From a wish list to a to-do list: how supervisors can help banks prepare for crises

Opening statement by Danièle Nouy, Chair of the Supervisory Board of the ECB, Board Meeting of the European Banking Federation, Brussels, 23 November 2018

Almost five years ago I embarked on an adventure with an uncertain ending. Becoming the first Chair of the ECB’s Supervisory Board was a bit like leading a small start-up in a powerful incubator. And there were many naysayers at the time. Some thought our plans too ambitious; others didn’t believe that common European banking supervision would make the system safer, or more resilient.

But thankfully, there were those who continued to believe in this ambitious project. Five years on, as my term nears its end, I am happy to say we have achieved a great deal. Banks are generally safer and sounder. They now hold more and better-quality capital than in the past. Banks are also in a better position to face liquidity shortfalls, and their balance sheets have fewer non-performing loans, or NPLs. Since the end of 2014, NPLs have fallen by around €300 billion. The latest stress test also confirmed that European banks have become more resilient.

But resilience goes beyond balance sheets. That’s why we also introduced higher standards for governance. Good governance is crucial for sound decision-making. It is also a powerful tool to set incentives for ethical behaviour. And although banks are not yet where they should be on this, they have made good progress.

But the job of a supervisor is not to celebrate achievements. It is to consolidate them. So today I want to focus on those items that are still on our to-do list. And I think we have more to do before we can say that banks are fully prepared for the next crisis.

So how do we make sure banks can weather the next storm? My answer to this question comes in three parts. First, we need to understand the environment in which banks are operating. And I say “we” because this is a need for both bankers and supervisors. Next comes the suggested treatment. Which items on the list should banks focus on? And how can supervisors help to address them? Lastly, the prognosis. I will offer some thoughts on structural issues, and on what legislators and supervisors can do to contribute to the long-term health of the banking sector.

The diagnosis: what are the risks and where do they come from?

Let me start with the macroeconomic and business environment. We’re 22 quarters into the recovery. So, it is pertinent to ask how long this can go on. And there are indeed a few things that might trigger a turn of events.

We see several pockets of risk. Markets for leveraged loans show signs of exuberance; risks in commercial real estate markets are on the rise, as are risks in consumer finance and certain mortgage markets. At the same time, volatility in financial markets remains very compressed.

These developments could be early symptoms of future instability. And some of their underlying causes are quite clear. First of all, the profitability of euro area banks is still subdued – despite some improvement over the course of 2017. So we have low profitability in an overbanked market where liquidity is still abundant. That is a dangerous mix.

And that’s just the current environment. The banking business is also changing fast, and this too poses risks. I am thinking here of digitalisation, which challenges banks’ business models and increases cyber risks.

And then there are risks outside our direct purview. European banks do not operate in isolation. Macroeconomic risks as well as political and structural risks from around the world affect them as well. We thus keep an eye on risks in emerging markets, on sovereign risks – which are re-emerging – and on rising protectionism and ring-fencing.

The suggested treatment: how to build on past results to ensure a safer future for banks

I have now presented a long list of emerging risks. It is important to be aware of these risks, but it can be overwhelming too. But, it is the role of supervisors to point out to banks those risks that we deem most relevant, to prioritise the things that need to be done, and to suggest specific courses of action. So, let me do just that.

As I see it, for the banks, it all starts with good governance and strong steering capabilities of the board members and senior management. This is the basis for good health, if you like. As I often said, good governance is crucial for making sound decisions. And, among other things, good governance includes boards that have appropriate expertise and experience to properly challenge the management, which also implies that they are sufficiently independent – both formally and in their thinking.

In addition, sound decision-making requires sound information. In this respect, the aggregation of risk data is an important point. Banks must ensure that those who take decisions have the right data at hand.

Further, banks must define the types and amount of risk they are willing to take on. This requires solid risk appetite frameworks. And to be really effective, these frameworks need to be comprehensive, well governed, consistently used and fully integrated into strategic decision-making.

As I said, this is the basis. Now let’s look at the actual problems. The first issue is one that banks have faced for some time: weak profitability. There is still a need for further consolidation in some markets, and for greater efficiency. This could be achieved, for example, through digitalisation and some cost-cutting, although this should not mean that control measures are neglected. Furthermore, steering capabilities should be improved, taking into account the thematic review on profitability recently conducted by the Single Supervisory Mechanism (SSM). It is not the job of supervisors to tell banks how to price risk. But we do expect these decisions to be based on sound information, such as breakdowns for various expenses, cost allocations and detailed revenue information.

Finishing the work on NPLs is at the top of our to-do list. Yes, we have made progress on this front, and not all European banks have a specific NPL problem. But the job is not yet done. NPLs totalling around €650 billion gross are still sitting on banks’ balance sheets as of June 2018. While this is a significant reduction from the end of 2014, it is still very high, especially when we consider that a significant portion of these NPLs is very old. And even those NPLs which are partially covered by collateral are problematic. After all, in many cases there are significant issues when trying to exercise the collateral through the judicial systems. Going into the next downturn with such a high stock of NPLs is simply not an option. And NPLs are not just concentrated in one or two European countries; they are spread across a number of countries and a high number of banks. NPLs remain a European issue, no matter where the banks holding them are located.

So, coordinated and timely action to address NPLs is called for. The European Commission’s Pillar 1 proposal is progressing well; this proposal and the SSM’s Pillar 2 approach complement each other.

On our side, the SSM is implementing the addendum to our guidance on NPLs, to the new NPLs as well as, with a case by case phasing-in, to the legacy ones. As for banks, on top of bringing down their NPLs, they have to improve their credit risk management—starting with credit underwriting criteria—and their control practices. New NPLs may be on the horizon too. The ongoing search for yield may fuel a build-up of future NPLs. Credit standards are easing, more loans are being granted to riskier sectors, and more leveraged loans are being issued. These are warning signs that supervisors and banks should not ignore.

To address the wider risk of weakening underwriting standards, pricing and credit terms, banks will need to rely on good governance and effective risk management. Moreover, as mentioned in our published supervisory priorities for 2019, we will take a closer look at the quality of the underwriting criteria of banks, and will organise targeted deep dives and on-site inspections, tailored to the pockets of credit risk which we see as problematic.

Being aware of the risks is just the first step, though. Before risks can be addressed, they need to be quantified. Most banks have developed basic tools for doing this, but they still need to be strengthened. We see room for improvement in data and associated risk measurement instruments such as internal stress testing and reverse stress testing.

Internal capital and liquidity adequacy assessments (ICAAP and ILAAP) should also become more relevant, and they will only be of real value if they are based on sensible internal approaches. If they are shaped entirely by and for regulators, they risk becoming a waste of time. ICAAP should not become RCAAP! Internal models also need to be enhanced to improve risk measurement and pricing. We have a range of supervisory tools to help us evaluate the capacity of banks to measure risks. These include stress tests, our targeted review of internal models and our reviews of internal capital and liquidity adequacy assessments. We will also be looking for IFRS 9 risk measurement capabilities that are able to promote more proactive provisioning.

To be fair, the industry has got better at evaluating risk – thanks to the hard work of regulators, supervisors and banks. But to be truly safe and sound, banks will need to improve further, for instance with regard to non-traditional risks. What do I mean by these? Well, I mean all those risks that are not captured by normal market, credit or operational risk dashboards.

Money laundering is a prime example. Poor achievements in protection from the risk of money laundering can destroy a bank’s reputation overnight – as we have seen. This calls for serious investments in prevention of money laundering. Banks must equip all their business lines, in all their domestic and foreign establishments, with strong compliance functions. And as I have said before, I believe we need a European anti-money laundering regulation, not a directive, and a European authority responsible for dealing with this issue.

Another non-traditional risk is cyber risk. Banks need to enhance their resilience to cyberattacks, which are becoming more frequent and potentially more systemic. Over the past few years, we have seen many cyber incidents reported to banks by third-parties on which they have relied for IT services. This should be a strong warning that outsourcing and reliance on third parties should be closely monitored. Regulators and supervisors should clarify the rules and expectations. And work is well under way on this front. The European Banking Authority, for instance, has provided guidance on the expectations for cloud computing, and our supervisors are now implementing it.

But digitalisation does not just create new risks; it also transforms existing ones. Think of customer behaviour, for instance. Digital solutions make it easier for customers to switch from one bank to another. To be ready for this, banks should take such trends into account in their models. For example, reaction functions for outflows of deposits should not be based entirely on historical behaviour. In the face of a structural shift, past experience can be a misleading guide.

Banks also need to make sure that their “three lines of defence” model is adapted to the digital world. And this might require some adjustment. As a first line of defence, banks must define additional controls to ensure that IT systems are constantly available and secure. Second, they need to define an IT risk strategy. And third, they need to incorporate digitalisation into their audit plans.

Proper controls should exist for all risks that might emerge from digitalisation. Reputational and compliance risks are one such example. If banks choose to use artificial intelligence and big data to segment their clientele, they should do so in a manner that ensures compliance with the law.

Finally, non-traditional risks also include political risks. And there are quite a few of these. This is perhaps a good moment to remind you that banks should prepare well for Brexit. We see that the majority of banks have understood that we will not accept empty shell companies and full back-to-back booking models in the euro area. We expect adequate risk management capabilities to be established and dual-hatting to be used only in exceptional circumstances. Of course, we are aware that there are operational difficulties in transferring infrastructures and staff in a short period of time, so we remain open to the need for a period of adjustment.

The prognosis: structural issues and how legislators and supervisors can tackle them

I have now talked at length about what I think banks should do to improve their own health and resilience. But I am aware that some of the structural issues are in the hands of legislators and supervisors. So, what are my remaining concerns?

First, as I have said many times, we must complete the banking union. Failure to do so risks creating spillover effects by exacerbating issues of ring-fencing. I am thinking here of ring-fencing of capital and liquidity, internal TLAC requirements and national G-SIB buffers, to name just a few. These have contributed to slowing down cross-border consolidation. This means banks have not been able to develop euro area-wide platforms to compete effectively with global players. Completing the banking union will also mean weakening the persistent nexus between banks and sovereigns as well as improving European bank resolution capabilities.

A completed banking union should be accompanied by more coordinated European action in other areas. Macroprudential buffers, for instance, need to be set to account for risks to the entire euro area banking sector. They should not be set at the national level, as this makes little sense in a banking union.

On the regulatory side, we should complete the harmonisation of national options and discretions, as these still contribute to the fragmentation of the banking market. Large exposure limits are a good example. At the same time, any remaining Brexit loopholes should be closed, such as those on branches and investment firms.

In addition, banks are highly interconnected with non-banks. This means we need to keep an eye not only on banks, but on the rest of the financial sector too. Let’s start with central counterparty (CCP) clearing. Oversight of CCPs in the euro area remains highly fragmented and, given the growing concentration of derivatives clearing in these entities, this should be cause for concern.

Likewise, Europe cannot continue to be so heavily dependent on banks alone for credit intermediation. We should continue to work on the capital markets union, including on the development of deeper securitisation markets.

And as fintechs start to engage in banking activities, they should be regulated accordingly. Creating a level playing field among European banks is important. But if the playing field banks and non-banks compete on is uneven, we may witness worrying spillovers of risk.

Last but not least, we must sustain the momentum for stronger regulation and supervision. As memories of the crisis start to fade, there is a greater temptation to water down regulation and soften supervision. It is the job of legislators and supervisors to make sure this doesn’t happen. Basel III has been finalised and it needs to be faithfully implemented – in Europe as elsewhere, and including the fundamental review of the trading book. Capital quality should continue to be important. Definitions of capital should not be weakened. Nothing other than CET1 instruments should be used to fulfil Pillar 2 requirements.

Let me remind you all that financial stability is good for banks too. And the crisis has taught us that strong regulation, and rigorous supervision, are necessary to ensure it. Things may look quite calm today. But financial stress can increase quickly, and trust can vanish in a matter of hours and days. We have seen it happen before.

And it is important that we supervisors continue to see risk holistically. After all, market, capital and operational risks may interact in non-linear ways when stress increases. Slicing and dicing Pillar 2 requirements by basis points per risk would prove ineffective during a crisis.

Conclusion

I will keep my concluding remarks short. I hope I have not overwhelmed you with my concerns. But laying them out is not a bad thing: after all, identifying a problem is the first step towards solving it. All that is needed is a bit of action. So I hope you see my remarks as a call to action. I do believe a more dynamic, more profitable and more resilient banking sector can emerge in Europe.

Media contacts