Foreword by Christine Lagarde, President of the ECB

2024 was a special year as we celebrated the tenth anniversary of the Single Supervisory Mechanism, which was launched on 4 November 2014. Over its decade-long journey, European banking supervision has not only confirmed its status as one of the most significant milestones in European integration since the launch of the euro, but also exceeded expectations in fulfilling its tasks.

Banks under European banking supervision have become considerably more resilient over this period. Despite Europe’s economy being tested by the COVID-19 pandemic and the subsequent energy crisis, supervised entities maintained strong profitability, capital adequacy and liquidity.

By the third quarter of 2024, the aggregate Common Equity Tier 1 capital ratio and liquidity coverage ratio stood robustly at 15.7% and 158.5% respectively. This financial strength enabled banks to effectively support the broader economy and aid the smooth transmission of the ECB’s interest rate policies.

In 2024, with the disinflation process well on track, a pivotal shift in monetary policy occurred, with the ECB cutting rates as we entered the “dialling-back” phase of our policy. Banks effectively adjusted their lending conditions to reflect these changes. However, the year also presented ongoing challenges owing to a volatile external environment, which is expected to persist. The global geopolitical landscape is marked by instability, including Russia’s unjustified war against Ukraine, conflicts in the Middle East and enduring tensions in international trade. These factors continue to test the resilience of banks, highlighting the need for vigilant supervisory oversight to strengthen defences against macro-financial threats and geopolitical shocks.

Banks must also remain adaptable in the face of transformative structural challenges. Climate change and digitalisation are reshaping the banking landscape. With global temperatures rising, climate-related disasters such as wildfires and flooding have become more frequent. Banks’ ability to manage and mitigate climate‑related and environmental risks will remain high on the supervisory agenda.

At the same time, technological advances are rapidly reshaping industries, including the banking sector. Digital transformation has become essential for banks to remain competitive, but it must be accompanied by sound risk management, addressing issues such as over-reliance on IT service providers and the persistent threat of cyberattacks. The ECB is planning to intensify its supervisory activities in this area in 2025, as mandated by the Digital Operational Resilience Act.

Through these efforts, we remain committed to fostering a robust, resilient and forward-looking banking sector that is capable of navigating challenges and opportunities alike, ultimately supporting the broader economy.

Foreword by Claudia Buch, Chair of the Supervisory Board

In 2024 we could look back on a decade of progress in developing a well-supervised European banking sector. The achievements of European banking supervision would not have been possible without the expertise and dedication of colleagues at the ECB and the national competent authorities. I would like to sincerely thank them for all their hard work. Their efforts have been instrumental in maintaining the stability and integrity of the European banking sector.

Today, the European banking sector is more resilient than it was a decade ago, thanks to better supervision, stronger regulation, improved risk management in banks and decisive policy responses to shocks such as the COVID-19 pandemic and the energy crisis. Robust regulatory standards and effective supervision help to ensure that banks remain sound and stable in a challenging external environment. Resilient, well-capitalised banks are best placed to support and provide financial services to the real economy, including in periods of stress.

Resilience has become all the more important as the environment in which banks operate changes. Macroeconomic and geopolitical risks are heightened, climate and nature-related risks need to be duly considered, digital transformation in the financial sector is affecting the competitive environment, and structural change in the real economy could have an impact on asset quality. Against this backdrop, banks must adapt their risk management frameworks and ensure that they are prepared for adverse scenarios.

At the same time, supervision needs to be risk-focused, forward-looking and responsive to a changing environment − as reflected in our supervisory priorities for 2025-27.

First, banks need to be sufficiently resilient to cope with potential adverse macro-financial threats and geopolitical shocks. The 2024 SREP showed that significant institutions supervised by the ECB have strong capital and liquidity positions. This is also true for the less significant institutions supervised by the national competent authorities. At the same time, a potential deterioration in asset quality and possible economic disruptions caused by geopolitical conflicts or the effects of financial sanctions require heightened attention, sufficient capital and robust governance and risk management systems in banks. Moreover, operational resilience, particularly in the area of cybersecurity, is just as important as financial resilience.

Second, banks must address identified weaknesses in resilience and risk management in a timely manner. These include shortcomings related to governance and climate-related and environmental risk management. Banks also need adequate systems for risk data aggregation and risk reporting capabilities so that their management bodies can make informed decisions in a fast-evolving environment. We will continue to monitor these areas and take supervisory action if needed.

Third, banks need to respond strategically to the digitalisation of financial services and manage the associated risks. As banks increasingly adopt advanced digital tools to enhance efficiency and meet customer expectations, we will continue to assess their digital strategies to ensure that risks are mitigated.

Just like banks, supervisors need to adapt to a changing environment. Thus, in 2024 the Supervisory Board decided on a reform of the Supervisory Review and Evaluation Process (SREP) in order to streamline our processes and enhance efficiency. The SREP reform should make supervision more efficient, effective and focused on bank-specific risks, ensuring that supervisory findings are remediated more swiftly and consistently.

Looking ahead, we will remain firmly focused on the safety and soundness of the banks we supervise and the stability of the financial system. This will enable the banking sector to adapt to the challenges and opportunities offered by a changing world.

Alongside supervisory efforts, a strong regulatory framework, geared towards resilience, is instrumental in preserving financial stability. Legislative progress on the crisis management and deposit insurance framework is needed to enable authorities in the banking union, particularly the Single Resolution Board, to more effectively deal with bank failures and protect depositors. Completing the banking union and making further strides towards a capital markets union remain key priorities for strengthening the resilience and integration of Europe’s financial system.

Engaging in a close dialogue with civil society is crucial in ensuring support for strong and effective supervision. We remain committed to a high level of transparency and accountability to European policymakers, and we have been reaching out more to civil society organisations. We have deepened our collaboration with international authorities – a particularly crucial endeavour in view of the new geopolitical challenges. We will continue to work with all stakeholders to promote a resilient and efficient financial system that can underpin sustainable economic growth across the euro area.

1 Banking supervision in 2024

1.1 Financial resilience of banks under European banking supervision in 2024

Banks under European banking supervision have overall solid capital and liquidity positions. The aggregate Common Equity Tier 1 (CET1) transitional capital ratio of significant institutions (SIs) stood at 15.7% in the third quarter of 2024, compared with 15.6% in 2023 on a year-on-year basis,^[1] while it reached 18.4% for less significant institutions (LSIs). The aggregate transitional leverage ratios remained broadly stable at 5.8% for SIs and improved to 9.8% on a year-on-year basis (+0.45 percentage points) for LSIs.

In 2024 the aggregate liquidity coverage ratio was 158.5% for SIs and 216.8% for LSIs. The aggregate net stable funding ratio stood at 126.9% for SIs and 133.7% for LSIs.

Profitability of banks under European banking supervision remains higher than in the period of low interest rates before mid-2022. In 2024 net interest income stagnated while fee income increased. Funding cost headwinds lessened, supported by lower rates. Deposit rates lost their upward momentum with the June 2024 monetary policy rate cut. Overall, interest rate expenses remained high, as maturing liabilities repriced at higher levels.

In 2024 the aggregate annualised year-to-date return on equity of SIs was 10.2%, as compared with 10.0% on a year-on-year basis, largely mirroring developments in interest rates attenuated by a slight increase in equity. For LSIs, the return on equity reached 8.2%, as compared with 8% in 2023 on a year-on-year basis.

Asset quality was broadly stable in 2024. The overall non-performing loan (NPL) ratio of SIs stood at 1.9%^[2], with an ongoing increase in the volume of NPLs by €13.9 billion in the first nine months of 2024. The total volume of NPLs at SIs reached €360.5 billion in 2024.

However, pockets of risk were observed in some portfolios, driven predominantly by sectors more sensitive to interest rate changes such as small and medium-sized enterprises (SMEs) and commercial real estate. Loans to SMEs showed an increasing number of late payments and defaults, which drove up the NPL ratio of SMEs to 4.9%. The commercial property market continued to undergo a substantial price correction.^[3] This, together with increased pressure on borrowers’ ability to refinance maturing commercial real estate loans due to higher interest rates, led to an increase in NPLs in some countries. Banks began to increase provisions for corporate loans, with the cost of risk rising marginally to 0.5% in 2024, as compared with 0.4% in 2023 on a year-on-year basis. The coverage ratio for corporate NPLs reached historically low levels of 42.1% in 2024, driven by, among other things, the disposal of well-provisioned legacy NPLs.

The recent easing of banks’ credit standards for mortgages supported an increase in residential real estate loans, with stable credit risk indicators and the NPL ratio standing at 1.6% in 2024 for SIs.

1.2 Supervisory priorities for 2024-26

1.2.1 Overview

Over the past couple of years, the banking sector outlook had largely been shaped by an uncertain macro-financial environment, a weaker economic outlook, higher and more persistent inflation and the tightening of financing conditions, as well as by heightened geopolitical tensions and the risk of renewed episodes of financial stress. Against this backdrop, supervised entities were asked to strengthen their resilience to immediate macro-financial and geopolitical shocks (Priority 1), focusing primarily on their credit risk and counterparty credit risk management frameworks, as well as on effectively mitigating the build-up of risks in portfolios more sensitive to these shocks. Supervisors assessed the adequacy of banks’ asset and liability management frameworks, with a view to ensuring resilience to short-term liquidity shocks. Banks were asked to accelerate the effective remediation of shortcomings in governance and the management of climate-related and environmental risks (Priority 2), and to make further progress in their digital transformation and in building robust operational resilience frameworks (Priority 3).

1.2.2 Priority 1: strengthen resilience to immediate macro-financial and geopolitical shocks

1.2.2.1 Credit risk and counterparty credit risk management frameworks

Throughout 2024 supervisors continued to address structural deficiencies in banks’ credit risk management frameworks, including portfolios more vulnerable to higher interest rates and continued macroeconomic uncertainty. Therefore, it is particularly important that banks proactively address emerging credit risk in vulnerable portfolios and across asset classes. Loan origination is a key component of the credit risk management cycle of a bank, because originating good quality loans can help prevent future NPLs. In 2024 the ECB continued to focus on NPL management and related activities to ensure that should NPLs begin to rise, banks are equipped to react proactively with the appropriate processes and procedures.

The off-site and on-site activities performed in 2024 revealed that banks have made progress in mitigating the risks related to vulnerable portfolios and asset classes. However, several shortcomings remained unaddressed.

A series of off-site targeted reviews and on-site inspections focused on residential real estate, commercial real estate, leveraged finance and SME portfolios in the areas of loan origination, risk classification and the modelling practices for expected credit losses. Joint Supervisory Teams (JSTs) also carried out deep dives on topics and risks specific to their banks for example, the classification of forbearance and unlikely to pay.

The focus continued to be on the management of emerging risks, particularly in vulnerable portfolios such as commercial real estate and leveraged finance. An ongoing on-site campaign on commercial real estate revealed a range of issues in terms of how banks commission or carry out their valuations.^[4] A comprehensive leveraged finance portfolio review was carried out to complement off-site activities given the significant growth and associated risks seen in this sector.^[5]

On-site and off-site activities continued to reveal issues regarding the identification of forbearance and unlikely-to-pay exposures. Correct identification and classification of risk is critical to ensuring that it is effectively managed and that adequate capital and provisions are made. A range of supervisory measures were communicated to banks in 2024 to ensure that deficiencies would be remediated in a timely manner.

As a result of supervisory work carried out on IFRS 9 provisioning practices, specifically overlays, the ECB published a set of best practices for capturing novel risks in loan loss provisions.^[6]

The remediation of findings relating to counterparty credit risk has progressed. Furthermore, in 2024, in cooperation with the Federal Reserve Board and the Bank of England, the ECB conducted a joint analysis of counterparty credit risk exposures to non-bank financial institutions of some banks active in global financial markets. This initiative, in combination with reviews of exposures to private equity and private credit funds, brought to the fore the need for banks to gather appropriate information from their immediate counterparties in order to avoid excessive exposure to leverage and concentration risks.

In 2024 the ECB continued to monitor and address foreign exchange settlement risk using a sample of SIs most active in this area. To this end, the ECB reviewed SIs’ adherence to the relevant standards and sound practices^[7], with a particular focus on capital calculations. The ECB also adopted the Global Foreign Exchange Committee’s methodology for statistical reporting by selected SIs.

Detailed findings from all finalised off-site and on-site supervisory activities were communicated to banks. Where appropriate, these fed into the 2024 SREP outcomes, and the related supervisory measures were discussed with the supervised entities as part of the regular supervisory dialogue.

1.2.2.2 Asset and liability management frameworks

Following years of abundant liquidity amid rising geopolitical tensions, effective liquidity and funding risk management has become increasingly important. Additionally, social media and digitalisation, along with the appeal of alternative investment opportunities, can rapidly influence how depositors and investors react to price signals and market rumours. Unexpected events, such as political upheavals or economic disruptions, can lead to sudden repricing in markets, further complicating the landscape for banks. Without robust risk management strategies, credible contingency funding plans and prudent collateral management, banks leave themselves more vulnerable to adverse shocks.

Therefore, in 2024 the ECB conducted various off-site supervisory activities with respect to asset and liability management (ALM) frameworks. More specifically, it completed targeted reviews of funding and contingency plans, collateral mobilisation capabilities and ALM frameworks covering 25 SIs, selected based on their risk indicators together with the JSTs.

The targeted reviews concluded that SIs had generally maintained good access to both retail and wholesale funding, with funding costs stable throughout 2024 and expected to fall as from 2025. Furthermore, SIs were operationally capable of accessing central bank liquidity facilities. However, not all SIs were fully prepared to operate in a tighter liquidity environment.

Moreover, increasing reliance on market funding sources, limited and/or concentrated counterbalancing capacity and leniency in terms of designing adverse scenarios, combined with weaknesses in governance and internal controls, could compromise the reliability of SIs’ funding plans and increase execution risk. In some cases, assumptions regarding the time needed to liquidate assets were overly optimistic and collateral identification and management needed to be improved.

At the same time, the review of ALM governance and strategies revealed the need to (i) increase the frequency with which key ALM metrics are reported internally, (ii) better define internal strategies and limits for interest rate risk and liquidity risk, (iii) strengthen the calibration of ALM behavioural models, and (iv) improve the design of hedging frameworks.

In 2024 the ECB complemented its assessment of interest rate risk and credit spread risk in the banking book, as well as of liquidity risk, by way of its on-site inspection campaigns. 34 SIs were included in this assessment, selected in accordance with both the relevant supervisory priorities and the institution’s individual risk profile. On-site inspections complemented the results of targeted reviews with their in-depth bank-specific assessments of, among other things, (i) the measurement, monitoring and management of interest rate risk and liquidity risk; (ii) the robustness of funding/contingency plans and liquidity stress tests; and (iii) the accuracy of regulatory liquidity ratio calculations.

Finally, the ECB conducted a thematic review of intraday liquidity risk management at six complex global systemically important banks and, based on the outcome of this review, published its Sound practices for managing intraday liquidity risk.^[8] These practices complement current international standards by detailing concrete practices for seven areas of intraday liquidity risk^[9] and seek to harmonise banking supervision practices, while strengthening existing industry practices.

The shortcomings identified in the targeted reviews and on-site inspections fed into the 2024 SREP and other related supervisory activities.

1.2.3 Priority 2: accelerate the effective remediation of shortcomings in governance and the management of climate-related and environmental risks

1.2.3.1 Management bodies’ functioning and steering capabilities

Well-run banks are the cornerstone of a safe and sound banking system.^[10] Clear lines of accountability, effective risk management and transparency in decision-making processes are crucial for this to be achieved. Although banks have made further progress, the ECB continues to observe some structural deficiencies requiring further improvement, particularly in terms of the functioning and steering capabilities of management bodies, the effectiveness of internal control functions, and risk data aggregation and risk reporting.^[11]

Therefore, the ECB continued to engage in various supervisory activities with targeted efforts to achieve progress in these areas, with a focus on strengthening internal governance and strategic steering capabilities.

Over the course of 2024 the ECB concluded targeted reviews of those banks with deficiencies in the composition and functioning of their management bodies. The ECB has seen initial signs of progress among those banks that have been subject to scrutiny over the past few years. Banks have already begun to implement the recommended changes, demonstrating a commitment to enhancing their governance frameworks. However, despite these signs of progress, banks must continue their remediation efforts to fully address the identified deficiencies and to embed a strong risk culture and accountability framework within their management body structures.

Additionally, the ECB further engaged with banks on diversity and succession planning, both of which are reflected in evident improvements across SIs. While management body experience in banking, finance or economics remained stable at 88%^[12], the proportion of non-executive members with IT expertise had only slightly increased over the past few years, standing at 24%. As for management body members’ independence, the figures had remained stable across several years, with an average of 62% of management body members being formally independent, but with significant discrepancies across banks. There has been some progress in succession planning and diversity policies but slower progress in terms of gender representation. More specifically, the average number of female members remained low at around 35% of non-executive directors and 19% of executive directors.

Over the period 2022-24, as part of the work on deficiencies in the composition and functioning of banks’ management bodies, the ECB also continued to perform dedicated on-site inspections and targeted risk-based fit and proper (re)assessments (see Sections 1.3.5 and 2.2).

Finally, the outcomes of the targeted reviews of management bodies and annual data collections significantly informed supervisory activities and provided input for the Draft guide on governance and risk culture^[13].

1.2.3.2 Risk data aggregation and risk reporting

Risk data aggregation and risk reporting (RDARR) is essential for sound risk management and effective decision-making, as deficiencies in data quality and reporting undermine a bank’s ability to correctly identify, monitor and mitigate risks. Robust RDARR capabilities also enable banks to unlock their full potential, including enhancements in operational efficiency and competitiveness.

For over a decade, since the publication of the Basel Committee’s principles for effective risk data aggregation and reporting (BCBS 239), the ECB has continued to observe long-standing deficiencies in RDARR capabilities. In 2019, banks were reminded of the need to adopt a holistic approach to RDARR and data quality in a letter sent to all SIs. As a result of these ongoing challenges, RDARR was retained as one of the key vulnerabilities in the supervisory priorities for 2024-26. To address this vulnerability, a targeted supervisory strategy, encompassing on-site and off-site activities, was implemented to ensure that banks have effective steering and risk management procedures in place, supported by adequate data governance and robust data quality controls.

The dedicated on-site inspection campaign on RDARR continued, involving around one-third of SIs over the period from 2022 to 2024. This campaign identified several shortcomings in areas such as internal governance, IT infrastructure and data architecture, and data accuracy and integrity. With the conclusion of this campaign in 2024, the ECB will continue to conduct targeted on-site inspections to assess banks’ RDARR capabilities going forward.

A key milestone in off-site activities was the publication of the final Guide on effective risk data aggregation and risk reporting in May 2024, following a public consultation on the draft Guide. The final Guide provides clarifications and explanations of the supervisory expectations for RDARR, with a view to greater consistency and simplicity. All comments are summarised and answered in the accompanying feedback statement. A dedicated targeted review of a number of banks’ RDARR capabilities was conducted, which focused on management body responsibilities and data governance and architecture. Some progress appeared to have been made in clearly assigning RDARR-related responsibilities within management bodies and in establishing comprehensive policies. However, significant deficiencies persisted in several cases, including limited scope of application, the absence of fully independent validation functions or ongoing challenges in achieving integrated data taxonomies. As follow-up, seven institutions were subject to ECB decisions imposing qualitative requirements to address identified gaps. More broadly, supervisors increased pressure on institutions to address persistent issues in their RDARR capabilities that fell short of minimum supervisory expectations.

In addition to this targeted review, supervisors conducted specific assessments in the context of stress tests to evaluate the quality of data provided by supervised entities. In past years, significant improvements had been observed in the quality of data submitted. Nonetheless, some banks struggled to meet the required data quality standards. Where data quality was considered a signal of broader material shortcomings that affected RDARR, this was reflected in the SREP assessments and other day-to-day supervisory activities.

Finally, the ECB conducted its annual Management report on data governance and data quality exercise.^[14] As compared with the pilot exercise conducted in 2023 banks’ senior management appeared to be more aware of the pertinent issues relating to data governance and data quality. That said, some critical deficiencies still remained. For example, with regard to financial reporting (FINREP) and common reporting (COREP), the ECB identified operational/human errors in the reporting process, misinterpretation of regulatory requirements and recurring difficulties with regard to software providers and IT systems.

1.2.3.3 Material exposures to physical and transition risk drivers of climate change

Banks’ ability to adequately manage climate-related and environmental (C&E) risks remains high on the supervisory agenda given the increasing physical and transition risks, the fact that banks do not yet fully integrate C&E risks into their risk management and governance frameworks, and given the new requirements stemming from the new banking package which entered into force in 2025.^[15] Furthermore, the ECB preliminary analyses show that at the end of 2023, around 90% of supervised entities considered their C&E risks to be material.^[16]

Against this backdrop, in November 2023 the ECB announced^[17] that it had started to issue binding supervisory decisions, including the potential imposition of periodic penalty payments (PPPs), should the banks fail to meet the requirements for C&E risks within the deadlines set out in these decisions. These decisions were issued after the ECB communicated to banks that it would closely monitor three milestones set following the outcome of the 2022 thematic review on C&E risks and, if necessary, that it would take enforcement action to address risks not properly covered.

When the first of the three milestones failed to be met, the ECB, in 2023 and early 2024, issued 28 binding decisions on C&E risks, 22 of which implicating the potential imposition of PPPs should the banks fail to meet the requirements set out in these decisions. By this first milestone, banks were expected to have in place a sound and comprehensive materiality assessment and business environment scan.

While most of the supervised entities in question have since met the requirements set out in these decisions on the materiality assessment and business environment scan, the process to determine whether PPPs would be finally levied^[18] was still ongoing at the end of 2024 for a small number of these entities.

A second milestone was set for the end of 2023 concerning the integration of C&E risk into institutions’ governance, strategy and risk management frameworks. In the course of 2024 the ECB issued further binding supervisory decisions, including the potential imposition of PPPs should banks fail to comply with the requirements set out in these decisions. These binding decisions applied to nine supervised entities that did not have in place the foundational elements for an adequate management of C&E risks after the date for this milestone had lapsed.

In 2025 the ECB will continue to closely monitor banks’ progress and, if needed, take similar enforcement action after the third milestone in December 2024. After this milestone, banks are expected to have sound management processes for C&E risks, including full integration of these risks into their internal capital adequacy assessment process (ICAAP) and in their stress testing.

In 2024 the ECB carried out a climate data collection exercise as part of the system-wide Fit-for-55 climate risk scenario analysis, which the European Commission asked the European Supervisory Authorities, the ECB and the European Systemic Risk Board (ESRB) to jointly conduct in order to assess the resilience of the EU financial system to climate and macro-financial shocks in line with the Fit-for-55 package of reforms. This data collection exercise not only provided input for the Fit-for-55 exercise, but also helped assess banks’ progress in terms of managing climate risk since the ECB’s 2022 climate risk stress test and adopting good practices for climate stress testing. The ECB’s assessment of climate data submissions focused on banks’ ability to collect and compute climate-related data, such as the greenhouse gas emission intensity of their borrowers and energy performance certificate ratings for the collateral underlying housing loans. While banks are making some progress, the exercise identified deficiencies in the ability of many banks to explicitly report climate-relevant data. However, some banks did manage to demonstrate that overcoming this data gap was feasible. Once the results of the assessment were released, banks received individual output reports on their climate data capabilities, including comparisons with peers and the 2022 climate risk stress test results for a given set of climate-relevant metrics.

1.2.4 Priority 3: further progress in digital transformation and building robust operational resilience frameworks

1.2.4.1 Digital transformation strategies

The digitalisation of financial services is a structural trend affecting the competitive environment in which European banks operate. It not only affects their risk profiles, including their longer-term strategies, but it can also have profound implications for banks’ operational risks and their financial risks. Further supervisory attention needs to be paid to addressing digitalisation challenges, the related risks and management bodies’ steering and risk management capabilities.

In 2024 the off-site activities, including targeted reviews of banks’ digitalisation activities, were undertaken across 21 supervised entities. The results of these activities give the ECB valuable insight into digitalisation-related risks and help it to finetune its assessment tools and methodologies accordingly. Along with the outcomes of other activities undertaken in recent years, these results were used as input for the report entitled Digitalisation: key assessment criteria and collection of sound practices published in July 2024. This report helps supervised entities understand how digitalisation-related risks are assessed and how to develop sound practices from a supervisory perspective.

The decision on whether to digitalise processes is a bank’s own strategic decision, which can have a relevant impact on its future profitability, but also on the associated risks. The ECB’s regular short-term exercise was additionally used to collect data on banks’ progress in digital transformation, capturing developments in banks’ digitalisation activities, their fintech cooperation and their technology use cases. These data were also harnessed to provide input into the aforementioned report on digitalisation.

Furthermore, in 2024 the ECB continued to actively contribute to policy discussions in international and European working groups. These activities included contributing to regulatory input for the implementation of the Markets in Crypto-Assets Regulation^[19] and of the Artificial Intelligence Act^[20].

1.2.4.2 Operational resilience frameworks, third-party risk and cyber risk

Operational resilience is a bank’s ability to deliver its critical operations even in the event of operational disruption or failure. It is therefore a high supervisory priority given the potential impact this could have on critical banking activities across the wider financial markets and the economy as a whole.

2024 saw a further notable increase in cyberattacks targeting third-party providers, as significant cyber incidents reported in this category rose by around 50% and accounted for almost one-third of total significant cyber incidents. Banks became increasingly, and sometimes critically, reliant on the services of third-party providers. Moreover, the threat of state-sponsored cyberattacks remained high. Operational resilience has therefore been a focal point for banks under the direct supervision of the ECB.

The ECB carried out several off-site and on-site supervisory activities relating to IT security and cyber risk in 2024 and published the key results and observations in its November 2024 Supervision Newsletter. The targeted review of cyber resilience was extended to include a second batch of SIs in order to assess their key cybersecurity measures. The ECB also extended its targeted review of outsourcing to include a second batch of SIs.

The ECB also participated in a G7 Cyber Expert Group cross-border coordination exercise aimed at enhancing cyber incident management and crisis frameworks.

In addition, the ECB conducted a cyber resilience dry run to test the ECB’s and several national competent authorities’ internal communication, coordination and escalation processes in the event of a cyberattack on multiple supervised entities. This exercise was internal with no industry involvement.

The Digital Operational Resilience Act^[21] supports the EU’s efforts to ensure the operational resilience of the financial sector and aims to consolidate and enhance requirements for ICT risk management. In 2024 the ECB adjusted its supervisory framework to ensure full compliance with the Act’s requirements, for example by adapting the cyber incident reporting framework and the outsourcing register. Additionally, the ECB prepared for threat-led penetration testing, exploiting the European framework for threat intelligence-based ethical red-teaming (TIBER-EU).

1.2.4.3 2024 cyber resilience stress test

The 2024 stress test focused on cyber resilience and assessed banks’ responses to a fictitious cybersecurity incident. The test involved 109 banks and fed into the 2024 SREP. It featured a scenario that had an impact on banks’ core systems. All banks tested their response and recovery capabilities and shared their documentation, with 28 banks undergoing an in-depth assessment that included an IT recovery test and on-site evaluations. Banks were tested on their crisis response plans, communication with stakeholders, services analyses and mitigation measures. Recovery capabilities were assessed on data restoration, third-party collaboration and future resilience improvements. The ECB will continue working with banks to strengthen their cyber resilience, focusing on business continuity, communication and recovery plans. Banks are expected to meet recovery objectives, evaluate third-party dependencies and better estimate losses due to cyberattacks.

1.3 Direct supervision of significant institutions

1.3.1 Off-site supervision and the SREP reform

The direct supervision of credit institutions focuses on identifying and addressing risks to ensure banks remain resilient and are effectively managed in an increasingly complex environment. Similarly, the supervisory approach must adapt to a changing environment in order to safeguard financial stability.

Within the scope of the ECB’s mandate to keep banks safe and sound, making the banking sector more resilient means taking a harmonised and agile approach that avoids fragmentation.

In this context, the Supervisory Board of the ECB decided to reform its Supervisory Review and Evaluation Process to make its supervision more efficient, effective and intrusive, at the same time as committing to adapting and harmonising its own supervisory assessment methodologies. Therefore, the ECB commissioned an independent expert review^[22] of the SREP. The reform of the SREP considered the conclusions of this independent expert review and has been gradually introduced since 2024.

The reformed SREP will guarantee the same level of supervisory scrutiny but with a more streamlined timeline, optimised internal processes and more focused action, resulting in an even more effective SREP.

It is expected to be fully implemented by 2026.

The key objectives^[23] of the SREP reform are as follows.

• Focus risk assessments: increase the flexibility given to supervisors to prioritise and focus their assessments on key risks for a given multi-year period. Supervisors will employ a multi-year assessment strategy, enabling them to conduct an in-depth review of all relevant risks over a multi-year period rather than reviewing each individual risk every year. This flexible approach will allow the JSTs to allocate resources more efficiently.
• Better integrate supervisory activities: strengthen the integration of the planning of on-site inspections, deep-dive analyses and horizontal thematic reviews in order to deliver a structured and comprehensive view of banks’ risks. By improving the planning process of supervisory activities, synergies are maximised and banks gain a clearer understanding of the supervisory priorities.
• Use the full supervisory toolkit: enable more effective and timely escalation^[24] when deficiencies are not promptly remediated. This includes binding qualitative requirements and enforcement and sanction measures, where necessary.
• Enhance communication: streamline the SREP outcomes, focusing exclusively on the key risks and supervisory expectations. If assessments show no material changes in the bank’s risk profile, SREP decisions may be updated less frequently than yearly.
• Make methodologies more stable: simplify supervisory methodologies and make them more stable, enabling supervisors to focus on new issues and emerging risks. One example of this is the revision of the Pillar 2 requirement methodology, which seeks to make the approach more intuitive and reduce procedural complexity. At the same time, this revised approach aims to enhance robustness by ensuring that the Pillar 2 requirement remains anchored in the thorough supervisory risk assessments conducted within the SREP and focused on risks that are not already covered under Pillar 1, thus making sure that risks are not counted twice.
• Make better use of IT systems and data analytics: the ECB’s digital agenda foresees investments in IT systems and data analytics from 2024 to 2028, incorporating advanced technologies such as generative artificial intelligence to support supervisors in routine tasks so as to improve efficiency, access to data, risk analysis, consistency of decision-making and overall collaboration.

These changes aim to enhance European banking supervision by making processes more targeted, efficient, predictable and transparent. The SREP will be streamlined and more closely aligned with real-time supervision, enabling quicker and more effective responses to emerging risks. By fostering a supervisory culture that prioritises significant vulnerabilities and promotes timely, decisive actions, these improvements are designed to strengthen the efficiency and consistency of supervisory practices.

1.3.1.1 Risk-based approach

In 2024 the ECB continued to implement its risk tolerance framework, in place since 2023, and thus introduced more risk-based features and flexibility in different areas of the supervisory methodology. The risk tolerance framework allows supervisors to prioritise critical risk areas, enabling intrusive supervision where it is most needed and deploying the full supervisory toolkit in cases where banks do not meet the ECB’s supervisory expectations.

The risk tolerance framework facilitates the translation of the supervisory priorities into strategic planning and day-to-day supervision. For this purpose, it combines top-down guidance from the Supervisory Board on prioritised risks and vulnerabilities with bottom-up relevance assessments for each bank. The bottom-up assessments effectively complement the top-down guidance, as some supervised entities deal with institution-specific issues that affect the risk tolerance levels set across various risks and which, consequently, also affect the supervisory focus.

The risk tolerance framework is used as a tool by the JSTs and horizontal line supervisors to prioritise their activities and consequently sharpen their focus on the key supervisory risks. This gives the JSTs more flexibility when it comes to tackling novel and emerging risks.

1.3.1.2 Principle of proportionality

The activities conducted by the JSTs follow the principle of proportionality, i.e. the intensity of the supervision depends on the size, systemic importance, risk and complexity of each SI. Therefore, JSTs supervising bigger and riskier SIs, on average, plan a higher number of activities.

The number of activities carried out in 2024 was marginally lower than what was originally planned at the beginning of the year. This is mostly due to a small number of administrative tasks being cancelled throughout the year, which is in line with previous years.

1.3.1.3 Supervisory planning and activities

The supervisory planning process follows a consistent and integrated approach whereby the supervisory priorities steer the planning of horizontal activities, on-site inspections and internal model investigations, as well as other supervisory activities.

To ensure effective supervision, the various business areas of the ECB collaborate closely when planning their activities and with due regard for the supervisory priorities, bank-specific risks and the risk tolerance framework. This planning involves selecting samples of supervised entities that are to participate in these horizontal activities and in on-site inspections. As in past years, a campaign approach was taken to on-site inspections (see Section 1.3.5). The outcome of that process is reflected in the activity planning conducted by each JST for its supervised entity. Given that this planning is an important part of the JSTs’ communication with the supervised entity, a simplified activity plan describing the supervisory activities that warrant involvement or input from the supervised entity is also shared with these banks.

Based on the principle of proportionality, the off-site activity plans include (i) risk-related activities (e.g. the SREP); (ii) other activities related to organisational, administrative or legal requirements (e.g. the annual assessment of significance); and (iii) additional activities planned by JSTs to further tailor the activity planning to the specific characteristics of the supervised group or entity (e.g. analyses of the bank’s business model or governance structure).

1.3.1.4 Supervisory measures

Supervisory measures^[25] are one of the key outcomes of regular on-site and off-site supervisory activities. They set out detailed actions to be taken by the supervised entities to remediate shortcomings. The JSTs are responsible for monitoring the timely and effective implementation of these measures. In 2024 the most important driver of supervisory measures was on-site activities, with on-site inspections and internal model investigations (mostly performed on-site) accounting for 55% of the total measures. As in 2023, the highest number of the new supervisory measures (40%) related to credit risk (Chart 1).

Chart 1

Supervisory measures

a) Number of measures recorded each year

b) Measures by activity	c) Measures by risk category

1.3.1.5 SREP horizontal analysis

The ECB published the outcome of the 2024 SREP on 17 December 2024. This included developments in SREP scores and Pillar 2 capital requirements and guidance as well as an analysis of selected risk areas. With the consent of the relevant SIs, the ECB made available the applicable bank-specific Pillar 2 capital requirements for 2025, including those that are used for addressing the risk of excessive leverage.

The overall SREP score remained stable at 2.6, with 11% of banks seeing their scores worsen, and 15% of banks achieving a better score. The overall capital requirements and guidance increased slightly to 15.6% of risk-weighted assets (15.5% in 2023), while the median of Pillar 2 requirements stood at 2.2%, which was also stable as compared with 2023.

The 2024 SREP demonstrated that, overall, banks under European banking supervision continued to exhibit resilience, with solid capital and liquidity positions. Looking ahead, banks will need to adapt to a changing environment. Banks must therefore remain vigilant and prudent to sustain their business operations. Their currently good levels of profitability provide them with the opportunity to strengthen resilience.

1.3.2 Supervision of non-EU banks

In 2024 the ECB oversaw 14 subsidiaries of non-EU banks located in the euro area, collectively holding €1.8 trillion in total assets (7% of total assets under ECB Banking Supervision), with a combined trading book value of €780 billion (21% of total trading financial assets under ECB Banking Supervision) and assets under custody totalling €15.5 trillion (37% of total assets under custody under ECB Banking Supervision) as at the third quarter of 2024.

Supervisory activities for subsidiaries of non-EU banks were largely driven by the ECB’s supervisory priorities for 2023-25. In addition, the ECB implemented several targeted initiatives, including monitoring the execution of implementation plans developed in response to the desk-mapping review (see Box 2 of the ECB Annual Report on supervisory activities 2023) and a series of deep dives on corporate and investment banking and trader controls, designed to address growing concerns in crucial areas such as trading and lending.

The ECB also engaged with subsidiaries of non-EU banks on the implications of Article 21c of Capital Requirements Directive VI (effective from 11 January 2027), which will require that third-country groups establish a physical presence in the EU for activities involving deposit-taking and the provision of lending and guarantees. Such requirements could materially affect the booking models for lending of subsidiaries of non-EU banks. An additional challenge of supervising subsidiaries of non-EU banks is that they are fully owned by their parent entities, whose strategies and internal policies are not always in line with EU rules or the ECB’s supervisory expectations. With this in mind, supervisors need to account for these challenges and differences while at the same time ensuring full compliance with standard requirements. Against this backdrop, the ECB also enhanced its regular bilateral exchanges with non-European banking supervisors responsible for the oversight of non-EU banks, such as the Federal Reserve System and the UK Prudential Regulation Authority.

1.3.3 Supervision of entities with activities in Russia

Since the start of Russia’s invasion of Ukraine in February 2022, the ECB has actively engaged in dialogue with the few supervised entities that are active in the Russian market, has taken specific measures where relevant and has been closely monitoring the situation. Throughout 2024 banks continued scaling back their activities and pushing through their exit and wind-down strategies. Overall, SIs reduced their exposures to Russia by 5.6% between the end of 2023 and the third quarter of 2024,^[26] thus further shrinking their exposure levels since the onset of the war.

Where relevant, the ECB took measures to address the situation of certain SIs in order to mitigate operational, reputational, compliance and financial risks associated with business activities in Russia. Some of these measures involved restrictions on lending and the taking-up of deposits in Russia, as well as on the placement of funds with financial institutions domiciled in Russia. Furthermore, the ECB expects a reduction in the payment business out of Russia and in cross-border loans with customers domiciled in Russia.

LSIs adopted various strategies to reduce exposures, as was also the case for SIs. Several LSIs closed their Russian subsidiaries, reduced their balance sheet exposure and curbed financial transactions linked to the Russian market. In some cases, LSIs withdrew completely from the Russian market by winding down operations and relinquishing their banking licences. In very few cases, international sanctions severely affected LSIs under Russian ownership, effectively forcing them to exit the market.

In the context of escalating tensions with Russia, financial market infrastructures with a banking licence remain inherently vulnerable to geopolitical risks. These risks include the legal and compliance challenges relating to international sanctions against Russia. To navigate the complex and evolving landscape of international finance and geopolitical tensions, financial market infrastructures must continue to adapt and enforce robust risk mitigation strategies, while supervisors must closely monitor this process.

1.3.4 Fundamental review of the trading book

The fundamental review of the trading book is a key component of the revised Basel III framework. It consists of a major overhaul of the Pillar 1 capital requirements for market risk, which builds on the lessons learned from the great financial crisis of 2007/08, and it aims to reduce the likelihood and impact of similar events in the future. In particular, it introduces stricter rules for classifying assets inside or outside of the trading book, an alternative standardised approach, which is more risk-sensitive but also more complex than the current standardised approach, and additional requirements for the use of internal models.

In 2024 the ECB conducted an off-site targeted review and several on-site inspections and internal model investigations on the topic. The targeted review of the alternative standardised approach assessed the preparedness of a risk-based sample of 30 banks. It concluded that since reporting under this approach had begun in 2021, banks had made reasonable progress towards preparing and implementing this new approach for the capital requirements. That said, deficiencies were identified on the more technical side, as well as in the independent review and the incorporation into management reporting of the alternative standardised approach under the fundamental review of the trading book.

Additionally, some of the OSIs assessing the implementation of the alternative standardised approach identified bank-specific shortcomings in the underlying calculations, operational processes and data management, as well as in the involvement of the second and third lines of defence. The first two OSIs of the alternative standardised approach took place in 2023, followed by another one in 2024. Five are planned as part of the Supervisory Examination Programme for 2025.

In 2024, based on banks’ applications to use the alternative internal models approach, the ECB completed three internal model investigations in order to prepare the respective supervisory decisions. The key findings are described in Section 1.3.5.2.

On 24 July 2024 the European Commission adopted a delegated act postponing by one year (i.e. until 1 January 2026) the date of application of the Basel III fundamental review of the trading book standards in the EU for banks’ calculation of their own funds requirements for market risk. Ongoing supervisory engagement in this area, including follow-up by the JSTs, will ensure that the fundamental review of the trading book is implemented smoothly.

1.3.5 On-site supervision

In accordance with the SSM Regulation^[27], the ECB’s oversight of its supervised entities is exercised through both off-site and on-site supervision, the combination of which aims to ensure a detailed and thorough analysis of its supervised entities’ business operations. On-site supervision is performed through on-site inspections (OSIs), which are in-depth investigations of risk, risk controls and governance, or through internal model investigations (IMIs), which are in-depth assessments of the internal models used for the calculation of own fund requirements, in particular with regard to methodologies, economic appropriateness, risk, risk controls and governance.

In 2024, 165 OSIs and 78 IMIs were launched for SIs. Similarly to the previous years’ trend, most OSIs and IMIs were performed based on hybrid working arrangements. In addition, the ECB undertook a comprehensive leveraged finance portfolio review for a set of banks^[28] to help improve the risk management of leveraged loans.

The OSIs conducted in 2024 covered areas such as credit risk; governance; IT risk; interest rate risk and credit spread risk in the banking book (IRRBB/CSRBB), with some of the inspections also covering liquidity risk; business model and profitability; liquidity and funding risk; capital adequacy; market risk and operational risk. C&E risks were assessed both by way of dedicated OSIs and as part of inspections in other risk areas, most notably credit risk.

The IMIs conducted in 2024 covered areas such as the implementation of the latest European Banking Authority (EBA) standards and guidelines, the fundamental review of the trading book and the remediation of obligations relating to previous IMIs.

Chart 2

On-site inspections and internal model investigations launched in 2022, 2023 and 2024

(number of investigations)

1.3.5.1 Key findings from on-site inspections

In terms of credit risk, severe weaknesses were found in banks’ ability to properly quantify expected credit losses for performing loans, especially in the context of increased macroeconomic uncertainties. Expected credit loss models were not adequately suited to incorporating forward‑looking information. The models for the probability of default and for loss given default revealed deficiencies. While there were a diverse range of practices identified, for a number of banks, frameworks for accommodating significant increases in credit risk were found inadequate in terms of the timely transfer of loans to Stage 2 under IFRS 9.

As banks were rather slow to acknowledge the deterioration in financial markets, particularly across vulnerable sectors of real estate, numerous findings were initiated concerning the design and implementation of collateral valuation processes. OSIs continued to reveal flaws in risk management processes, shortcomings in the risk strategy, risk appetite and credit-granting process, as well as weaknesses in risk monitoring and the proper identification of forborne and defaulted loans. In some cases, these findings were triggered by concerns about banks’ governance frameworks hindering adequate risk steering.

In terms of market risk, the main weaknesses concerned valuation risk and counterparty credit risk identification, measurement and management. More specifically, for valuation risk, shortcomings were identified in the calculation of regulatory and accounting reserves held by institutions to account for valuation uncertainty. Severe flaws were also observed in counterparty credit risk, especially for the modelling and validation of counterparty credit risk indicators (potential future exposure, stress tests), the setting and monitoring of limits, and collateral management.

In terms of liquidity risk, the most severe findings related to weaknesses in the measurement and monitoring of risk, including shortcomings in quantification methodologies, the accuracy and completeness of data and weaknesses in the scenario design for liquidity stress testing. Severe findings were also identified with regard to regulatory reporting and the calculation of the liquidity coverage ratio and the net stable funding ratio. Other severe findings revealed an inadequately effective organisational framework for liquidity risk management and inconsistencies between the funding plan and the liquidity risk strategy.

In terms of the IRRBB, the majority of critical findings concerned weaknesses in the measurement and monitoring of the IRRBB, including the inadequacy of quantification methods and of the robustness of key modelling assumptions, outdated data, weak IT systems and weak model risk frameworks. Other severe findings revealed insufficient formalisation of the IRRBB management profile and strategy, as well as insufficient involvement of the risk management body in defining and monitoring IRRBB risk management processes.

In terms of business model and profitability, the most severe findings related to product pricing frameworks, methodologies and monitoring, which were the focus of a number of OSIs in 2024. Other severe findings disclosed weaknesses in income and cost allocation, in the analysis of profitability drivers as well as in assumptions and sensitivity analyses in the financial projections of banks’ business plans.

In connection with the business model and profitability, the OSIs concerning the review of banks’ digital transformation^[29] revealed weaknesses in strategic steering, change management and monitoring. Additionally, issues were identified with respect to income and cost allocation, key performance indicator frameworks, forecasting and budgeting processes.

In terms of climate risk, which is a driver of other existing risk categories, such as business model risk or credit risk, the OSIs revealed weaknesses in risk identification, materiality assessments, monitoring and the reflection of climate risk in banks’ business strategies. In addition, other severe findings disclosed deficiencies in the integration of climate risk into credit-granting processes and the respective internal controls.

In terms of internal governance and closely connected topics, the most critical findings related to (i) risk data aggregation and risk reporting, caused by insufficiently comprehensive governance frameworks, inadequate data architecture and IT infrastructure, leading to weaknesses in data quality management; (ii) independence, scope of activity and resources for all internal control functions; and (iii) outsourcing activities, including inadequate risk assessments for decision-making on outsourcing and flaws in the risk management and monitoring of outsourced services, especially in relation to IT services. These findings led supervisors to set the remediation of shortcomings in internal governance as a supervisory priority.

In terms of the ICAAP, the most severe findings revealed (i) inconsistent internal quantification methodologies and assumptions for credit risk and market risk, (ii) deficiencies in the internal validation process for quantification methodologies, and (iii) inadequate methodologies to identify material risks as part of the risk identification process.

In terms of the calculation of regulatory capital (Pillar 1), the main findings concerned (i) inadequate assignment of risk weights to exposures, leading to an underestimation of risk-weighted assets, particularly for credit risk, as a result of the incorrect assignment of exposure classes and determination of collateral values; and (ii) insufficient control frameworks for the capital requirements and own funds calculation process.

In terms of operational risk (non-IT risk related), the most severe findings related to (i) measurement and management of risks, including deficiencies in the operational risk data collection process, inadequate risk prevention and remediation when dealing with operational risk events; and (ii) risk identification, in particular inadequate coverage and definition of significant operational risks.

In terms of IT risk, the most severe findings were found in the area of IT and cybersecurity management, particularly with respect to cybersecurity protection and detection capabilities. At the same time, OSIs continued to identify deficiencies relating to weaknesses in governance frameworks, IT continuity management and IT asset management. A considerable number of the remaining severe findings concerned the IT operations of banks. Additionally, third-party risk management remained a key area of the supervisory focus,^[30] with a substantial number of findings related to IT outsourcing arrangements. In 2024, as in the previous year, the ECB conducted a dedicated inspection of a large ICT third-party service provider.^[31]

In conclusion, the findings revealed significant deficiencies across various risk management areas within the inspected banks. These underscored the need for further improvements in risk quantification, governance frameworks and internal controls to ensure a more robust and resilient banking sector. Addressing these issues, among others, will be crucial for banks to better navigate future uncertainties, particularly in the light of persistently high geopolitical tensions and their impact on the macroeconomic outlook.

1.3.5.2 Key findings from internal model investigations

Internal model investigations assess whether the internal models used by banks to calculate capital requirements are compliant with the legal and regulatory requirements. IMIs can either be triggered at the request of a bank (in the case of initial model approvals, material changes to models, model extensions, model roll-out, permanent partial use or reversion to less sophisticated approaches for models) or they can be initiated by the ECB.

The targeted review of internal models (TRIM), which was concluded in April 2021, was ECB Banking Supervision’s biggest push towards harmonising the supervisory treatment of internal models and making them compliant with existing rules. Since then, ECB Banking Supervision has focused mainly on assessing model changes requested by SIs either to comply with new regulatory requirements stemming, for instance, from the regulatory review of the internal ratings-based (IRB) approach (the EBA’s “IRB repair programme”) or to remediate weaknesses identified during the TRIM. One of the main objectives of the TRIM was to reduce unwarranted (i.e. non-risk-based) variability of the model outputs used by SIs to calculate Pillar I regulatory capital requirements and thus to further foster trust in the use of internal models.

In addition, the new more detailed and stricter standards resulting from EBA and EU regulations make it more challenging for banks to comply with all the rules, in particular for portfolios of a small size and/or with limited representative data. In this context, the ECB expects banks to undertake a thorough assessment of their IRB model landscapes with the aim of streamlining them. This assessment should take into account the implementation of the final Basel III standards, the bank’s operational capacity for – and costs associated with – rolling out or maintaining IRB models, and the suitability of these models for different portfolios (e.g. availability of minimum representative data).

In this respect, more than 90% of IMIs in 2024 were triggered by requests from banks to assess model changes, initial model approvals or model extensions. Similar to 2023, the number of IMIs initiated by the ECB stood at around 5%. The ECB also received and assessed numerous applications to revert to less sophisticated approaches, in line with the broader initiatives taken to simplify internal model landscapes described above.

The IMIs conducted in 2024 revealed several weaknesses, with an average of 20 findings being identified for each IMI, one-third of which were of high severity.^[32]

Focusing purely on the procedural aspects of IRB models for credit risk, around one-third of the findings were of high severity, of which roughly half concerned shortcomings in the IT infrastructure and the definition of default. For the modelling of probability of default and of loss given default, approximately one-third of the findings were of high severity. For the modelling of probability of default, roughly half of the findings concerned risk quantification and the margin of conservatism calculation. For the modelling of loss given default, risk quantification and the structure of the rating system were the key concerns.^[33] In areas where severe findings were numerous, the ECB provided additional clarification in its revised Guide to internal models, which was published in February 2024.

Few market risk investigations were conducted during the reporting period owing to the impending new requirements stemming from the fundamental review of the trading book. During the investigations of the initial model approval under these new requirements, the main weaknesses were in some of the building blocks of the new approach, for example the risk factor modelability assessment, the methods for the stress scenario risk measure and model processes. As a result of the low number of IMIs on counterparty credit risk, there was no clustering of the respective findings.

1.4 ECB oversight and indirect supervision of less significant institutions

1.4.1 Structure of the less significant institution sector

The number of LSIs declined to 1,912 entities, at the highest level of consolidation, in the second quarter of 2024, as compared with 1,932 LSIs at the end of 2023. 77% of all European LSIs are located in Germany and Austria. In 2024, most of the structural changes in the LSI sector related to the mergers of 43 entities, most of which were established in Germany. Four banking licences were withdrawn and four new licences were granted.

While the LSI sector is composed of quite diverse and sometimes very specialised business models, retail and consumer credit lenders remained the predominant category, accounting for around 60%. These are often regional savings and/or cooperative banks, many of which are members of institutional protection schemes and most of which are located in Germany and Austria. Generally, LSI activities are still more concentrated within certain regions and/or products than those of SIs.

Despite the overall declining number of LSIs, this sector continued to constitute a relevant share of the European banking sector, accounting for roughly 15.5% of total banking assets excluding financial market infrastructures. The share of LSI assets in the respective country’s total banking assets deviates considerably, pointing to structural differences across Member States. In Austria, Germany, Luxembourg and Malta LSIs accounted for more than one-third of the total assets held in the domestic banking sector, whereas in most other countries the LSI sector is relatively small. For instance, in Belgium, France and Greece, this sector represents only 4.4%, 1.9% and 4.8%, respectively, of total banking assets. Further details can be found in the 2024 LSI supervision report.

Chart 3

Business model classification of less significant institutions

(percentages)

1.4.2 Selected oversight activities

The rapid rise in interest rates in 2023 led to a notable increase in bank profitability in 2024. However, this growth was accompanied by uncertainties, particularly relating to exposures to geopolitical risks and, more notably, real estate exposures, especially those related to commercial real estate. The increase in the NPL ratio for LSI loan books to 2.5% as at the second quarter of 2024, surpassing its trough in 2023, shows that risks may start to accumulate. Consequently, the ECB and the national competent authorities closely monitored developments at both the sectoral and the bank level in this regard. Given these growing uncertainties, there were further concerns about the potential impact on liquidity risk. Therefore, the ECB, together with the NCAs, conducted a targeted funding plan assessment exercise to evaluate potential liquidity risks in the LSI sector.

Given the importance of ICT systems, the ECB facilitated a structured exchange among European supervisors to share their approaches to ICT risk supervision, which should also support the implementation of the Digital Operational Resilience Act from a regulatory perspective. In the area of climate change, the ECB organised information exchanges between the NCAs and continued to support them by sharing evidence of good practices and providing training for their staff.

1.4.3 Horizontal work on stress testing of less significant institutions

In 2024 the ECB and the NCAs conducted a dedicated follow-up to the 2022 review of national practices for the supervisory stress testing of LSIs. This included a series of workshops on good practices, methodologies and tools. In addition, the ECB and NCAs produced a collection of the most recent LSI stress test publications as well as a quantitative stocktake of the most recent aggregated LSI stress test results and several related stress-testing metrics.

According to the stress tests conducted by the NCAs, overall, this stocktake has proved the LSI sector to be resilient. From a methodological perspective, while there are many similarities across LSI stress-testing practices there are also differences, reflecting the specific features of the national banking structures across European supervised entities.

1.5 The ECB’s macroprudential tasks

The ECB's coordination of macroprudential policy within European banking supervision is crucial for consistency and effectiveness when addressing systemic risk across the euro area. Through its oversight activities and other such functions, the ECB examines the measures taken by national authorities to ensure that individual Member States and the banking union as a whole are well prepared to address economic uncertainties and risks to financial stability.

The ECB engaged actively with the national authorities in 2024 in accordance with the macroprudential tasks conferred upon it under Article 5 of the SSM Regulation. In this context, as in past years, the ECB received and assessed macroprudential policy notifications from the relevant national authorities. These notifications concerned decisions on setting countercyclical capital buffers (CCyB), on the identification and capital treatment of global systemically important institutions (G-SIIs) or other systemically important institutions (O-SIIs), as well as on other macroprudential measures, for example on the setting of systemic risk buffers and on stricter risk weights for banks’ real estate exposures.^[34]

In 2022 and 2023, several national authorities imposed or increased cyclical or structural capital buffers. This trend continued into 2024, resulting in a situation in which all banking union countries had announced or implemented some form of releasable buffer requirement, with nine countries having adopted a so-called positive neutral rate for the CCyB, i.e. a positive rate for the CCyB when cyclical systemic risks are not yet elevated. National authorities also identified 129 O-SIIs and set capital buffer rates for those banks. These buffer rates were in line with the floor methodology for setting O-SII buffers.

Since January 2024 the ECB has been using a revised floor methodology to assess O-SII buffers.^[35] By using more buckets and a higher floor level for the highest bucket, the revised floor methodology is designed to strengthen the capacity of O-SIIs to absorb losses, further reduce the risk of heterogeneity in O-SII buffers and lead to a more consistent treatment of O-SIIs across those countries that participate in European banking supervision. More recently, as announced by the Governing Council in December 2024, the ECB enhanced its floor methodology to assess O-SII buffers notified by the national authorities, which now also takes into account the systemic importance of O-SIIs for the banking union as a whole. This enhanced methodology, which has been applicable since 1 January 2025, will counter unwarranted heterogeneity in the way O-SII buffers are set and contribute to deepening financial integration by reducing the current disparity between capital requirements for domestic and cross-border activities within the banking union.^[36]

ECB Banking Supervision also participated actively in several areas of the work of the ESRB. This included its regular assessments of the risks and vulnerabilities in the EU financial system, its work on the implications of higher interest rates for financial stability, on the analysis of systemic illiquidity and on advancing macroprudential tools for cyber resilience,^[37] as well as its work on vulnerabilities in residential and commercial real estate. This work also included the adverse scenarios for the EBA’s 2025 EU-wide stress test exercise and the ESRB’s exercise on system-wide liquidity.

1.6 Risks and supervisory priorities for 2025-27

The strategic priorities continue to reflect the current risk environment and the need for the timely remediation of open findings. Despite the robust balance sheets and risk profiles of European banks throughout 2024, the persistently heightened geopolitical tensions and the associated uncertainty surrounding the macroeconomic outlook require banks to remain vigilant and to regularly assess the implications for their businesses, operations and risk profiles. At the same time, given the gradual shift in supervisory focus from risk identification to risk remediation in areas which have been subject to close supervisory scrutiny in the past, banks will be asked to step up their efforts to address persistent shortcomings effectively.

ECB Banking Supervision made targeted adjustments to its supervisory priorities for 2025-27, while maintaining its call for banks to focus on prudent and sound risk management practices to withstand the headwinds expected in the near and medium term. The supervisory priorities for 2025-27 will therefore focus on strengthening banks’ resilience to immediate macro-financial threats and severe geopolitical shocks (Priority 1); the timely remediation of known material shortcomings, in particular relating to the management of C&E risks and RDARR (Priority 2); and the need to tackle challenges stemming from digitalisation and new technologies (Priority 3). Under Priority 1, there will be a special focus on incorporating the management of geopolitical risks into supervisory activities and into the assessment of banks’ related risk management practices. In addition, other regular activities and follow-up work on past supervisory priorities will also be carried out by supervisors as part of their ongoing engagement with banks, complementing the work on the three supervisory priorities for 2025-27. Further details about the updated supervisory priorities, the underlying risk assessments and the related supervisory activities can be found under the supervisory priorities for 2025-27.

Box 2
Geopolitical risks

The intensification of geopolitical tensions over recent years has called for heightened scrutiny. Although the direct impact of recent geopolitical events on the banking sector has so far been contained and the immediate threats limited, it is important to remain vigilant and assess the possible future implications for banks.

Geopolitical risks are defined as the “threat, realisation, and escalation of adverse events associated with wars, terrorism, and any tensions among states and political actors that affect the peaceful course of international relations”.^[38] They are not easily predictable, originate outside the financial system, and can affect all traditional categories of banking sector risks via three risk transmission channels: financial markets, the real economy and safety and security (Figure A). Geopolitical risks can lead to increased risk aversion, which might result in market and funding risk shocks. A macroeconomic shock can trigger increased credit and profitability risks. Risks to the safety and security channel can jeopardise banks’ operations as well as their business model sustainability.

Geopolitical risk was a key supervisory priority for 2024-26 and will remain so for 2025-27 (see Section 1.6). Given its cross-cutting nature, this risk is addressed through a range of supervisory initiatives.

First, strong governance arrangements are required to manage geopolitical risks. Therefore, the ECB will assess the risk management processes and risk appetite frameworks that banks use to monitor and mitigate geopolitical risks to help shape its views regarding its supervisory expectations for these risks.

Second, geopolitical risks need to be considered within the context of liquidity and capital planning. For this reason, supervisors assess the tools that banks use for their internal capital adequacy assessment process and their internal liquidity adequacy assessment process.

Third, geopolitical risks can also exacerbate credit risk through the real economy channel. With this in mind, an IFRS 9 review examined how banks account for novel risks, including geopolitical risk, in their loan loss provisioning.

Fourth, geopolitical risk was a key feature of the EBA’s 2023 EU-wide stress test and will also be a key component of the 2025 EU-wide stress test^[39].

Fifth, increasing geopolitical tensions may affect banks’ operational resilience, for example through the threat of cyberattacks or through their outsourcing arrangements. Therefore, banks need to have robust operational frameworks in place to mitigate such threats. These threats can be assessed in targeted reviews of outsourcing arrangements and cyber resilience and were indeed assessed as part of the 2024 cyber resilience stress test. Initiatives were also launched to capture the geopolitical risks of each bank at the individual level.

Figure A

Transmission channels of geopolitical tensions to the macro-financial environment and to banks

1.7 Assessing supervisory effectiveness

In 2024 the ECB began to consider ways of systematically assessing the extent to which its supervisory activities achieve their intended outcomes. A holistic assessment of supervisory effectiveness will enable the ECB to better gauge how far its supervisory priorities have been met and whether its supervisory strategies need to be adapted. It is a key element of the accountability of European banking supervision as a whole.

Effective supervision enables supervisors to promptly assess prudential risks and identify material shortcomings, thus making more effective use of their supervisory toolkit and their regulatory powers to ensure that banks remediate their deficiencies in a timely manner. To assess supervisory effectiveness, a combination of quantitative indicators, qualitative information and expert judgement need to be employed.

Assessing supervisory effectiveness needs to account for the fact that the outcomes of supervisory activities may (i) not be directly observable in financial or statistical data, (ii) have a delayed impact, and (iii) be influenced by external factors outside of the supervisor’s scope of influence. This makes the use of appropriate analytical tools, together with expert judgement, indispensable.

The ECB strives to be an ever more effective supervisory authority and aims to go beyond its objective of ensuring compliance with regulatory requirements and incentivising its supervised entities to remediate their identified deficiencies. Measuring supervisory effectiveness is not only about understanding the key effects of the supervisory measures taken. It is also about considering unintended effects and the role that the macroeconomic environment plays in affecting supervisory outcomes. Therefore, evaluating supervisory effectiveness does not simply stop with an assessment of the supervisory activities conducted. Rather, it starts by gauging the concrete outcome of these supervisory activities. This is why the ECB strives to assess whether the identified risks or deficiencies have been properly addressed or remediated by the supervised entity in a timely manner and why it also seeks ways of avoiding the emergence of such risks or deficiencies in the future.

This in turn helps the ECB to decide, for example, whether a prioritised vulnerability has been properly addressed or whether its supervisory strategy for remedying such vulnerabilities needs to be adjusted. This way, a high-level work programme can be drawn up, together with the requisite supervisory tools, to address the prioritised vulnerability more effectively. This assessment of the ECB’s supervisory effectiveness could furthermore support its communication to its external stakeholders, such as the European Parliament, to feed into a discussion of the accountability of European banking supervision as a whole.

2 Authorisation, fit and proper, and enforcement and sanctioning procedures

2.1 Authorisation

2.1.1 Significance assessments, comprehensive assessments and identification of high-impact less significant institutions

2.1.1.1 Significance assessments

In line with the SSM Framework Regulation^[40], the annual assessment of whether a bank or banking group fulfils any of the significance criteria^[41] was concluded in November 2024. It was supplemented by ad hoc significance assessments (leading to 51 significance decisions) which were carried out following changes to group structures.

As a result, 114 institutions^[42] were classified as significant as of 1 January 2025, one more than in the previous annual assessment of significance.

The 2024 annual assessment resulted in the following changes.

Furthermore, as a result of two Class 1 investment firms being licensed as significant credit institutions, two significant credit institutions were added to an existing significant group in 2024.

In addition, the following changes to group structures took place, affecting the number of significant supervised entities.

Finally, the following changes to group structures took place, without affecting the number of significant supervised entities.

The list of supervised entities is frequently updated and can be found on the ECB’s banking supervision website.

2.1.1.2 Comprehensive assessments and asset quality reviews

In 2024 the ECB concluded three asset quality review exercises. Each of the three banks assessed fulfilled a criterion to be directly supervised by the ECB: AS LHV Group in Estonia was among the three largest credit institutions in the Member State, while FinecoBank S.p.A. in Italy and J.P. Morgan SE in Germany met the size criterion.

In November 2024 the ECB launched asset quality review exercises for three banks that met the size criterion: Raiffeisen-Holding Niederösterreich-Wien reg.Gen.m.b.H. in Austria, Wüstenrot Bausparkasse Aktiengesellschaft in Germany and LBS Landesbausparkasse Süd in Germany. The exercises are expected to be completed in the second quarter of 2025.

2.1.1.3 High-impact less significant institutions

Owing to the large number of less significant institutions (LSIs), as well as their differences in terms of size, complexity and risk profile, European banking supervision classifies these institutions based on their impact on the financial system and their risk profile. Since 2022 impact criteria and risk criteria have been assessed separately. High-impact LSIs are determined once a year for each of the countries participating in European banking supervision. The criteria for determining high-impact LSIs include size, importance for the economy, cross-border activities, business model, and minimum coverage per country (see Box 1 of the LSI supervision report 2022).

An LSI that is considered a small and non-complex institution under the Capital Requirements Regulation cannot be designated as a high-impact LSI unless it is the largest LSI in a jurisdiction where all LSIs are small and non-complex institutions.

2.1.2 Authorisation procedures: introduction and statistics on notifications

In 2024 the ECB was notified of a total of 742 authorisation procedures (Table 10). These notifications comprised 15 licence applications, nine licence withdrawals, 29 lapsings of authorisations, 91 acquisitions of or increases in qualifying holdings, 596 passporting procedures and two authorisations of financial holding companies. They also included the authorisation of three Class 1 investment firms licensed as significant credit institutions, in line with the broader definition of “credit institution” applicable since June 2021 under the revised Capital Requirements Directive (CRD V)^[43].

In 2024 133 decisions on authorisation procedures^[44] were finalised. These accounted for 8.3% of all ECB individual supervisory decisions in 2024.

Five authorisation procedures led to negative decisions. Furthermore, three licence applications and three notifications of acquisitions of or increases in qualifying holdings were withdrawn prior to a decision being finalised owing to a negative assessment.

2.1.2.1 Developments in common procedures

Overall, in 2024 the number of notifications of common procedures for licensing, qualifying holdings and withdrawals submitted to the ECB decreased compared with the previous year.

The ECB assessed a high number of qualifying holdings. It issued negative decisions in three procedures following concerns raised by supervisors. One of these decisions was challenged before the Administrative Board of Review, which issued an opinion confirming the ECB’s decision (see Section 6.3.2). Several qualifying holding procedures stemmed from internal reorganisations that were subject to the simplified qualifying holding assessment approach. Cross-border consolidation remained limited in 2024, despite emerging transformation and active consolidation dynamics.

In 2024 most licensing procedures were associated with the establishment of new LSIs. The few licensing procedures concerning significant institutions resulted primarily from the need to extend licences for additional regulated activities planned by banks, which is required in certain Member States. The ECB approved two licence extensions for crypto-asset related activities in Germany in relation to the specific licensing requirement imposed under German law. In addition, one authorisation was granted under the EU regulatory framework for investment firms, introduced with the application of the Investment Firms Regulation and Directive as of 26 June 2021.

With the entry into force of the Markets in Crypto-Assets Regulation (MiCAR) in June 2023 and its application from December 2024, credit institutions across the EU are considering whether to engage in crypto-asset related activities and services as set out in the Regulation. Credit institutions as defined in the Capital Requirements Regulation do not require additional licensing under MiCAR for crypto-asset related services and activities, but they are subject to notification requirements.

In 2024 the ECB received two licensing applications related to a national reform requiring local credit unions to become credit institutions. Some licensing applications were submitted by third-country entities intending to expand their business in the EU. In these cases, the assessments focused on the good reputation of the entity and the AML/CFT compliance of these third-country entities.

The national competent authorities (NCAs) initiated authorisation withdrawals for two LSIs (in Germany and Luxembourg). One was due to the credit institution having unsuitable shareholders and deciding to wind down and the other was due to unsuitable shareholders, governance breaches and serious breaches of anti-money laundering requirements. One of the two withdrawal decisions was challenged before the ECB’s Administrative Board of Review, which issued an opinion confirming the ECB’s decision (see Section 6.3.2). Both ECB decisions were challenged before the General Court of the European Union. The proceedings are still ongoing.

2.1.2.2 Developments in passporting procedures and (mixed) financial holding companies

The ECB and the NCAs handled 462 passporting procedures in 2024.

After a vast influx of procedures in 2021 and 2022 following the transposition of CRD V, the number of procedures stabilised in 2023 and 2024. In 2024 the ECB was notified of two procedures concerning (mixed) financial holding companies of significant groups: one seeking an approval and the other an exemption.

2.2 Fit and proper procedures

In 2024 the ECB was notified of a total of 1,557 individual fit and proper procedures^[45] concerning significant institutions (Table 11).

In 2024 63.0% of all individual fit and proper procedures concerned members of the management body in its supervisory function and 25.8% concerned members of the management body in its executive function. The remaining individual procedures involved key function holders (8.9%), third-country branch managers (1.6%) and additional non-executive directorships (0.7%).

The average time taken to carry out fit and proper assessments and for the ECB to adopt a decision was reduced from 109 days in 2023 to 97 days in 2024, which is within the maximum period of four months set out in paragraph 179 of the Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders.

2.2.1 Developments in fit and proper procedures

The ECB continued to improve the efficiency of fit and proper decisions by simplifying processes (aided by Heimdall, its machine-reading tool) and developing and updating guides and templates, with an increased focus on diversity and collective suitability. On 24 April 2024, the ECB organised a joint seminar with the European University Institute in Florence to raise awareness within the banking industry of effective governance and risk culture.

The ECB made use of the fit and proper criterion of collective suitability to improve board effectiveness by promoting diversity of skills and experience, gender, age and geographical provenance in banks’ boards. In 2024 the ECB also raised its expectations regarding collective suitability, focusing on expertise in information and communications technology and security risks within the management body in its supervisory function.

A suitability assessment may result in the imposition of ancillary provisions when, based on the five fit and proper criteria, certain concerns about an appointee need to be addressed. Decisions containing an ancillary provision increased from 9.5% in 2023 to 14.5 % in 2024. The most common concerns raised in the fit and proper assessments in 2024 were about experience, conflicts of interest and collective suitability. This led to 55 conditions, 151 obligations and 20 recommendations in 2024, from 47, 179 and 21 respectively in 2023.

If there are material concerns about an appointee’s suitability, the ECB may deem it necessary to carry out a more in-depth assessment and may ultimately communicate its intention to adopt a negative decision. Banks then tend to withdraw the application during the supervisory dialogue. This occurred in 50 cases in 2024.

In 2024 the ECB initiated five reassessments of members of banks’ management bodies, mainly owing to concerns about reputation. It also continued to develop and promote IT tools for processing fit and proper procedures (see Section 5.2.3).

2.3 Enforcement and sanctioning measures, and whistleblowing

2.3.1 Enforcement and sanctioning measures

Under the SSM Regulation and the SSM Framework Regulation, the allocation of enforcement and sanctioning powers between the ECB and the NCAs depends on the nature of the alleged breach, the person responsible and the measure to be adopted. The penalties imposed by the ECB within the remit of its supervisory tasks and the penalties imposed by the NCAs at the request of the ECB are published on the ECB’s web page on supervisory sanctions.

Sanctions are intended to punish misconduct and act as a deterrent not only to the supervised entity concerned but also to the banking sector as a whole. Enforcement measures, such as periodic penalty payments, are designed to compel supervised entities to comply with prudential requirements set out in supervisory decisions or regulations.

In 2024 the ECB handled eight enforcement and sanctioning proceedings. Of these, seven were sanctioning proceedings, which led to three ECB decisions^[46], and one was an enforcement proceeding, which was ongoing at year-end (Table 12).

In addition, in 2024 the ECB issued 13 binding supervisory decisions on climate-related risks envisaging the accrual of periodic penalty payments for each day of infringement should the banks concerned fail to comply with prudential requirements set out in these ECB decisions. Four of these decisions contained prudential requirements on strengthening the process for identifying climate-related and environmental risks. The ECB notified the supervised entities concerned of these four decisions in early 2024, but the proceedings had started in 2023. 18 decisions on the same topic, and which also envisaged the accrual of periodic penalty payments should the banks fail to comply, had been notified to entities in 2023. The remaining nine decisions notified in 2024 contained prudential requirements on the integration of climate and environmental risks into banks’ governance, strategy and risk management frameworks.

All seven sanctioning proceedings handled in 2024 were related to suspected breaches of directly applicable EU law (ECB decisions and regulations included) committed by six significant institutions. Four of these proceedings were finalised in 2024 with three ECB decisions imposing five penalties amounting to €15,625,000. These penalties were imposed on three supervised entities. The first decision imposing two penalties related to breaches of requirements set out in ECB decisions on internal models, the second decision imposing two penalties related to the misreporting of own funds requirements for foreign exchange risk and credit risk, and the third decision imposing one penalty related to the reporting of inaccurate information on own funds requirements and risk-weighted assets for credit risk.

The enforcement proceeding handled in 2024 concerned the failure of one significant institution to comply with ECB decisions requiring it to reinforce its process for identifying climate-related and environmental risks by a specified deadline in 2024. This governance-related enforcement proceeding was ongoing at the end of 2024.

Chart 4 provides a breakdown by area of infringement of the enforcement and sanctioning proceedings handled by the ECB in 2024 as well as proceedings finalised between 2020 and 2023.

Chart 4

Enforcement and sanctions activity per area of infringement between 2020 and 2024

(number of proceedings)

Following previous requests from the ECB to open proceedings and having assessed the cases in accordance with their national law, one NCA imposed one pecuniary penalty amounting to €97,500 in 2024. Further information on pecuniary penalties imposed by NCAs at the request of the ECB can be found on the ECB’s web page on supervisory sanctions.

Detailed information, including comprehensive statistics on the sanctioning activities that the ECB and the NCAs carried out in 2024 in relation to breaches of prudential requirements, will be presented in the Annual Report on Sanctioning Activities in the SSM in 2024. The report will be published on the ECB’s banking supervision website in the second quarter of 2025.

2.3.2 Other pecuniary measures

Under the SSM Regulation, for the exclusive purpose of carrying out its supervisory tasks, the ECB exercises the powers available to NCAs pursuant to relevant national laws. In this regard, in 2021 the ECB imposed on two significant institutions administrative measures available to an NCA under its national law implementing the Capital Requirements Directive. The national administrative measures imposed were not punitive in nature and consisted of payments of interest amounting to approximately €21.5 million for breaches of large exposure limits requirements. Following the annulment of the ECB’s decisions by the Court of Justice of the European Union in 2024, the ECB, taking into account the Court’s judgment, adopted a new decision imposing interest payments of approximately €10.2 million in one of these cases. A new decision was not adopted in the second case, as the entity had ceased to exist.

2.3.3 Whistleblowing

Under Article 23 of the SSM Regulation, the ECB is required to ensure that effective mechanisms are put in place to enable any person to report breaches of relevant EU law, a process commonly referred to as whistleblowing. Accordingly, the ECB operates an online whistleblowing platform.

The ECB ensures full confidentiality of the whistleblowing reports received through the web platform or other channels (e.g. email or post) and takes into account all available information when carrying out its supervisory tasks.

The ECB received 421 whistleblowing reports in 2024, up from 355 in 2023. Of these reports, 124 referred to alleged breaches of relevant EU law, 117 of which were considered to be within the ECB’s supervisory remit and seven within that of the NCAs. The remainder referred mainly to alleged breaches of non-prudential requirements (e.g. consumer protection) and therefore fell outside the scope of the whistleblowing mechanism.

Within the ECB’s supervisory remit, the most common alleged breaches reported related to governance issues (86%) and the calculation of own funds and capital requirements (8%). Governance-related issues mainly concerned risk management and internal controls, fit and proper requirements, organisational structure and management body functions. The complete breakdown is shown in Chart 5.

Chart 5

Alleged breaches reported via the whistleblowing mechanism

(percentages)

The relevant Joint Supervisory Teams were made aware of the information reported via the whistleblowing mechanism and decided on the appropriate follow-up action.

The main investigatory actions taken in 2024 in relation to whistleblowing reports on breaches of relevant EU law received in the course of the year, or previously, included:

• internal assessment based on existing documentation (44%);
• request for documents or explanations from the supervised entity (43%);
• request for an internal audit or on-site inspection (10%);
• interview of the accused persons (3%).

3 Contributing to crisis management

3.1 Crisis cases in 2024

In 2024 no significant institutions were assessed as failing or likely to fail in accordance with Article 18(1)(a) and Article 18(4) of the Single Resolution Mechanism Regulation^[47]. The macroeconomic environment in 2024 was favourable for banks, particularly with regard to profitability. However, looking ahead, banks will need to adapt to heightened geopolitical risks, structural change, climate and environmental risks, and a less favourable macroeconomic outlook.

3.2 Interaction with the Single Resolution Board

The ECB and the Single Resolution Board (SRB) continued their close cooperation in 2024. The Chair of the ECB’s Supervisory Board and the Chair of the SRB had regular exchanges and visited several national competent authorities (NCAs) and national resolution authorities together. There were also frequent exchanges between the ECB and the SRB at management and expert levels.

Regular interactions between the ECB’s Joint Supervisory Teams and the SRB’s Internal Resolution Teams continued to be an essential part of the cooperation between the two organisations. Cooperation was particularly close for banks under the ECB’s crisis management framework. This was supported by the bilateral Memorandum of Understanding between the ECB and the SRB on cooperation and information exchange and the dedicated Memorandum of Understanding on the exchange of confidential data, which was signed in 2023.

The ECB and the SRB continued to cooperate on policy topics of common interest. The organisations ensured that they were closely aligned on the reform of the crisis management and deposit insurance framework from a supervisory and resolution perspective. Moreover, the ECB and the SRB continued their joint efforts on liquidity measurement and reporting. In 2024 they completed the second annual joint liquidity exercise, which tests banks’ crisis preparedness based on the jointly developed liquidity template.

In 2024 the ECB and the SRB participated in dry-run exercises as part of their common objective to assess existing capabilities and enhance crisis preparedness. They also took part in the Trilateral Principal Level Exercise, which involved resolution authorities, supervisory authorities, central banks and finance ministries from the United States, the United Kingdom and the banking union. In addition, the ECB and the SRB participated in the Nordic-Baltic Crisis Simulation Exercise to test their preparedness for a potential crisis situation.

In line with the regulatory framework, the SRB was consulted on the recovery plans submitted to the ECB by significant institutions. In turn, the SRB consulted the ECB on draft resolution plans and on the calculation of the proposed restatements to be paid to the Single Resolution Fund by significant institutions in accordance with the Single Resolution Mechanism Regulation.

3.3 Crisis management involving less significant institutions

Crisis management involving less significant institutions (LSIs) requires close cooperation between the relevant NCA and the ECB. Although supervisory responsibility for LSI crisis management lies with the NCAs, the need for intensified cooperation and information sharing arises when an LSI approaches the point of non-viability, as the ECB is responsible for licence withdrawals.

In the early stages of a crisis triggered by a deterioration of an LSI’s financial situation, the relevant NCA informs the ECB through an official notification. The ECB received 11 such notifications from NCAs in 2024.

After a notification of financial deterioration is submitted, crisis management contact groups are generally set up, unless the NCA responsible or the ECB identifies justified reasons to opt out. These groups – which comprise representatives from the relevant ECB business areas and NCAs – can be established following capital breaches, a deterioration in asset quality or liquidity position, or severe deficiencies in internal governance or control systems. 12 crisis management contact groups were in place over the course of the year. As in previous years, these groups ensured that crises were closely monitored and supervisory actions were taken in a timely and coordinated manner. In 2024 there was one withdrawal of a banking licence and one case of a licence lapsing, i.e. the LSI concerned proactively surrendered its banking licence.

In 2023 the ECB and the NCAs worked together to simplify the LSI Crisis Management Cooperation Framework to streamline information sharing among relevant stakeholders and strengthen the approach for managing future LSI crisis cases. The revised joint supervisory standards came into force on 1 January 2024.

4 Interinstitutional cooperation

4.1 European and international cooperation

4.1.1 Cooperation with other EU supervisory authorities and authorities from non-EU countries

In 2024 the ECB further strengthened its cooperation with other supervisors across borders and sectors, including by negotiating additional memoranda of understanding (MoUs) (Table 13).

4.1.1.1 The ECB and colleges of supervisors

For significant banking groups with operations outside of the banking union, the ECB participates in colleges of supervisors. This enables the ECB to develop coordinated supervisory approaches and decisions and to ensure common work programmes with other supervisory authorities involved in the supervision of the same cross-border banking group. The ECB organises colleges in cases where, as home supervisor, it is the authority responsible for supervising a banking group on a consolidated basis. Alternatively, the ECB is the host supervisor of specific entities within a banking group. In this case, it participates in colleges of supervisors when invited by the home supervisor. Outside of colleges of supervisors, the ECB also cooperates with a number of international supervisors. For example, it participates in trilateral meetings with the Bank of England and the Federal Reserve System.

4.1.1.2 Strengthening cooperation with national market conduct authorities and non-SSM EU authorities

Significant banking groups conduct operations in markets in financial instruments, so the ECB cooperates with national market authorities in the EU in line with Union law. In 2024 the ECB concluded a supervisory MoU with the Spanish National Securities Market Commission (Comisión Nacional del Mercado de Valores – CNMV).

The ECB continued to strengthen information sharing and cooperation with the national supervisory and resolution authorities in the six EU Member States not participating in European banking supervision regarding the operations of significant banking groups in those countries. In 2024 it concluded MoUs with the Single Resolution Board and the respective national supervisory and resolution authorities of the six non-SSM EU Member States.

4.1.1.3 Cooperation with other sectoral supervisors in the EU and non-EU prudential supervisors

The ECB acts as coordinator for significant banking groups that are identified as financial conglomerates and subject to supplementary supervision. In this regard, it cooperates closely with the relevant competent authorities responsible for the supervision of the other regulated entities belonging to the financial conglomerate and with the European Insurance and Occupational Pensions Authority (EIOPA).

In 2024 the ECB strengthened its exchanges with EIOPA and the national insurance supervisory authorities involved in the supplementary supervision of financial conglomerates by organising workshops to discuss common supervisory challenges and identify ways to further improve the effectiveness of supplementary supervision.

The ECB published new supervisory MoUs concluded with the Superintendencia de Servicios Financieros del Banco Central del Uruguay, the Banking Regulation and Supervision Agency of Türkiye and the Guernsey Financial Services Commission. In addition to the regular and structured dialogue with authorities such as the UK Prudential Regulation Authority and the Federal Reserve System, the ECB also hosted several topical and bilateral meetings with the banking supervisory authorities from other non-EU countries to discuss issues of common concern, including the supervision of financial conglomerates and climate-related financial risks.

In 2024 the ECB also further strengthened its cooperation with non-EU prudential supervisors on the use of supervisory technology. This included collaborating with the Federal Reserve System, the Bank of England and the United Kingdom’s Financial Conduct Authority in interdisciplinary, cross-functional “tiger teams”. The ECB also played an active role in the BIS Innovation Network, a collaboration platform promoted by the BIS Innovation Hub to enable knowledge sharing and foster cooperation among central banks and supervisory authorities worldwide through its dedicated expert working groups.

4.1.1.4 The ECB and anti-money laundering: latest developments

At present, the responsibility for the supervision of credit and financial institutions in the area of anti-money laundering and combating the financing of terrorism (AML/CFT) lies exclusively at the national level. Nevertheless, prudential and AML/CFT authorities must collaborate and cooperate closely in order to fulfil their respective mandates.

As in previous years, the ECB reflected money laundering and terrorist financing risks in prudential supervision^[48] and provided policy support in preparation for the EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA).

In 2024 the ECB continued to exchange supervisory information with AML/CFT authorities. This included participating as an observer and exchanging information in 66 AML/CFT colleges established for significant institutions.^[49] The ECB also reported material AML/CFT weaknesses to the central database of the European Banking Authority (EBA), EuReCa.

The ECB participated as an observer in the EBA’s Standing Committee on AML/CFT. In parallel, its main policy focus was on the new EU AML/CFT legislative package published in June 2024. The ECB supports this regulatory development and, in particular, advocated for a legislative framework facilitating effective cooperation and information exchange between all financial AML/CFT supervisors in the AML/CFT supervisory system and the relevant non-AML/CFT authorities. It has started contributing to the preparatory work conducted by the EBA following the European Commission’s request for advice on regulatory technical standards and guidelines under the new AML/CFT framework.

As prudential supervisor, the ECB is preparing for a close and smooth cooperation with AMLA and sharing lessons learned from the creation of the SSM with the Commission and its dedicated task force. The ECB has also started preparatory work on a MoU between the ECB and AMLA, as foreseen in the legislative package.

4.1.1.5 IMF Financial Sector Assessment Programs

The Financial Sector Assessment Programs (FSAPs) of the International Monetary Fund (IMF) are comprehensive in-depth assessments of a country’s financial sector.

In 2024 the IMF conducted the second FSAP for the euro area, which is set to be concluded in 2025. The IMF assesses the compliance of the euro area’s regulatory framework and the SSM’s supervisory practices with the Basel Core Principles, which were revised in April 2024 to include strengthened requirements related to, among other things, climate-related financial risks and emerging risks, operational resilience and business model sustainability, as well as the role of European banking supervision in crisis management. It also performs a top-down stress test covering significant institutions. The IMF also assesses the implementation of the recommendations addressed to the ECB and the EU co-legislators in the previous FSAP for the euro area, which was completed in 2018.

In 2024 the IMF concluded the national FSAPs for Luxembourg, the Netherlands and Spain, continued work on the exercise for Slovakia and launched the FSAP for France. National FSAPs assess non-banking topics, such as domestic insurance and macroprudential frameworks, and entail a holistic assessment of banking issues, especially those that fall within the remit of national authorities supervising less significant institutions or aspects related to AML/CFT, while taking into account that further work is needed to complete the banking union.

The ECB’s involvement in national IMF Article IV consultations for countries participating in European banking supervision relates to microprudential and macroprudential issues, in line with the ECB’s responsibilities in these areas.

4.2 Contribution to developing the European and international regulatory framework

4.2.1 Contributing to the work of the Financial Stability Board

As a member of the Financial Stability Board (FSB), ECB Banking Supervision actively participated in the meetings of the FSB Plenary, the Standing Committee on Supervisory and Regulatory Cooperation, the Standing Committee on Standards Implementation, the Resolution Steering Group and the Regional Consultative Group for Europe. It contributed to various FSB initiatives, including reviewing lessons from the 2023 banking turmoil to strengthen crisis preparedness and resolution frameworks, advancing efforts on climate-related financial risks and disclosures and assessing the implications of transition plans for financial stability. It supported the evaluation of the effects of the G20 financial reforms on securitisation, participated in the stocktake on supervisory approaches to nature-related financial risks and contributed to work on cross-border regulatory challenges of global stablecoins in emerging markets. In addition, it collaborated on developing the incident reporting exchange framework.

4.2.2 Contributing to the work of the Basel Committee on Banking Supervision

In 2024 the ECB continued to contribute significantly to the work of the Basel Committee on Banking Supervision (BCBS). It participated in several workstreams, providing expertise in BCBS groups and cooperating with Basel Committee members within the EU and across the globe.

In particular, representatives from the ECB co-chaired and helped to steer the work of two Basel Committee groups. The Vice-Chair of the ECB’s Supervisory Board, Frank Elderson, co-chaired the Task Force on Climate-related Financial Risks (TFCR) alongside Kevin Stiroh, Senior Adviser at the Federal Reserve Board, while Korbinian Ibel, Director General of Universal and Diversified Institutions co-chaired the Policy and Standards Group (PSG) with Arthur Yuen, Deputy Chief Executive of the Hong Kong Monetary Authority.

Key milestones of the TFCR’s work in 2024 included the publication of a discussion paper on the use of climate scenario analysis and the review of the feedback received in response to its consultation paper on a Pillar 3 disclosure framework for climate-related financial risks. The TFCR also continued to address some of the Basel Committee’s other strategic priorities, including assessing the materiality of gaps in the current Basel Framework, examining banks’ transition planning and monitoring the implementation of the Principles for the effective management and supervision of climate-related financial risks.

In 2024 the PSG played a key role in the final publication of (i) the Guidelines for counterparty credit risk management, (ii) the disclosure framework for banks’ crypto-asset exposures and some targeted amendments to its crypto standard, (iii) targeted adjustments to its standard on interest rate risk in the banking book, and (iv) a report on existing practices to support jurisdictions that wish to apply positive cycle-neutral rates. In addition, the PSG contributed to the launch of the consultation on measures to address window-dressing behaviour by banks in the context of the framework for global systemically important banks and the consultation on the principles for the sound management of third-party risk.

Outside of these two groups, the ECB also contributed to, among other things, the final publication of revisions to the Core principles for effective banking supervision and to work on liquidity and supervisory effectiveness as part of the Basel Committee’s follow-up initiatives related to the banking turmoil of March 2023.

4.2.3 Contributing to the work of the European Banking Authority and European policymaking

In 2024 ECB Banking Supervision continued to work closely with the EBA to promote consistent supervision across the European banking sector and to foster the safety and soundness of credit institutions and the stability of the financial system.

The ECB and the EBA signed an MoU on 18 March 2024 on the establishment of the Joint Bank Reporting Committee with a view to improving integration and reducing banks’ regulatory reporting costs. Both institutions were also involved in discussions on the draft methodology and narrative for the 2025 EU-wide stress test exercise as well as possible ways to improve stress testing, building on the latest regulatory changes.

In the context of the Basel III reforms, the ECB provided input for several of the EBA’s regulatory projects. In addition, it contributed to the EBA’s consultation on draft guidelines for managing environmental, social and governance (ESG) risks, and to the development of draft consultation papers on ESG disclosures and ESG supervisory reporting.

The ECB supported the EBA’s policy work on the implementation of the Markets in Crypto-assets Regulation and the Digital Operational Resilience Act, including for the expansion of the outsourcing guidelines to third-party arrangements.

In addition to their work with the EBA, ECB staff prepared a public contribution to the European Commission’s targeted consultation on the functioning of the EU securitisation framework. This contribution leverages and complements the EBA’s advice from December 2022 and the reports prepared by the Joint Committee of the European Supervisory Authorities pursuant to Article 44 of the Securitisation Regulation.

5 Organisation of ECB Banking Supervision

5.1 ECB Banking Supervision staffing

5.1.1 Hiring

ECB Banking Supervision generally advertises vacant positions internally first, except for entry-level positions, which are advertised on the external market. In 2024 ECB Banking Supervision hired 53 candidates from external campaigns for longer-term positions.

Chart 6

Number of appointments per staff group in 2024

5.1.2 Swap programmes

Following the staff exchange programme established in 2023 with the European Insurance and Occupational Pensions Authority, the Single Resolution Board (SRB), the European Securities and Markets Authority and the European Investment Bank (EIB), a second edition was launched with the SRB and the EIB in 2024, resulting in 12 pairs of staff members swapping their roles.

5.1.3 Capability building

ECB Banking Supervision conducts periodic organisational readiness assessments (mainly for JSTs and on-site teams) to evaluate its capabilities in relation to ongoing tasks and potential supervisory priorities. These assessments are used to update the capability building plan, which enables the organisation to prioritise talent development and related initiatives in areas with lower readiness.

In 2023-24 ECB Banking Supervision focused on capability building for supervisory tasks related to IT outsourcing, IT security, cyber risks and the ECB’s new mandate under the Digital Operational Resilience Act.

Training efforts were also intensified in all areas of banking supervision. Two new training programmes were introduced in 2024: the SSM Induction Programme for newcomers and the SSM Foundation Programme, which is designed to equip banking supervisors with a common level of core technical knowledge and skills in traditional and emerging supervisory topics. The pilot phase of the SSM Foundation Programme was concluded in June 2024.

A comprehensive climate and nature-related risks learning path, targeting different roles and functions, was launched in February 2024. 1,000 banking supervisors completed the training in 2024.

In addition, the SSM digital learning tools were further developed with the aim of strengthening supervisors’ knowledge of the role of artificial intelligence (AI) in banks, IT risk supervision and other core digitalisation and innovation topics. In 2024, 2,050 supervisors took part in the training.

In 2025 work to enhance the training offer in the three focus areas will continue to exploit the ECB’s established collaborative partnerships, with a particular focus on the latest developments in banking supervision.

5.1.4 Diversity and inclusion

ECB Banking Supervision strives to create a working culture that harnesses the power of diversity and inclusion and enables every colleague to bring their authentic selves to the workplace. As part of this vision, achieving gender balance remains a key strategic priority. In ECB Banking Supervision, 42% of employees are women. The share of women varies across the levels of hierarchy. Women account for 49% of staff at analyst level and 42% at expert level. At the team lead and management levels, the share is 33% and 35% respectively, while 42% of senior management roles are held by women. The ECB will continue to strengthen its efforts to achieve gender balance.

Figure 1

ECB Banking Supervision workforce in figures

5.2 Digitalisation, data reporting framework and information management

5.2.1 Digital agenda and SSM tech strategy

In 2024 the ECB’s Supervisory Board approved a new technology strategy for European banking supervision covering the period from 2024 to 2028 – the SSM tech strategy. With the banking sector becoming more complex and supervisory resources more limited, the strategy holistically addresses the digital needs of European banking supervision in order to strengthen effective, risk-based supervision.

The SSM tech strategy builds on existing core systems and the implementation of 14 supervisory technology (suptech) applications. It comprises two fundamental pillars: technology and people. By focusing on both, it will advance supervisory practices through cutting-edge technology while keeping supervisors at the heart of technological developments.

Under the technology pillar, the strategy seeks to simplify and consolidate the IT landscape to foster efficient and cohesive supervision that benefits supervisors and banks alike. Key objectives include integrating core systems and suptech tools and decommissioning legacy systems. In this vein, Project Olympus seeks to create a more integrated IT landscape across European banking supervision. To this end, it will create a unified supervision cockpit – a customisable platform providing supervisors with essential information to streamline tasks, enhance efficiency and improve team collaboration. It will also consolidate the channels that banks use to exchange information with the ECB into a single SSM portal. This will significantly reduce banks’ reporting efforts and simplify related communication between banks and supervisors.

The SSM tech strategy also emphasises the responsible use of generative AI to strengthen supervisory processes. For example, a large language model enhancement of Athena – European banking supervision’s AI platform for textual analysis – will allow supervisors to process vast amounts of documents, extract information and efficiently draft texts.

The second pillar, people, is equally important. Under the SSM tech strategy, all tools are designed to meet the needs of supervisors. The strategy also emphasises the importance of providing high-quality training and fostering a digital culture across all levels and functions. This approach ensures that supervisors fully understand new technologies and know how to make the best possible use of them.

Implementing the SSM tech strategy for 2024-28 will provide supervisors with the right tools and technologies to carry out their tasks effectively. This will have positive implications for banks: a modern and streamlined IT landscape will foster consistent, efficient and more timely supervision, reduce the reporting burden, increase transparency and, ultimately, help to ensure a safe and sound European banking sector.

5.2.2 Developments in the data reporting framework

The ECB and the NCAs are preparing for the implementation of the updated EBA reporting framework, which includes changes in content and reflects new requirements stemming from CRR III and CRD VI. It also introduces a new taxonomy architecture, with an expected first reference date of 31 March 2025.

To comply with the reporting requirements introduced in CRR III, banks are having to make several technical adaptations to their internal reporting systems within a limited time frame. For example, the implementation of the output floor generates additional data needs for banks that use internal risk-based models. Given the new rules, and in order to reduce the implementation costs for banks and give them sufficient time to prepare, the deadline for reporting supervisory information subject to the updated framework was extended to 30 June 2025. In addition to reporting under the updated EBA framework, supervisors also ask banks for ad hoc information that they need to carry out their supervisory tasks, for example, to monitor developments in emerging risks. The ECB maintains a database of such ad hoc data collections to monitor and manage the reporting burden.^[50] Banks should be in a position to respond to these challenges in order to meet supervisory expectations regarding good data governance and data aggregation capabilities.

In 2024 the ECB developed a methodology to identify significant resubmissions of supervisory data within the scope of the EBA’s implementing technical standards (ITS) and to collect explanations on the nature and root causes of the resubmissions. The methodology built on the insights gained from the pilot exercise conducted by the ECB in 2023.

The ECB shared its annual Management report on data governance and data quality with banks (see Section 1.2.3.2). It includes bank-level quantitative indicators and a questionnaire and aims to increase management body accountability. This helps supervisors and banks identify and address deficiencies in risk data aggregation and risk reporting.

As part of its ongoing efforts to manage reporting costs, the ECB assesses data collections on business model and capital adequacy with a view to identifying areas that could be streamlined and standardised. This should enable supervised institutions to meet expectations more effectively with regard to risk data aggregation and risk reporting capabilities (see Section 1.2.3.2).

In 2024 the ECB expanded its quarterly supervisory banking statistics by adding more granular breakdowns of the non-performing loans ratio and loans and advances with a significant increase in credit risk. The year-to-date figures in the profit and loss tables were adjusted to reflect a linear annualisation, making it easier to compare data across different time periods. Significant improvements were also made to the publication timeline of the quarterly supervisory banking statistics, allowing earlier release dates (reduction from 40 to 30 working days after the ITS remittance date).

Finally, the ECB performed its annual reconciliation exercise between selected Pillar 3 disclosures and supervisory reporting, focusing on banks’ exposures to climate risks. This exercise led to substantial improvements in data consistency and quality. The extracted data were published on the ECB’s banking supervision website, together with an accompanying note highlighting the key results.

5.2.3 Information management

The Information Management System (IMAS) is the suite of core IT systems that support supervisory processes. It is used by European banking supervisors and supervised entities to connect digitally and access shared information.

In 2024 IMAS continued to evolve and adapt to changes in the financial system and its regulation, and to the supervisory methodology and strategy. The main changes to IMAS were related to the reform of the Supervisory Review and Evaluation Process (SREP) (see Section 1.3.1). In IMAS, supervisors can now start their annual risk assessments earlier, according to risk type, and can more easily integrate the outcome of other supervisory processes into the SREP as well as into the ECB’s escalation framework of supervisory measures.

In addition, ahead of the entry into force of the Digital Operational Resilience Act, a new process was implemented to enable the automated reception of major incident reporting from supervised entities and its subsequent supervisory assessment in IMAS.

There were also enhancements to other supervisory processes in IMAS in 2024. These included on-site inspections and internal model investigations, significance assessments, enforcement and sanctioning procedures, recovery plan assessments, the supervisory examination programme and its operational planning, and the data warehouse and information services that produce self-service reports and dashboards with all available supervisory data.

Moreover, new processes that allow digital interaction between supervised entities and supervisors were also added to the IMAS portal. This included (i) online monitoring of outstanding supervisory measures and their remedial actions; (ii) credit quality review on-site inspections; and (iii) updates to existing processes, including the assessment of fit and proper and licence applications and the acquisition of qualifying holdings. The online form for fit and proper assessments was also improved, making the process easier for supervised entities submitting new applications.

6 European banking supervision governance

6.1 Accountability requirements

This Annual Report constitutes one of the main accountability channels for ECB Banking Supervision vis-à-vis the European Parliament and the Council of the European Union, as stipulated by the SSM Regulation. The Regulation provides that the ECB’s supervisory tasks are subject to appropriate transparency and accountability requirements. The ECB attaches great importance to maintaining and fully applying the accountability framework that is set out in further detail in the Interinstitutional Agreement between the European Parliament and the ECB and in the Memorandum of Understanding between the Council of the EU and the ECB. Over the years, the ECB has broadened the scope of its interactions with the European Parliament beyond those mentioned in the Interinstitutional Agreement, further underlining the importance that the ECB attaches to accountability.

In 2024 the Chair of the Supervisory Board appeared before the European Parliament’s Committee on Economic and Monetary Affairs in three regular public hearings. In her public hearing on 21 March, the Chair presented the ECB Annual Report on supervisory activities 2023. The other two regular public hearings took place on 2 September and 18 November. The discussions focused on challenges for banks, in particular the macroeconomic uncertainty, digitalisation, climate and environmental risks and geopolitical risk. The Chair also explained the recent efforts to strengthen supervision. Discussions centred on the implementation of Basel III and the legislative files to strengthen the banking union, such as the review of the bank crisis management and deposit insurance (CMDI) framework and the European deposit insurance scheme (EDIS).

In 2024 the Chair of the Supervisory Board responded to three written questions from Members of the European Parliament (MEPs) on banking supervision-related matters and, in line with the ECB’s reporting requirements with respect to national parliaments, to one written question from a member of a national parliament. All the reply letters to Members of Parliament were published on its website. The letters covered interest rates on deposits, mortgages on homes with defective blocks, capital requirements and the competitiveness of EU banks, as well as operational resilience amid the digital transformation.^[51]

In line with the Interinstitutional Agreement, the ECB also made the records of proceedings of its Supervisory Board meetings and the summaries of Supervisory Board seminars available to the European Parliament.

In addition, to further strengthen the dialogue with the European Parliament, ECB Banking Supervision responded to the comments and suggestions provided by the European Parliament in its Resolution on banking union – annual report 2023. In its feedback, the ECB commented on developments in the banking sector and on legislative files relevant to banking supervision. This included interest rate and asset quality risks, Russia’s invasion of Ukraine, banks’ exposures to environmental, social and governance risks, the CMDI framework and EDIS, anti-money laundering, and diversity in the boards of financial institutions.

With regard to interactions with the Council of the EU in 2024, the Chair of the Supervisory Board participated in two exchanges of views with the Eurogroup, on 13 May and 4 November. Around the time of these discussions, the ECB published an overview of its relevant supervisory activities^[52]. The main topics discussed were the first decade of European banking supervision, the state of the European banking system in the current macroeconomic and geopolitical environment, supervisory priorities and regulatory and institutional issues.

6.2 Transparency and communication

In 2024 the Chair and Vice-Chair of the Supervisory Board gave 33 speeches, while its ECB representatives gave 11 speeches. Together, they gave 23 interviews and posted nine blog posts and opinion pieces. The Chair also held one press conference on the results of the Supervisory Review and Evaluation Process (SREP) for 2024. ECB Banking Supervision released two podcast episodes and published 22 press releases, as well as other items such as letters to MEPs, guidance to banks and supervisory statistics. The quarterly Supervision Newsletter, a digital publication with more than 10,000 subscribers, provided information and updates on ongoing supervisory projects and findings. The ECB also highlights relevant European banking supervision topics on its social media channels, using quizzes and reels to explain basic concepts to younger audiences.

In 2024 ECB Banking Supervision conducted its first cyber resilience stress test and launched three public consultations. These consultations covered the Guide on governance and risk culture (see Section 1.2.3.1) the Guide on outsourcing cloud services to cloud service providers (see Box 1) and the revised policies on the options and discretions available to supervisory authorities under EU law (see Box 3). Following up on the expert group’s review of the SREP and the feedback from the European Court of Auditors, the ECB revised the SREP to make sure its supervisory processes remain effective and efficient. A blog post by the Chair and a set of FAQ outlined the main elements of the new SREP (see Section 1.3.1).

To foster dialogue with market professionals, the ECB held two meetings of the Banking Supervision Market Contact Group, with discussions focusing on the risk outlook for the European banking sector, banks’ valuations in an international context and their IT and cyber resilience. In addition, when visiting the national competent authorities, the Chair of the Supervisory Board also met with representatives from civil society organisations in 13 countries.

In 2024 the ECB dealt with 923 public enquiries on banking supervision topics. Specifically, it responded to questions on climate-related risk, the cyber resilience stress test, banking licences and authorisations, and supervisory policies and frameworks, particularly concerning internal models. In the Visitor Centre, the ECB held lectures on banking supervision for 469 attendees and introduced 12,798 visitors to the key tasks of the ECB and the basics of European banking supervision.

6.3 Decision-making

6.3.1 Meetings and decisions of the Supervisory Board and Steering Committee

The ECB’s Supervisory Board met 14 times in 2024. Six meetings were held in Frankfurt am Main and one in Cyprus. The other meetings were held via videoconference.

In addition, upon invitation by Banka Slovenije, the Supervisory Board held a strategic retreat in Ljubljana in October 2024.

The Steering Committee^[53] of the Supervisory Board held four meetings in 2024, all of which were held via videoconference.

The Steering Committee held 12 additional meetings with a focus on digitalisation, simplification of SSM processes and SSM integration. All of these meetings were held via videoconference and participation was open to all Supervisory Board members who expressed an interest.

In 2024 the ECB took 2,174 supervisory decisions^[54] concerning specific supervised entities (Figure 2). Of these, 1,312 decisions were adopted by the ECB heads of work units in line with the general framework for delegating decision-making powers for legal instruments related to supervisory tasks. 845 decisions were adopted by the Governing Council under the non-objection procedure on the basis of a draft proposal of the Supervisory Board. These numbers include 123 operations (such as the establishment of branches) that the ECB implicitly approved by not objecting within the legal deadlines.

The bulk of the supervisory decisions were related to fit and proper assessments (50.7%), own funds (12.2%), national powers (9.0%), internal models (6.9%), the SREP (4.4%), and qualifying holdings (4.2%).

In addition to the bank-specific final draft decisions submitted to the Governing Council for adoption, the Supervisory Board decided on several horizontal issues. Most notably, these decisions related to the SSM tech strategy for 2024-28, IT risk supervision, the 2024 cyber resilience stress test exercise, the implementation of the Digital Operational Resilience Act in the supervisory framework, the review of the ECB framework for the exercise of options and discretions, climate-related and environmental issues, further enhancing the SREP framework, and the supervisory priorities for 2025-27. Some of these decisions were prepared by temporary structures mandated by the Supervisory Board. These structures comprised representatives from the ECB and the national competent authorities who carried out preparatory work on the relevant topics.

Moreover, some decisions by the Supervisory Board resulted in public guides, reports and reviews, such as the update of the ECB Guide to internal models.

The Supervisory Board took most of its decisions by written procedure.^[55]

Of the 113 banking groups directly supervised by the ECB as of January 2024, 32 asked to receive formal ECB decisions in an EU official language other than English.

Figure 2

Decisions by the Supervisory Board in 2024

6.3.2 Activities of the Administrative Board of Review

The Administrative Board of Review (ABoR) is an ECB body comprising members who are individually and collectively independent from the ECB and are entrusted with the task of reviewing decisions adopted by the Governing Council on supervisory matters upon an admissible request for review.

In 2024 the ABoR received four requests for an administrative review of ECB supervisory decisions (Table 14). The ABoR Secretariat also received other correspondence which was forwarded to the competent ECB business areas. The ABoR held 21 meetings, of which 15 were virtual and six were in person, including an external meeting in Zagreb, Croatia.

Two requests for review related to the acquisition of a qualifying holding. In both cases, after hearing the applicants, the ABoR proposed to the Supervisory Board that the decision should be replaced by a decision of identical content. The third request, concerning a licence withdrawal, was found inadmissible by the ABoR. The fourth request was withdrawn by the applicant.

The ABoR also published a paper detailing its activities over the past ten years.

In 2024 the ABoR was chaired by Pentti Hakkarainen. Its other members were André Camilleri (Vice-Chair), F. Javier Aríztegui Yáñez, René Smits and Christiane Campill. Damir Odak was an alternate member. The mandates of Mr Camilleri, Mr Aríztegui Yáñez and Mr Smits expired in September 2024. The Governing Council appointed Edouard Fernandez-Bollo, Ilias Plaskovitis and Verica Trstenjak as their successors for a term of five years. The current composition of the ABoR is available on the ECB’s ABoR web page.

6.3.3 Areas of interest of the ECB representatives to the Supervisory Board

Pursuant to the SSM Regulation and ECB Decision 2014/4^[56], the Governing Council appoints four representatives of the ECB to the Supervisory Board. The representatives support the Chair and Vice-Chair of the Supervisory Board and represent ECB Banking Supervision internally and externally.

In 2024 the ECB representatives to the Supervisory Board were Kerstin af Jochnick, Edouard Fernandez-Bollo, Elizabeth McCaul and Anneli Tuominen. The terms of Ms af Jochnick, Mr Fernandez-Bollo and Ms McCaul came to an end during the year. The Governing Council appointed Patrick Montagner, Sharon Donnery and Pedro Machado as their successors.

6.4 Implementing the code of conduct

In accordance with Article 19(3) of the SSM Regulation, the ECB has established an ethics framework for high-level ECB officials, management and staff. It comprises the single Code of Conduct for high-level ECB officials, a dedicated chapter in the ECB Staff Rules and the Guideline laying down the principles of the Ethics Framework for the Single Supervisory Mechanism. The implementation and further development of the framework is supported by the ECB Ethics Committee, the Compliance and Governance Office (CGO) and the Ethics and Compliance Committee.

The enhanced rules for private financial transactions and related transparency obligations, which came into force in 2023, led to an increase in requests submitted to the Ethics Committee, particularly for obtaining prior authorisation for the sale of legacy assets. As of 2024 the ECB has also started publishing the private financial transactions carried out by high-level ECB officials during the previous calendar year as an annex to the annual declarations of interest.

In accordance with its mandate, the Ethics Committee carried out its yearly assessment of the Supervisory Board members’ declarations of interests before they were published on the ECB’s banking supervision website. The Committee also responded to requests for advice submitted by high-level ECB officials involved in banking supervision and, in this context, issued 16 opinions, most of which concerned post-employment notifications. Opinions of the Ethics Committee are published on the ECB’s website six months after the date they are issued.

In 2024 the CGO continued its digitalisation efforts with a view to providing staff with ethical advice in a faster and more user-friendly way. There were 3,070 requests requiring CGO staff input in 2024, compared with 2,767 in 2023. Approximately 44% of the requests for advice were submitted by ECB Banking Supervision staff. Lastly, the monitoring of conduct risks was enhanced by integrating the declarations of absence of conflict of interest for heads of missions and inspection team members in the IMAS portal.

Chart 7

Overview of requests received from ECB Banking Supervision staff in 2024

(number of requests)

In addition to training courses and e-learning programmes, the CGO organised information campaigns on the ethics framework, such as the Open Ethics Days for newcomers and the Ethics Awareness Season in October, and contributed to an ECB-wide whistleblowing awareness campaign. The 2024 Global Ethics Day for all staff members, supported by ECB leadership, included ethics awareness stands and offered refresher sessions on rules on private financial transactions, post-employment, meetings with external parties and accepting gifts and hospitality.

To avoid actual or perceived “revolving door” situations, the CGO assessed possible conflicts of interest arising from staff members considering job offers from the private sector, advised on the applicable rules and imposed mitigating measures, as appropriate. Of the staff resignations in 2024, six cases triggered a temporary prohibition on taking up another occupational activity in line with the ethics framework. In 19 cases, additional safeguarding measures, such as reassigning tasks, transferring staff to other positions and/or cutting access rights were imposed to avoid a revolving door situation, in effect internalising the cooling-off period.

The CGO organised its annual compliance monitoring exercise on staff members’ and high-level ECB officials’ private financial transactions. As in previous years, this exercise only identified a limited number of instances of non-compliance, of which approximately 55% were related to ECB Banking Supervision staff. None of these instances involved intentional misconduct or other serious cases of non-compliance.

The Ethics and Compliance Committee is a forum for exchange and collaboration within the Eurosystem and the SSM on matters related to ethics and integrity. In 2024 the Committee continued working on the implementation of SSM and Eurosystem ethics guidelines and organised thematic sessions with external speakers, which were attended by representatives from 50 European and international institutions. To mark Global Ethics Day, the Ethics and Compliance Committee launched a poster campaign with the theme “Ethics: our common compass”. It was produced in all EU languages, highlighting the shared commitment to strong ethics.

6.5 Principle of separation between monetary policy and supervisory tasks

In 2024 the principle of separation between monetary policy and supervisory tasks was mainly applied to the exchange of information between different policy areas.

In line with Decision ECB/2014/39 on the implementation of separation between the monetary policy and supervision functions of the ECB^[57], this exchange of information was subject to a need-to-know requirement: each policy function had to demonstrate that the information it was requesting from the other policy function was necessary to achieve its policy goals.

Under Decision ECB/2014/39, Executive Board approval is required for the exchange of non-anonymised common reporting (COREP) and financial reporting (FINREP) data, other raw data, and information containing assessments or policy recommendations. The business areas of the ECB’s two policy functions exchanged such data under the framework approved and periodically reviewed by the Executive Board.

Where the requested information pertained to anonymised data or non-policy sensitive information, access to confidential information was granted directly by the ECB policy function that owned the information, in line with Decision ECB/2014/39.

The sharing of data related to the impact of Russia’s invasion of Ukraine on the banking sector – which was activated under the emergency provision in Article 8 of Decision ECB/2014/39 in February 2022 – continues, subject to a strict need-to-know requirement.

Separation at the decision-making level did not raise concerns and no intervention by the Mediation Panel was required.

7 Reporting on budgetary consumption

7.1 Expenditure for 2024

The SSM Regulation requires the ECB to dedicate adequate resources to carrying out its supervisory tasks effectively. These resources are financed through a supervisory fee borne by the entities subject to direct and indirect supervision by the ECB. The ECB makes every effort to reprioritise and optimise its resources to ensure that the supervisory function can perform its tasks adequately in a changing environment, thus improving its effectiveness and containing its costs in line with the cost stabilisation commitment of the whole organisation.

The expenditure incurred for supervisory tasks is separately identifiable within the ECB’s budget. The expenditure incurred consists of the direct expenses of the ECB’s supervisory function. The supervisory function also relies on shared services provided by the ECB’s support business areas^[58].

The budgetary authority of the ECB is vested in its Governing Council. The Governing Council adopts the ECB’s annual budget, following a proposal by the Executive Board in consultation with the Chair and the Vice-Chair of the Supervisory Board for matters related to banking supervision. The Governing Council is assisted by the Budget Committee, which consists of members from all of the national central banks of the Eurosystem and the ECB. The Budget Committee assists the Governing Council by providing it with evaluations of the ECB’s reports on budget planning and monitoring.

In 2024 the actual annual expenditure on ECB supervisory tasks amounted to €680.6 million, 3.0% higher than the estimated expenditure of €661.0 million communicated in March 2024. This reflects better than expected utilisation of the budget, which reached 97.4% of the €698.9 million planned expenditure on supervisory tasks in 2024.

The classifications provided in Table 15 are used to identify the split of the annual costs to be recovered through annual supervisory fees from supervised entities based on their supervisory status as significant or less significant in accordance with Article 8 of the Fees Regulation^[59].^[60] Table 16 provides more granular information on the expenditure based on the activities performed.

In 2024 expenditure on supervisory tasks increased by 4.2% as compared with 2023, when it stood at €653.5 million. This €27.1 million year-on-year increase in total expenditure reflects a higher utilisation of the planned budget across supervisory functions, as well as ongoing inflation effects. In addition, intensified supervisory activities, namely in relation to the comprehensive leveraged finance portfolio review (see Section 1.3.5) and the regular asset quality reviews resulted in higher costs for off-site supervision and the surveillance function.^[61] Similarly, continuous developments and improvements to IT systems dedicated to banking supervision increased costs within the policy, advisory and regulatory functions, as well as in the supervisory statistics function in 2024. By contrast, costs for macroprudential tasks were lower, as no EU-wide stress tests coordinated by the European Banking Authority were conducted in 2024.

In addition to its internal resources, the ECB uses external consultancy services for specialised expertise or integrated consultancy under qualified guidance, particularly during peak workloads. In 2024 the ECB spent €42.1 million on consultancy services for core supervisory tasks, an increase of €8.2 million as compared with 2023. This expenditure included €11.3 million for IT system developments, €18.7 million for supervisory initiatives (see Sections 2.1.1.2 and 1.3.5) and €11.8 million for on-site supervision tasks, including cross-border missions. More information on these activities can be found in Chapter 1. In addition, consultancy costs of €10.5 million were incurred by the areas that support the ECB’s supervisory function and these were primarily related to the operation and maintenance of IT systems.

In 2024 there was an increase of €1.7 million in expenditure on business travel related to supervisory activities as compared with 2023, with total expenditure amounting to €13.1 million. This reflects increased costs related to the internalisation of resources for on-site activities as well as higher prices related to business travel.

The split of costs between expenditure directly attributable to ECB supervisory tasks and expenditure on shared services was broadly similar to the previous year (Chart 8).

Chart 8

Cost of ECB supervisory tasks by cost category

(EUR millions)

The directly attributable expenditure, amounting to €410.5 million in 2024, is composed of core supervisory staff costs, supervisory initiatives (including costs relating to asset quality reviews) and other operating expenditure such as business travel and training. It also includes current expenditure on dedicated information technology, such as the Information Management System (IMAS) and the Stress Test Account Reporting platform (STAR) and related projects, as well as suptech developments (see Section 5.2.1).

Expenditure in the shared services category amounted to €270.2 million, encompassing services that are used by both the central banking function and the supervisory function.^[62] These costs are split between the two functions using a cost allocation mechanism applying industry standard metrics such as full-time equivalents, office space and number of translation requests. As the ECB is committed to rigorously pursuing efficiency improvements, it routinely refines the cost allocation metrics.

In 2024 expenditure on directly attributable information technology and related projects includes the amortisation expenses for IMAS and STAR, amounting to €18.9 million.

The total spending on directly attributable costs increased by €7.5 million in 2024 as compared with 2023, reflecting increased activities related to supervisory initiatives and the development and maintenance of IT systems dedicated to banking supervision. The €14.6 million increase in these cost categories was offset by reduced staff-related costs compared with 2023, as no biennial stress tests were conducted in 2024. Staff cost expenses for internal staff involved in supervisory initiative activities are recorded under the supervisory initiatives category rather than under the staff-related costs category.

The year-on-year increase in shared services costs reflects costs associated with investments in IT hardware and IT services categorised under information technology services. Additional increases across all shared services were generally in line with the inflation rate but also reflect additional costs for 2024, including ECB contributions to the expansion of the European School Frankfurt (under human resources services).

7.2 Outlook for ECB supervisory fees in 2025

The 2025 planned budget ceiling for supervisory tasks stands at €703.8 million. Consistent with the progressive trend of improved budget utilisation, the ECB anticipates nearly full utilisation of this planned expenditure next year. This estimate reflects the continued investment in supervisory technology and includes an additional budget for the new mandate stemming from the Digital Operational Resilience Act, as well as costs for the biennial EU-wide stress tests planned in 2025. Furthermore, transition costs are anticipated in 2025 as the ECB consolidates from three buildings to two.^[63] These cost increases will be offset by the reduction in amortisation expenses for IMAS and STAR and will continue to be contained through the ECB’s ongoing commitment to cost stabilisation.

The annual supervisory fee for 2025, to be levied in 2026, will be calculated only at the end of the 2025 fee period and will comprise the actual expenditure for the entire year 2025, adjusted for amounts reimbursed to or collected from individual banks for previous fee periods, late payment interest and non-collectable fees.

The ratio of the total amount to be levied on each category for 2025 is estimated to be 95.8% for significant institutions and 4.2% for less significant institutions.

7.3 Fee framework for 2024

Together with the SSM Regulation, the Fees Regulation and associated Decision^[64] provide the legal framework within which the ECB levies an annual supervisory fee for the expenditure it incurs conducting its supervisory tasks.

7.3.1 Total amount to be levied for the fee period 2024

The annual supervisory fee to be levied for the fee period 2024 amounts to €680.6 million. This is almost completely composed of the actual annual cost for 2024, amounting to €680.6 million, with adjustments of €4,538 for (net) reimbursements to individual banks for previous fee periods and €78,283 for late payment interest received, amounting to an overall adjustment of €73,746.

The annual supervisory fee can also be adjusted for amounts written off that were not collectable. Such an adjustment was not necessary in 2024.

The amount to be recovered through annual supervisory fees is split into two parts based on the status of the supervised entity as either significant or less significant and therefore on the degree of ECB supervisory scrutiny. Expenditure is allocated either to the significant or less significant institution in accordance with a methodology that is continuously reassessed based on the actual supervisory tasks performed.

For 2024, the total amount levied for significant institutions is €651.4 million and for less significant institutions it is €29.2 million, representing 95.7% and 4.3% respectively of the total cost of supervisory tasks.

7.3.2 Individual supervisory fees

At entity or group level, the fees are calculated according to a bank’s importance and risk profile using annual fee factors for the supervised entities.

More information on supervisory fees is available on the ECB’s banking supervision website.

7.4 Other income related to ECB supervisory tasks

The ECB is entitled to impose administrative penalties on supervised entities for failure to comply with applicable EU banking law on prudential requirements (including ECB supervisory decisions). The related income is not taken into account in the calculation of the annual supervisory fees, nor are reimbursements of such penalties in the event that previous sanction decisions are amended or annulled. The related amounts are recorded in the ECB’s profit and loss account. In 2024, the income arising from penalties imposed on supervised entities amounted to €15.6 million.

8 Legal instruments adopted by the ECB

The legal instruments adopted by the ECB include regulations, decisions, guidelines, recommendations and instructions to national competent authorities. This section lists the legal instruments in the area of banking supervision that were adopted in 2024 by the ECB and published in the Official Journal of the European Union and on EUR-Lex. It covers legal instruments adopted pursuant to Article 4(3) of the SSM Regulation and other relevant legal instruments.

8.1 ECB regulations

No regulations in the area of banking supervision were adopted by the ECB in 2024.

8.2 ECB legal instruments other than regulations

ECB/2024/8
Decision (EU) 2024/871 of the European Central Bank of 8 March 2024 on the total amount of annual supervisory fees for 2023 (ECB/2024/8) (OJ L, 2024/871, 21.3.2024)

ECB/2024/10
Decision (EU) 2024/902 of the European Central Bank of 12 March 2024 amending Decision (EU) 2021/1486 adopting internal rules concerning restrictions of rights of data subjects in connection with the European Central Bank’s tasks relating to the prudential supervision of credit institutions (ECB/2021/42) (ECB/2024/10) (OJ L, 2024/902, 22.3.2024)

ECB/2024/18
Decision (EU) 2024/2023 of the European Central Bank of 3 July 2024 amending Decision ECB/2004/2 adopting the Rules of Procedure of the European Central Bank (ECB/2024/18) (OJ L, 2024/2023, 25.7.2024)