FAQs on Russia-Ukraine war and ECB Banking Supervision
Q1. What is the role of ECB Banking Supervision in the financial sanctions adopted by the European Union since Russia invaded Ukraine?
The ECB does not impose these sanctions, nor does it monitor banks’ compliance with them. Banks are responsible for implementing and monitoring compliance with the different sanctions regimes. Meanwhile, individual Member States are responsible for identifying breaches of sanctions applicable in the European Union and imposing penalties if necessary. The list of national authorities responsible for this can be accessed here.
However, sanctions can have implications for banking supervision. For example, if a bank is fined for breaching the sanctions regime, it could reduce the bank’s capital, potentially affecting its capacity to weather losses. Similarly, a bank that doesn’t respect sanctions risks damaging its reputation, which eventually could also hurt its business. And if a bank has deficiencies in its internal governance (such as insufficient oversight by the board of directors or weak internal controls that hinder a timely reaction to developments), this could well affect the bank’s capacity to comply with the sanctions. That is why, as banking supervisor, the ECB monitors the impact sanctions can have on banks.
Q2. Are there any particular aspects that you look at?
We look at banks’ governance and internal control systems, as they play a critical role in steering a bank’s compliance with the sanctions.
In practice, this means checking that a bank is well equipped to comply with the sanctions in the first place. This includes having strong oversight from the board and senior management on the impact of the sanctions regimes for the whole group. It is also crucial that the bank has strong internal control functions in place, for instance a proactive compliance department to monitor developments under the different sanctions regimes and assess their impact on the bank, as well as risk management arrangements for the approval of transactions and engagement with clients. Overall, banks need to ensure that their processes can mitigate legal and reputational risks.
Q3. What should a bank do if unsure about what is prohibited under the sanctions?
Banks and other financial institutions in Europe are called upon to implement and comply with the financial sanctions adopted in response to Russia’s invasion of Ukraine. The ECB does not have a mandate to assess and enforce banks’ compliance with the different sanctions regimes. The European Commission provides clarifications and answers queries on the scope and implementation of these measures in the European Union. Its FAQ can be accessed here. The European Banking Authority is helping the Commission to collect and filter such queries. Queries can be sent to firstname.lastname@example.org.
Q4. What happens if banks do not comply with financial sanctions?
Banks are themselves responsible for implementing and monitoring compliance with the different sanctions regimes. Only the relevant national competent authority can determine whether a sanctions regime has been breached. The list of national authorities in charge of implementing sanctions can be accessed here.
A competent authority may use its own powers to act in the event of a breach, for example by imposing a fine. Furthermore, the violation of sanctions could also trigger criminal investigations and possible legal action, along with significant reputational issues for banks.
If the national competent authority in charge finds that a bank has breached the sanctions regime, the ECB, as supervisor, can respond to the situation within its own remit. This may imply assessing the impact of the breach on the bank’s resilience or taking the breach into account when assessing the bank’s governance framework during the annual Supervisory Review and Evaluation Process. It could also play a role when assessing the bank’s authorisations, or in “fit and proper” procedures to assess the suitability of managers. The ECB will always consider any supervisory measures from a prudential perspective rather than from a sanctions perspective.
Banks’ exposures to Russia and Ukraine
Q5. How large are the exposures of European banks in Russia and Ukraine?
Total direct banking sector exposures to Russia and Ukraine are limited. Credit exposures to Russian counterparties at the end of 2021 were around €70 billion and mostly concentrated among a handful of significant banks. Both securities exposures, at €5 billion, and derivatives exposures are also limited.
Banks are currently reducing their exposures. Overall, the capital positions of euro area banks operating in Russia are solid. So, even in “walk away” scenarios, where a bank decides to quit the Russian market entirely, potential losses should be manageable.
At the same time, it is difficult to quantify the potential second-round effects on the banking sector. These effects may result from increased uncertainty, volatility in financial markets or a repricing of some assets. A repricing of commodities, in particular, would also affect the macroeconomic outlook. And precisely because second-round effects are difficult to track, supervisors remain vigilant and are in constant dialogue with banks about them.
Q6. Was Sberbank declared as “failing or likely to fail” because of the sanctions?
The ECB’s decision to declare Sberbank Europe AG (Austria) and its two subsidiaries in Croatia and Slovenia as failing or likely to fail was neither a political decision nor a sanction. It was not a response either to the war itself or to the sanctions.
The decision was based solely on prudential concerns about liquidity. Following the Russian invasion of Ukraine and the first round of sanctions, Sberbank Europe AG and its subsidiaries in Croatia and Slovenia experienced substantial liquidity outflows. And as the banks were not going to have enough liquidity to cover requests for payment, the ECB assessed them as failing or likely to fail.
Q.7 What impact is Russian retaliation against European banks operating in the country expected to have on the European banking system?
Sanctions and retaliatory measures are prompting banks to reduce their direct exposures to Russia through cross-border credit and derivative positions. Under extreme conditions, such measures may also lead banks to consider selling or abandoning their Russian operations. ECB Banking Supervision is in close contact with the banks most affected. We will ensure the potential risks and operational issues involved in such decisions are properly considered.
Q8. Is the ECB in contact with other supervisory authorities, both inside and outside the euro area, about Russia?
The ECB is in constant contact with supervisory national competent authorities to monitor the impact on supervised banks. Most banks located in the euro area that are Russian-owned or have direct links to Russia are in fact directly supervised by the national competent authorities. In these cases, the ECB fulfils its oversight role by monitoring their situation and working closely with the national authorities.
The ECB is also in close contact with supervisors outside the euro area, such as the Bank of England and the Federal Reserve System. We cooperate bilaterally, through various international fora, and also through joint activities carried out by supervisory colleges. This is to ensure we are as prepared as possible to respond to any new developments.
Q9. What is the ECB doing to ensure banks are equipped to handle possible cyberattacks?
Cyberattacks have long been a risk on the radar of banks and supervisors. This pre-dates the war. Together with their service providers, banks have been working hard to protect their IT systems and ensure business continuity even in the face of such attacks. That said, the war in Ukraine makes the threat of cyberattacks even more concrete.
So far, there has been no material disruption of banking services due to cyberattacks. But the threat exists, and banks need to remain vigilant and make sure they are well prepared. And it is just as important for banks to ensure that they can quickly recover from a cyberattack as it is for them to protect themselves against such attacks in the first place.