ECB communicates its key assessment criteria and collection of sound practices for digital transformation
RegCORE Client Alert | Banking Union | EU Digital Single Market
QuickTake
The European Central Bank (ECB), acting at the head of the Banking Union’s Single Supervisory Mechanism (SSM), has had a dedicated focus on digital transformation amongst Banking Union supervised institutions (BUSIs). On 11 July 2024, as most of Europe was preparing for the summer holiday season, the ECB-SSM published a detailed blog article and a 24-page report “Digitalisation: key assessment criteria and collection of sound practices” (the 2024 Digitalisation Report). The ECB-SSM’s views, as summarised in this most recent publication, are built on market intelligence, discussions with BUSIs and key market players, its 2022 “survey on digitalisation”, which involved all significant institutions under ECB-SSM direct supervision, and ongoing supervisory engagement. As the 2024 Digitalisation Report notes: “a broad set of supervisory activities was completed in 2023. These included targeted reviews on the steering of digitalisation covering 21 banks, 10 on-site inspections on digitalisation (5 in 2022 and 5 in 2023), and the assessment of digitalisation data collected through the short-term exercise (STE) and for the Supervisory Review and Evaluation Process (SREP)”.
As digitalisation continues to transform the business of banking, the ECB-SSM is committed to ensuring the resilience and sustainability of emerging business models and to supervising the risks related to business model reinvention. Accordingly, this Client Alert assesses the key requirements in the 2024 Digitalisation Report, as supplemented by key messages from policymakers’ speeches, and what this means for BUSIs in meeting their legislative and regulatory compliance obligations – notably with the General Data Protection Regulation (GDPR), the revisions to the Payment Services Directive (PSD2) and the upcoming operationalisation of the EU’s Digital Operational Resilience Act (DORA), as well as the AI Act and the EU’s Markets in Crypto-Assets Regulation (MiCAR).
This Client Alert should be read in conjunction with further analysis, including from our EU RegCORE, on the aforementioned regulations as well as on the ECB-SSM’s approach to national options and discretions, the operation of Joint Supervisory Teams (JSTs), on-site inspections and thematic reviews (collectively OSIs), and the rules on fit and proper requirements and internal governance guidelines published by the ECB-SSM and by the European Supervisory Authorities (ESAs), in particular those of the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA), that address the same themes discussed in the 2024 Digitalisation Report.
Key takeaways from the 2024 Digitalisation Report
The ECB-SSM uses the 2024 Digitalisation Report to highlight the importance of digitalisation in the banking sector, driven by technological advancements and changing customer expectations. It underscores the need for BUSIs to adapt to remain competitive and relevant by providing an analysis of the current digitalisation trends within the EU’s banking sector.
Specifically, the 2024 Digitalisation Report discusses the adoption of new technologies such as artificial intelligence (AI), blockchain and cloud computing across front-office and back-office operations. The 2024 Digitalisation Report also examines the impact of digital transformation in the context of business model reinvention, as well as the disruption to traditional banking models caused by the emergence of FinTech companies. Some of this can be summarised in the ECB-SSM observing the following key trends:
- Increased use of digital channels: BUSIs are increasingly adopting digital channels for customer interactions, including mobile banking apps and online platforms – with this in mind firms will need to assess their compliance with various on-going EU and national level investor and consumer protection reforms along with the EU’s European Accessibility Act (see separate dedicated coverage on this development);
- Adoption of advanced technologies: BUSIs are leveraging blockchain and other distributed ledger technologies (DLT) beyond current crypto-asset use cases, along with AI, machine learning (ML) and cloud computing, to innovate and streamline operations; and
- Emergence of FinTech and BigTech: The rise of FinTech companies and the entry of BigTech firms into the financial services market are reshaping competitive dynamics – an issue that was also touched upon in a contribution to the Eurofi Magazine, dated 10 September 2024, by Elizabeth McCaul, Member of the ECB Supervisory Board. That contribution focused on the role of supervisors amid technological shifts as well as the challenges stemming from FinTech and BigTech partnerships, especially when these entities act as the primary consumer interface while BUSIs bear the legal responsibility. BUSIs must retain control over customer onboarding, operational resilience, liquidity and legal risks. They need to prepare for intermediary and vendor failures and oversee their partners’ soundness to avoid concentration or interdependency risks. Mrs. McCaul states this eloquently by explaining: “The financial landscape is shifting, and so should regulation and supervision. To evolve properly, collectively we need a holistic understanding of the new contours of the financial system. We need robust risk assessment capabilities to apply a proportionate and fair approach while enabling innovation. Calibrating supervisory actions properly should be based on the economic and societal impact of services, not the technology or licences used.” Accordingly, when BigTech conglomerates enter the financial sector through e-commerce and payment platforms and expand into retail credit, mortgage lending or crypto services, they may mimic banks’ economic functions without being subject to the same comprehensive oversight. Supervisors need robust and versatile tools to oversee these disintermediated, interdependent and possibly distributed-ledger-based business models.
Given the above, the 2024 Digitalisation Report allocates the risks associated with digitalisation into several areas:
- Cybersecurity risks: The increased reliance on digital platforms heightens the risk of cyberattacks and data breaches;
- Operational risks: The integration of new technologies can lead to operational disruptions if not managed properly;
- Third-party risks: The use of third-party service providers, including cloud services, introduces additional risks related to vendor management and data security; and
- Compliance risks: Ensuring compliance with regulatory requirements in a rapidly evolving digital landscape is a significant challenge.
While the above may not be new, the supervisory scrutiny and prescriptive detail contained in the 2024 Digitalisation Report is. So too is the commitment by the ECB-SSM to continuously reassess the effectiveness of the financial services legislative and regulatory framework amid evolving market conditions. This includes adapting regulation and oversight for BigTech conglomerates primarily active in non-financial services, which requires a thorough understanding of large non-bank groups’ financial activities across jurisdictions and sectors. For the traditional, i.e. BUSI, supervisory framework, a significant portion of the 2024 Digitalisation Report is dedicated to governance, risk management and cybersecurity. Accordingly, the ECB-SSM establishes the assessment criteria and sound practices summarised in the bullet points immediately below. These are grouped according to three themes: (A) business model impact; (B) governance; and (C) risk management.
A. Business model impact – which includes:
1. Understanding digital trends: The ECB-SSM emphasises the importance of BUSIs understanding the impact of digital trends on their business environment. This involves a comprehensive analysis of external factors such as competitive landscape, policy and regulation, innovative technologies and customer preferences. BUSIs are expected to perform a digital readiness assessment to gauge their internal capabilities, including financial resources, human capital and legacy systems.
2. Digital strategy formulation: BUSIs must decide whether to formulate a digital strategy and, if so, define clear strategic objectives. The ECB-SSM does not mandate a specific format for the digital strategy; it can be part of the business or IT strategy or a standalone document. The strategy should however identify key digital initiatives, underlying technologies and profitability targets.
3. Execution capabilities: Adequate financial and non-financial execution capabilities are essential for implementing the digital strategy. This includes a robust budgeting process aligned with the digital strategy and a proper project management framework detailing timelines, milestones, roles, responsibilities, and resources.
4. Key performance indicator (KPI) framework: A comprehensive KPI framework is necessary to monitor the implementation and execution of the digital strategy. The KPIs should be granular, measurable, actionable, and have clear ownership and responsibility. BUSIs must understand the reasons for missed KPI targets and incorporate lessons learned into strategy updates.
B. Governance – which includes:
5. Coordination and steering of digital initiatives: The ECB-SSM requires a clear allocation of responsibilities related to digital topics within the management body, between its role as the management function (MBMF) and its role as the supervisory function (MBSF). The ECB-SSM considers that this can be achieved through a central coordination body that aligns digitalisation projects across the organisation, ensures strategic alignment between business and IT strategies, manages staff and resources, and provides sound reporting to the management body.
6. Monitoring and reporting: The ECB-SSM expects adequate monitoring processes to be in place to track the progress of digital initiatives. This involves defining the business areas responsible for reporting on digitalisation initiatives and establishing a proper reporting process covering all subsidiaries and business lines.
7. MBSF: The MBSF must constructively challenge the management body in its executive function and provide effective oversight of the digitalisation strategy and related risks. This includes proactively discussing digitalisation-related topics and ensuring relevant risks are covered.
8. Internal control functions’ (ICF) involvement: ICF should have a strong role in the digitalisation strategy process, new product approval process (NPAP) and ongoing business operations while maintaining their independence. This ensures that risk dimensions in digitalisation-related decision-making are adequately considered.
9. Digitalisation risk culture: The ECB-SSM clearly expects that firms embed digitalisation in their risk culture, fostering regular communication and coordination among all staff involved in delivering the digital transformation strategy. A culture of effective communication and challenge should exist at all levels, ensuring accountability for risks.
10. Assessment of critical dependencies: Firms need to monitor critical dependencies, interdependencies, and third-party relationships on an ongoing basis. This includes having policies for identifying critical dependencies, ensuring internal audit access to third-party agreements, assessing interconnections between providers, and defining risk tolerance for third-party risks.
C. Risk Management – which includes:
11. Risk identification: The ECB-SSM expects firms to conduct a detailed impact review of all financial and non-financial risk dimensions during the digital strategy-setting process and the NPAP. This comprehensive process should cover risks arising from digitalisation, including credit, liquidity, market and operational risks, AML/fraud governance, reputational impact and capital impact.
12. Data governance framework: The ECB-SSM expects that firms have a data governance process to support data-driven digitalisation initiatives. This includes defining roles and responsibilities for data governance, ensuring data quality, and aligning digitalisation plans with the bank’s ability to maintain, capture and exploit data.
13. Risk modelling: The ECB-SSM requires that firms assess and update their risk map and relevant risk metrics to reflect changes in risk dimensions due to digitalisation. This involves reviewing existing risk models and adapting them as necessary to account for changes in customer behaviours or business processes.
14. Update of Risk Appetite Framework (RAF), Risk Management Framework (RMF), and Key Risk Indicators (KRIs): The ECB-SSM is clear in expecting that firms review and update their RAF, RMF, and KRIs to ensure they adequately cover digitalisation-related risks. This includes defining suitable KRIs to capture new or altered risks related to digitalisation and setting thresholds that trigger mitigating measures.
These criteria and practices (which in the 2024 Digitalisation Report are expressed as questions so as to act as qualitative assessment criteria) are signalled by the ECB-SSM as being subject to further fine-tuning “… based on upcoming supervisory activities, including future targeted reviews, on-site inspections and deep dives.” This may require some BUSIs to step up their efforts to be able to demonstrate that they are complying with the expectations and objectives set in the 2024 Digitalisation Report.
Key considerations for BUSIs
In light of the above, the ECB-SSM sets the following overarching expectations for BUSIs:
- Strategy: BUSIs should have a well-defined digital strategy aligned with their overall business objectives. Senior management and boards should be actively involved in overseeing digital initiatives;
- Governance and risk management: BUSIs are expected to have robust governance frameworks and risk management practices in place to oversee digitalisation initiatives. This includes board-level oversight and clear accountability structures;
- Cyber-resilience: BUSIs must enhance their cyber resilience by implementing comprehensive cybersecurity measures, conducting regular risk assessments, and ensuring rapid response capabilities to cyber incidents;
- Third-party risk management: Effective management of third-party risks is crucial. BUSIs should conduct thorough due diligence, establish clear contractual agreements, and continuously monitor third-party performance;
- Data management and protection: BUSIs are required to implement strong data management and protection practices, ensuring compliance with data privacy regulations such as the GDPR;
- Innovation and compliance balance: While innovation is encouraged, BUSIs must ensure that new technologies and business models comply with existing regulatory frameworks. This includes maintaining transparency and ensuring that digital products and services meet regulatory standards; and
- Innovation and collaboration: The ECB-SSM encourages BUSIs to foster innovation and collaborate with fintech companies and other stakeholders to drive digital transformation.
In addition to the overarching standard and expectation setting, the ECB-SSM equally uses the 2024 Digitalisation Report to communicate its evaluation of “sound practices” on a number of matters it has analysed. Firms assessed as “adequately steering digitalisation” are noted as having taken the following steps (and it should be assumed that the future supervisory cycle will benchmark compliance against these considerations, in addition to the above and the further aspects in the section below):
- understanding the impact of digital trends on the business environment in which institutions operate in the short, medium and long term, in order to be able to make informed commercial and strategic decisions;
- based on an informed perspective, deciding on the need to formulate a clear and well-articulated digital strategy and defining strategic objectives that are to be achieved by means of digitalisation and innovation;
- having in place adequate financial and non-financial execution capabilities for proper implementation of the digital strategy as defined;
- developing a comprehensive framework of financial and non-financial KPIs for monitoring the implementation and execution of the digital strategy and for reassessing it in the event that targets are missed;
- having a clear allocation of responsibilities related to digital topics in the management body, whether individual allocation to those with a management function/executives, and/or senior managers reporting to the executive management, or a dedicated centralised steering/coordination body, enabling adequate coordination of digital initiatives at group level;
- setting up adequate processes covering all subsidiaries and business lines by defining the business areas ultimately responsible for reporting on digitalisation initiatives and setting up top-down steering and monitoring processes and proper bottom-up reporting processes;
- having a management body with a supervisory function/non-executive role that constructively challenges the management body in its management function/executive level role and provides effective oversight of the digitalisation strategy and related risks;
- assigning internal control functions a strong role in the digitalisation process, new product approval process (NPAP) and ongoing business operations, while ensuring their independence;
- embedding digitalisation in the risk culture (e.g. tone from the top, incentives, risk accountability and a culture of challenge), both top-down and bottom-up, including the communication on strategy and risks, thereby creating awareness and fostering knowledge;
- ensuring insight and monitoring of critical dependencies, interdependencies and third-party relationships, and not only of outsourcing, on an ongoing basis;
- having in place a data governance process to support data-driven digitalisation activities;
- carrying out a detailed impact review on traditional and non-traditional dimensions of risk during the process of digital strategy-setting and the NPAP as well as during the execution of the digital strategy;
- assessing and updating all dimensions of the risk map, reviewing the suitability of existing risk models in view of digitalisation and adapting them as necessary; and
- reviewing the RAF, the RMF and the KRIs defined ex ante and adapting them if needed in view of digitalisation initiatives.
Complementing the 14 points above, the 2024 Digitalisation Report sets out further identified “sound practices” in 14 call-out boxes (which themselves run to multiple pages) that can be collectively summarised as follows – unsurprisingly a lot of these follow the standard set by the ECB-SSM in its expectations, as analysed above:
a. Periodically conduct a comprehensive business environmental analysis: Firms should periodically conduct a thorough SWOT analysis covering client behaviours, competition insights (including for FinTech and BigTech challengers), regulatory requirements, operating models, cybersecurity, technological developments, infrastructure, AI capabilities, and digital talent acquisition.
b. Set and maintain a clear and well-articulated Digital Strategy: Firms must embed a clear digital strategy within their business plan, focusing on strategic priorities such as customer experience and building a future-proof bank. This includes defining a targeted operating model, restructuring around customer segments, and adopting a resilient IT backbone.
c. Ensure effective execution capabilities: Cross-team collaboration and periodic reviews are essential to prioritise projects and reconcile strategic views. Institutions should implement sound project management practices, including frequent review processes and steering execution through development agendas and digital labs.
d. Establish and periodically update a comprehensive KPI framework: A solid firm-wide KPI framework is necessary to steer digital strategy implementation. This includes specific measurement methodologies, automated monitoring systems, performance assessment, decision-making processes, and communication of KPIs to executive management and stakeholders.
e. Set up and maintain dedicated units for the digitalisation strategy: Firms should have dedicated teams or departments responsible for coordinating and executing the digitalisation strategy. These units must ensure strategic alignment, manage interdependencies and oversee staff and resource management.
f. Implement robust operational plans for digital transformation: Digital transformation initiatives should be translated into detailed operational plans with timelines, milestones, objectives, roles, and responsibilities. Regular monitoring meetings should be held to discuss progress and address challenges.
g. ICF involvement: The risk dimension must be integral to the digitalisation strategy-setting process. This includes involving the internal control functions (ICFs) including Legal in all phases of design and roll-out, conducting holistic risk assessments, and ensuring compliance with regulatory requirements.
h. Promotion of “digital risk culture”: Firms should foster a digital risk culture through innovation labs, employee engagement programs, hackathons, and cross-cutting governance committees. This helps employees understand the capabilities and risks of innovative technologies.
i. Maintain high-quality sourcing strategy and controls: A high-quality sourcing (in addition to outsourcing) strategy for technology applications and projects is required. Institutions must perform risk assessments before entering new relationships with third-party providers and maintain oversight measures to ensure alignment with the firm’s risk profile.
j. Deepen data governance framework compliance: An updated understanding and commitment to maintaining a comprehensive and compliant data governance framework is essential to support data-driven decisions in digital initiatives. This includes a unified governance structure, data quality controls, automated checks and attention to risks from innovative technologies.
k. Regular risk mapping and modelling for new technologies: Firms should develop new risk maps incorporating metrics for AI, third-party reliance, and other digital risks. This includes creating new credit risk models for digital channels and monitoring specific risks related to IT and digital transformation.
l. Updating RAF, RMF, and KRIs: Regular updates to the RAF and RMF are necessary to include new digital-related metrics and review risk tolerance. KRIs should be developed in parallel with risk identification processes and aligned with the RAF/RMF updates.
The requirements discussed above highlight the need for firms to adopt comprehensive strategies, robust execution capabilities, effective risk management practices and continuous monitoring to successfully navigate the digital transformation landscape. While the expectations are prescriptive, the ECB-SSM does, throughout the 2024 Digitalisation Report, emphasise its commitment to supporting BUSIs in their digital transformation journeys by applying clear supervisory guidance and offering ongoing dialogue, including with JSTs.
Outlook
The 2024 Digitalisation Report provides comprehensive supervisory expectations aimed at enhancing the governance frameworks and risk cultures of BUSIs operating within the Banking Union, regardless of their size and complexity or the level of maturity of their digital transformation. While aimed at the Banking Union, the ECB-SSM’s expectations expressed in the 2024 Digitalisation Report will likely be of relevance to all firms supervised by NCAs and subject to the oversight and priorities set by the ESAs.
Supervised firms will want to take proactive steps to align their practices with these updated expectations, ensuring they can evidence the robustness of their existing or revised governance arrangements, effective internal control functions, a comprehensive RAF, a strong risk culture and ongoing compliance with supervisory requirements generally as well as those targeting digitalisation and business model reinvention related risks. For some firms this may warrant an inside-out as well as an outside-in 360-degree assessment of their compliance with the respective legislative requirements as well as the supervisory expectations of the ECB-SSM, ESAs and NCAs.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities, as well as in proactively engaging with their market stakeholders and regulators.
In order to assist firms in staying ahead of their compliance obligations we have developed a number of RegTech and SupTech tools for supervised firms. This includes PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 1,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.
The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award”.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.