ECB Banking Supervisory Priorities 2025-2027

By: Yusi Wang, Senior Risk management Consultant

ECB Banking Supervision has recently published its strategic planning and supervisory priorities for the period 2025-2027, which addresses the vulnerabilities identified for its supervised entities.  The ECB identifies the key areas of focus and sets out its work programmes for the main supervisory activities to be carried out during 2025-2027, while at the same time the ECB will continue with the ongoing engagements with the banks for the regular activities and follow-ups on the previous priorities.

ECB Agenda 2025-2027

ECB Priorities 2025-2027

What are the key focus areas from the ECB’s point of view?

Credit risk

The ECB conducted extensive assessments during the 2024 SREP cycle, the outcome of which has highlighted persistent shortcomings in the bank’s IFRS 9 framework, loan origination, collateral valuations, counterparty credit risk and etc. The reviews focused on the portfolios that were more sensitive to the current macroeconomic circumstances, including the commercial and residential real estate, SME portfolio.

Going forward, the ECB will continue to focus on banks’ progress in remediating the gaps and carry out targeted reviews of the identified areas, the main activities to be carried out by the ECB  will include the follow-up of the targeted review of IFRS 9, focusing, among other things, on the use of overlays and coverage of novel risks; IFRS 9 collective staging and provisioning for corporates/SMEs, retail and commercial real estate portfolios, including collateral valuations, as well as targeted review of SME portfolio focusing on early identification and handling of potential borrower distress, SME models and governance of exposure to SMEs.

Operational resilience

The outcomes of SREP 2024 show shortcomings in several areas in the cyber resilience and outsourcing management. The 2024 cyber resilience stress test highlighted needed improvements in  business continuity frameworks, incident response planning, back-up security and management of third-party providers.

Going forward, the ECB will continue with its assessments in the operational resilience, in particular the compliance with DORA requirements (application as of January 2025). The ECB will carry out data collection on third-party ICT providers to identify links between supervised entities and third-party providers, targeted reviews of risk management frameworks for outsourcing risks and of cyber resilience frameworks and risk controls, implementation of DORA and etc. Bank should address the findings identified in the cyber resilience stress test.

Climate-related and environmental (C&E) risks

C&E risks have been a supervisory priority since 2022. Supervisory assessments indicate that more banks have made progress over the years in complying with applicable regulations and guidelines. The ECB expects its supervised banks to meet all relevant supervisory expectations on C&E by the final deadline at the end of 2024.

The ECB will continue its supervisory activities in various C&E aspects through further supervisory assessments, on-site inspections, ad hoc workshops in line with the ongoing regulatory developments (e.g., the final EBA guidelines of management of ESG risks). The focus will be on Pillar 3 disclosure, transition planning and nature-related risks.

Risk data aggregation and reporting (RDARR)

The 2024 SREP shows the persistent weaknesses in the RDARR, with many supervised entities failing to fully comply with supervisory expectations and BCBS239.

The ECB will therefore intensify efforts and increase pressure on banks failing to meet the gap remediation deadline. The ECB will continue their targeted review of RDARR capabilities and perform targeted OSIs, engaging closely with banks when shortcomings are identified.

Digital transformation

In recent years, the ECB has focused on evaluating risks associated with the digitalisation of the banking sector and implementing appropriate measures to mitigate these risks, including those arising from the adoption of new and advanced technologies like cloud services and AI.

In July 2024, the ECB published a report on key assessment criteria and good practices that identifies the key areas for bank’s digitalisation. The ECB will continue its supervisory assessments through targeted reviews and OSIs on digital transformation, looking at both IT-related and business model-related aspects of banks’ strategies.

What particular attention is the ECB paying to?

The ECB emphasizes incorporating geopolitical risk management into supervisory priorities due to escalating global tensions. Banks must strengthen risk management and controls, while supervisors assess their resilience, strategies, and risk frameworks through activities like benchmarking risk appetite and culture. Geopolitical risks will also feature prominently in the 2025 EU-wide stress test, which will analyze banks’ capacity to model counterparty credit risk under stress.

How should banks prepare for their agenda?

The ECB agenda provides valuable insights for its supervised entities on the key areas of focus in the coming years. Banks should continue building on previous supervisory assessments, with a focus on addressing gaps and meeting deadlines set by the ECB. They should also prioritize ensuring compliance with all  ECB’s supervisory expectations and guidelines, particularly in areas like C&E risk and RDARR. With the CRR3 and CRD6 becoming effective in January 2025, the immediate focus should be on implementing the new requirements. Additionally, banks should not overlook ongoing regulatory developments, such as the EBA Roadmap on EU Banking Package, to better understand the key impact areas for their organizations.