk? What is the environmental category of the building?” and they don’t even have the data, so they can’t even measure the amount of risk. So that’s where our supervisory pressure comes in. You need to be able to measure the risk, to manage it actively, and to prepare, because this is coming. My assumption is that the path to net-zero emissions by 2050 won’t be the straight line that we expect right now, so there will be bumps in the road, and banks need to be ready.