“Modern banking supervision”
Speech by Pentti Hakkarainen, Member of the Supervisory Board of the ECB, at the ILF 6th Conference on the Banking Union, Frankfurt am Main, 21 May 2019
The topic of this morning’s session is the overlapping responsibilities within the banking union. This is a natural focus of attention, especially for the legal profession, whose members are understandably sensitive to the need for clear roles and responsibilities.
Before embarking on this discussion, we should remind ourselves of how much progress has been made in the last decade in improving the institutional architecture of European banking supervision. I don’t think anyone is suggesting that we go back to where we were in the late 1990s.
The banking union has enhanced authorities’ ability to make decisions that can be immediately implemented across borders. Authorities are now better placed to reduce the risks arising from the banking sector and mitigate any damage caused by failing banks.
While overlaps may appear to exist between mandates in some areas, the system we have now is far better than the previous one, in which supervision was fragmented along national borders and resolution powers were almost non-existent.
National supervision – clear allocation of responsibilities but inadequate coverage
Let us think back to where we were ten years ago. The fires of the international financial crisis continued to blaze. The national authorities tried their best to cope with the problems that arose, but ultimately the nature of these issues extended beyond their reach.
It became clear that the existing structures, institutions and allocation of responsibilities were not adequate for the supervisory tasks at hand. The banking sector had long since begun to operate on an international basis.
The allocation of responsibilities at the time did have an element of clarity. The system ran along national lines, and each national authority took responsibility for supervising the banks that had their home within its own jurisdiction.
But this national model for banking supervision didn’t work well in practice. Since banks conducted their business across borders, the risks they created were transmitted quickly from one country to the next. As banks started to run into difficulties, significant gaps were revealed in the purely national banking supervisory set-up.
While national supervisors did their best to cooperate across borders, their national mandates limited the scope of possible action. The sharing of information between institutions was partial and slow. The decision-making structures made it difficult to address cross-border risks.
The situation for bank resolution ten years ago was even worse. Very few countries had specific tools in place for resolving troubled banks, and where such powers did exist, they were inadequate.
In addition, there was no clarity on how the existing imperfect tools might be coordinated internationally. This sub-optimal situation led to national rescue operations, and these were ultimately a major cause of the huge fiscal costs that resulted from the financial crisis.
Has improved coverage resulted in problematic overlaps?
We have come a long way since the crisis.
Under the banking union, the Single Supervisory Mechanism (SSM) was established as the euro area’s banking supervisor. This new structure has hard-wired seamless cross-border coordination into our system. Information-sharing is immediate, and risk analysis benefits from euro area-wide benchmarking of bank performance.
Decisions are taken by the ECB’s Supervisory Board, which is made up of members from each euro area country along with up to six ECB board members. This mix helps to insulate decisions from domestic political pressures, and thereby brings a necessary objectivity to supervisory work.
At first glance, there may appear to be some overlaps between the mandates of the various institutions involved in the new system of supervision. For example, both the ECB and the national competent authorities (NCAs) have a role to play in the supervision of smaller banks, or less significant institutions (LSIs), as they are known. In addition, the task of solving the problems associated with troubled banks is shared between the Single Supervisory Mechanism (SSM) and the Single Resolution Board (SRB).
However, if we take a closer look at how these responsibilities are divided, there is actually less ambiguity than might first appear to be the case.
The direct supervision of LSIs is conducted in practice by NCAs. The centre provides the joint supervisory standards that set out how the supervision of these banks should be carried out across the system.
This allocation of tasks works well, and it is clear that the ultimate competence for banking supervision lies with the ECB. The European Court of Justice confirmed this in its judgement on the L-Bank case. If an NCA is not fully able to perform its task of supervising a particular bank, the ECB retains the right to take over. This serves as a kind of insurance policy to make sure that NCAs’ supervision remains objective and in line with ECB guidance.
The creation of the Single Resolution Mechanism (SRM), for its part, represents a big leap forward in terms of resolving failing banks. It has embedded the necessary tools across Europe, and established a European institution to handle the mechanics of cross-border resolution.
The SRM has been a real game-changer as it has enabled authorities to manage bank resolution in a more coherent way. Having a European resolution system in place helps to insulate taxpayers from the types of cost they incurred when they had to bail out banks during the financial crisis. This strong framework reassures all parties that problem cases will be solved, up to and including the wind-down and closure of failing banks.
I won’t go into any more detail on this point, as the Chair of the SRB, Elke König, is speaking next, and she will no doubt cover this territory herself. Suffice to say, the day-to-day reality of the new resolution framework is effective. Cooperation and information-sharing between the SRM and the SSM are very good. Overall, the SRM’s casework shows that the new system works well.
The European Banking Authority (EBA) also plays a complementary and crucial role in the system. By providing detailed regulatory standards within the single rulebook, the EBA supports the achievement of a level playing field.
So, I would encourage people not to worry unduly about perceived overlaps between the mandates of the authorities involved in the new system. The different authorities involved in bank supervision and resolution each make complementary contributions to the various tasks at hand.
Economies of scale – benchmarking, best practices, specialism
Of course, the benefits of the banking union are not limited to the efficient allocation of responsibilities. The broad coverage of the banking union offers certain benefits in terms of efficiency and effectiveness.
ECB Banking Supervision supervises 117 significant institutions directly, covering over 80% of the €21 trillion of banking assets held across the euro area. On top of this, the banking union encompasses more than 3,000 LSIs, the day-to-day supervision of which is – as I mentioned before – delegated to NCAs.
This scale allows ECB supervisors to benchmark bank performance against a long list of comparable banks. This improves our ability to diagnose risks, as we can identify outlying or idiosyncratic bank behaviour quickly and easily.
Bringing together the best supervisory expertise from across the euro area has brought benefits too, of course. Both the Supervisory Review and Evaluation Process methodology, which is used to determine banks’ Pillar II requirements, and the on-site inspection methodology reflect the collective wisdom of the euro area’s most experienced specialists in these matters.
The scale of our responsibilities also justifies major investment in all of the specialist skills we need to deliver state-of-the-art supervision. This investment in human capital goes above and beyond what could be afforded under a purely national supervisory structure.
As a result, ECB Banking Supervision benefits from the insights of the best experts across the key supervisory and supporting functions. For instance, the ECB has built up crucial expertise in supervisory law.
Our experts are also focusing on how to make use of new technology and counter related risks, such as those arising from cyber and IT-related sources.
To provide some insight into how the system works in practice, I will now expand on this topic of technological risk and explain how the authorities work together within the banking union to tackle it.
Technological disruption brings benefits but creates new risks
We hear more and more about how the use of modern technology is shaking up the banking sector. Of course, innovation and technological change are hardly new phenomena in the banking sector. Banks have long been early adopters of new technologies, being among the first firms in the 1960s to install mainframe computers, for example.
However, it is true that the pace of change has intensified over the past decade. Customer behaviour and preferences have changed in response to the opportunities for improved convenience offered by digitisation.
Incumbent banks now face new competition from firms that are well placed to meet customers’ evolving needs – mobile-only “neobanks”, payment firms and tech companies. In response, banks themselves are digitising and re-orienting their services to move them online in the most convenient way possible.
Joachim Wuermeling from the Executive Board of the Deutsche Bundesbank will expand on the topic of digital banking during this afternoon’s session. Both he and his institution are well versed in such issues, so we can expect a very interesting presentation.
There are reasons to be optimistic about the overall impact of technological change. It will lead to increased competition, more efficient service provision and thus to improvements in conditions for bank customers. Richer data and more sophisticated analytical tools should enable banks to better meet customer needs, and should eventually improve the way capital is allocated across the economy. Technological progress, and in particular improved data analysis, will also help the authorities to get better over time at detecting flaws and distortions in the finance industry.
All this said, we must acknowledge that technological change is altering the nature of the risks created by banks. While the risks themselves may not be entirely new, these changes are fast leading to a re-ordering of the priorities of supervisory work.
To take one fundamental example, cyber risks in the banking sector have the potential to affect trust. This, in turn, could have a systemic impact on the entire industry.
Management of new risks is imperative
When it comes to mitigating cyber risks and other IT risks, there are some things we know for sure. We know that the functioning of the industry will always hinge on maintaining customers’ trust, making it imperative to securely protect customer data. Likewise, banks’ IT systems must be sufficiently resilient to prevent them from being forced offline for long periods during which customers lose access to their services.
But there are some things we know we don’t know. For example, we can’t predict exactly what new approaches cyber criminals or fraudsters will deploy in attacking the banking sector. We know they’re devising new strategies, but we can’t be sure of being able to second-guess them in advance of an attack.
Finally, there are unknown unknowns. Though these are by their very nature impossible to identify, they potentially pose the biggest threat. We are unlikely to be perfectly prepared for unknown unknowns, for things that will really test the resilience of the system. This is why we supervisors insist that banks be equipped with properly tested procedures for crisis management, cyber response and cyber recovery.
A collaborative approach towards IT risks
Keeping cyber threats under control in the banking sector is in all our interests – so both the private and public sector need to play their part.
Ultimately, banks themselves are responsible for taking appropriate measures for their own protection. In parallel, the authorities monitor how banks manage their risk, challenge them in areas of potential weakness and, where necessary, require them to carry out improvements.
To perform their role effectively, authorities must recognise that cyber threats do not respect borders and that taking a supranational approach is the only way to address modern risks.
By sharing experiences across the international supervisory community, authorities can reduce the set of unknown unknowns. Moreover, pooling our knowledge helps us to develop the most effective mitigation strategies for the threats we do know about.
ECB Banking Supervision follows this supranational approach and is indeed taking a variety of measures to address IT and cyber risks.
First, since 2015, we have been conducting thematic reviews on the topic in the banks that we directly supervise. These thematic reviews have been complemented by around 20 on-site inspections per year focusing on the IT risk of specific institutions. This work has given us a more detailed understanding of the scope of the problem.
Second, the most recent horizontal analysis of IT risk, conducted in 2018, revealed deficiencies in IT security risk management. In some cases, banks’ general risk management frameworks fail to specifically include IT risk. A significant number of banks have critical processes that depend on systems which are close to, or have already reached, the end of their life. This, in turn, makes them more vulnerable to cyber threats. We also see a failure to rapidly address critical findings in the area of IT security. All of the deficiencies that have been identified are being followed up on, and supervisors will ensure that the industry acts swiftly to address all of the findings.
Further, IT outsourcing is increasing. As the group of possible IT infrastructure providers now consists of a handful of global behemoths, there is a worrying tendency for banks to outsource their IT to a single provider. This creates a concentration risk as banks may become critically dependent on the health and stability of their IT provider. Such concentration risks may not be entirely avoidable in some cases. Nonetheless, banks need to employ enough sufficiently skilled staff to monitor and oversee their outsourced activities. In addition, if a bank is critically dependent on a single IT provider, its interaction with that provider should be governed by stringent requirements, particularly for cyber resilience.
Third, in 2017 the ECB set up a cyber incident reporting process. This has been a key area for international cooperation, including cooperation with criminal investigators.
The ECB uses the information on incidents reported by banks to identify and monitor trends, and to facilitate the ECB’s swift response in the event of a major cyber incident affecting one or more significant institutions.
The number of reported cyber incidents has been rather low, the most frequent type being Distributed Denial of Service attacks (DDoS). Other reported incidents were related to unauthorised access, accidental data leakage and phishing attacks. In many cases, there was a delay between the onset of the attack and its detection. Finally, we see that attackers gained access to banks’ systems by exploiting both technological vulnerabilities, such as missing IT security measures, and human ones, such as insufficient staff awareness.
Although the number of reported cyber incidents has been rather low, we can’t say that cyber threat levels are low, or even decreasing.
By design, the reporting framework only picks up on the major attacks.
Our internationally collaborative approach strengthens our ability to mitigate risks. This is why we are actively engaged in further harmonising regulation in this area, both at European level with the European Banking Authority, and at global level with the Financial Stability Board and the Basel Committee on Banking Supervision. We also participate actively in the G7’s work on cybersecurity, including in crisis exercises to simulate how cyber-attacks might play out in practice. The next such exercise is scheduled to shortly take place and I am confident that it will teach us valuable lessons.
ECB Banking Supervision will continue to monitor IT and cyber risks facing banks; we will continue to push banks to ensure that they are resilient to and prepared for cyber threats. And we will of course continue to engage and cooperate with a number of other institutions and agencies.
These risks are here to stay, so the collaborative effort to address them will continue over the coming years.
Let me conclude by returning to the theme of “overlap”, the focus of this morning’s session.
The key takeaway is that we should be less concerned about overlap and instead focus on ensuring that there is sufficient coverage.
Before the financial crisis, there were major gaps across the system in the coverage of prudential supervision and of resolution. Most of these gaps have now been addressed and the potential overlap between the institutions involved is not of great concern. In practice, the risks arising from any overlaps in mandates have been overcome through good cooperation and collaboration between the authorities involved.
So, looking forward, we need to invest our energy in ensuring that we have sufficient coverage rather than worrying excessively about overlaps.
In these times of rapid technological progress, the swift changes in how banking operates have numerous implications, both positive and negative. Some of these changes we can see and understand, while others remain unknown.
Thanks to its broad coverage and internationally collaborative approach, the SSM provides the best possible framework for the supervision of the modern banking system, enabling us to swiftly shrink the set of unknown unknowns and so help protect us from new or emerging risks.
- Judgment of the Court (First Chamber) of 8 May 2019.
- “Tech’s raid on the banks”, The Economist, 2 May 2019.
- See, for example, “Digitale Transformation – Herausforderungen für die Finanzbranche”.
- A cyber incident – i.e. an identified possible breach of information security (both malicious and accidental) – must be reported to the ECB if at least one of the following conditions is met: (1) there is a potential financial impact of €5 million or 0.1% of CET1; (2) the incident is publicly reported or causes reputational damage; (3) the incident was escalated to the CIO outside of the regular reporting; (4) the bank notified the incident to the CERT/CSIRT, a security agency or the police; (5) disaster recovery or business continuity procedures have been triggered or a cyber insurance claim has been filed; (6) there has been a breach of legal or regulatory requirements; or (7) the bank uses internal criteria and expert judgement (including a potential systemic impact) and decides to inform the ECB.