“Maximum harmonisation with minimal rules”

Interview with Kilvar Kessler, Chair of Finantsinspektsioon and Member of the Supervisory Board of the ECB, Supervision Newsletter

14 May 2025

Estonia is a pioneer in digital banking and you encourage banks to use more digital solutions. What motivated you to drive this forward?

In my opinion, Estonia’s leadership in digital banking boils down to two things: business needs and a strong tradition of computer science. This tradition came about because historically, in the Soviet planned economy, Estonia happened to be the home of a couple of science institutes specialising in computers and programming. These institutes were located in Estonia because the level of education there was very high. We consequently had, and still have, a good body of engineers and scientists who are more than fluent in programming and IT.

The second reason was the business need to cut the costs of labour and bricks and mortar bank branches. The banks did not suffer from legacy issues and could therefore build their business using state-of-the-art technologies. Finantsinspektsioon has had IT auditors working with it since it was established at the beginning of this century. This means we have maintained the role of supervisor and we make sure IT risks are properly managed, leaving the rest up to the market.

Have you seen an uptick in cyberattacks since Russia’s invasion of Ukraine in 2022?

Our history of cyberattacks started in 2007 when Estonia’s banks and other institutions were massively attacked for the first time by foreign, state-related bad actors. Since then we have learned how to deal with cyber threats. However, it is a constant game of cat and mouse, where the main responsibility is with telecom service providers, financial intermediaries and certain other actors, and cooperation between these parties is critical.

Yes, there has been a slight uptick in cyberattacks recently. Consumers have generally not noticed disruptions in banking services, as overall the countermeasures have worked properly.

European banking supervision is ready to impose the first periodic penalty payments. What is your experience of bank penalties?

For me, penalties are one of the tools in the supervisory toolbox, as foreseen in the legal acts. Supervisors should not hesitate to use them at the appropriate time, alongside other measures, to send a signal to wrongdoers and to the market as a whole. However, penalties should be used in a proportionate manner.

We do not impose monetary penalties frequently, but in serious cases we do as our policy foresees. Our experience is that the deterrent nature of a penalty along with making the penalty public has an even bigger impact than the actual measure itself. One thing to note about using the measure is that the legal team should be ready not only to draft penalty decisions and provide reasons for them, but also to defend these decisions successfully in the courts.

A few prominent anti-money laundering cases in Estonia, such as those of Danske Bank and Swedbank in recent years, have shown that open markets can come with risks. What lessons have you drawn from these cases and what safeguards do you have in place?

One lesson we learned is that supervisors should never lose their curiosity. Frankly speaking, we discussed these risks in quite some depth with our Baltic friends during the meetings when the single supervisory mechanism (SSM) was being set up. I think these discussions would never have taken place if the SSM hadn’t brought us closer together. Another thing we learned is that it takes courage to tackle some serious, outstanding risks proactively, especially if they might not be that visible to stakeholders or the public at large. The third lesson we learned is that you have to show, in a credible way, that entering into a questionable, risky business without risk controls in place will end up with you having to exit the business.

At the current juncture, we have good processes and systems in place that help us understand and measure the respective risks. Moreover, we have an excellent team that has become highly experienced in handling complex cases. And we have put an effective cooperation network in place. We are very much looking forward to the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) being set up and to sharing our experience with them.

The Estonian banking sector is relatively small and concentrated, with foreign banks dominating the market. How important is proportionality for Estonia as part of European banking supervision?

In recent years, local banks have gained market share and foreign banks have lost some. However, I would say that all banks operating in the Baltics are small or medium-sized banks. Sometimes our common rulebook is pretty burdensome for smaller institutions. This means that supervisors should really understand the context and merits of a business in addition to going through all the aspects formally.

I have also noticed that there are cultural differences in doing business. For example, Scandinavian financial organisations rely on a bit less formal set-up, while the continental European approach seems to appreciate quite detailed, written processes. At the same time, both approaches have produced good financial and business results. I therefore very much welcome European banking supervision’s move towards more risk-based supervision.

Considering the current global push for deregulation, do you see room for streamlining rules and reporting obligations in Europe?

We supervisors have learned that rules are our friends in supporting financial stability and transparency. But limiting failure too close to zero sometimes means that creativity suffers, as bankers are not incentivised to take a risk to boost new businesses. Fewer new businesses with good creativity means fewer successes and less added value. I see some room for easing the rules.

Deregulation at the EU level should, however, not be a vehicle for Member States to build their own internal rules in a way that effectively makes their markets more difficult to access. I consequently believe that the European Union should consider taking the path of maximum harmonisation, but with only the minimum of necessary rules within it. These should be principle-based rules. I think this would work at least in places where we have joint mechanisms in place, such as the SSM and the Single Resolution Mechanism.

You have been a member of the Supervisory Board from the very beginning of the Single Supervisory Mechanism. What have your observations been over the years? Where can it improve further?

First, integrating with the SSM and becoming a part of it was a huge leap forward for Finantsinspektsioon. We gained direct access to a vast database and very deep pool of know-how. Finantsinspektsioon was given the chance to share its experience of supervising IT risks and of conservative and risk-based prudential supervision, among other things. I cannot underestimate the personal and professional contacts that being a part of the SSM has created for all of us. It is my experience that, especially during crises, personal trust and a close connection between supervisors has a very, very high value.

I like the current trend, at least from our point of view, where the central authority trusts the national competent authorities and their judgement more. This links nicely with our risk tolerance project that I like to call “risk-based supervision”. Moreover, I applaud the digitalisation work that the ECB as central authority has done and is doing in banking supervision, as this is directly linked to the efficiency of the whole system.

Looking ahead, I think we need to analyse whether on-site inspections are arranged in the best possible way. I was surprised to learn that cross-border, on-site missions are not that common, as in Estonia all incoming on-site visits in prudential banking supervision have been cross-border. Another broader and pressing question is how European banking supervisors see themselves in the overall value proposition. Should we strongly voice our opinion on cross-border mergers and acquisitions, or remain neutral? Should we have an even better understanding that the structural changes in banking requested by the ECB may have positive but also negative impacts on a Member State’s economy?

Overall, I am very happy with how European banking supervision has developed over the years and I am optimistic about the current path we have taken.