Financial Services

ECB-SSM set enhanced supervisory focus on digital transformation strategies and the use of FinTech

Written by

Dr. Michael Huertas

RegCORE Client Alert | Banking Union


On 15 February 2023, the European Central Bank’s (ECB) acting in its role as the head of the Banking Union’s Single Supervisory Mechanism (SSM) published a document setting out its “Take-aways from the horizontal assessment of the survey on digital transformation and the use of FinTech” Available here.Show Footnote (the Key Takeaways). Data flowing into the Key Takeaways, using very preliminary estimates of banks’ digital spending at the end of 2021, found that on average, banks only invested 2.8% of their operating income on digital transformation projects and allocated only a total of 5.2% of their workforce to such projects. 

The ECB-SSM, like other non-Banking Union regulatory policymakers and supervisory authorities along with the national competent authorities (NCAs) that are part of the SSM, have for the better part of the past decade placed an emphasis on supervised financial services firms having adequate measures to not only embrace digital transformation and use of FinTech but to also have the right safeguards in place to limit potential tech-specific risks that may arise from internal (firm specific) and external risk channels (including threat actors/vulnerabilities such as hacking etc.)    

On 17 April 2023, further announcements, were highlighted by Elizabeth McCaul, Member of the Supervisory Board of the ECB, at a speech given at the Joint ECB/EUI “Seminar on Diverse and effective boards in a changing and competitive landscape.” Mrs. McCaul’s speech is available here.Show Footnote In that speech, Elizabeth McCaul, set out additional supervisory expectations of the ECB-SSM on risk data aggregation, IT and cyber-risk identification, mitigation and management that Banking Union supervised institutions are expected to employ to triage, track and tackle internal as well as external risks that arise as part of their digital operational models and/or use of FinTech.

These most recent announcements build upon existing rules as well as supervisory expectations set both by EU-wide as well as Banking Union specific legislative and regulatory rulemaking instruments and should be read in conjunction therewith, as well as further detailed analysis of those developments as well as reforms in the policymakers’ pipeline of further proposals (including but not limited to the EU’s Digital Operational Resilience Act (DORA)). Accordingly, financial services firms, whether subject to Banking Union supervision or not, will want to ensure that they are meeting both sides of the expectations i.e. to continue to drive digitisation but in an appropriate safeguarded manner.

Assessment of the ECB-SSM’s Key Takeaways

The ECB-SSM’s Key Takeways follow on from an inaugural joint ECB-SSM and NCA run survey collecting data on digital transformation and FinTech efforts of Banking Union supervised institutions (BUSIs) and specifically SSM banks, based on their self-assessment returns. Those responses were combined with market intelligence initiatives that equally seek to build knowledge of Banking Union policymakers and supervisory stakeholders as a whole in this evolving field of expertise.

While this stocktake exercise may mark a first, the preliminary insights that were reached reflect a raft of announcements that the ECB-SSM (or indeed individual NCAs) have consistently communicated to the market. The main difference is that the Key Takeaways mark more forceful messaging for BUSIs to bolster efforts to deliver on real change in digital transformation in a more meaningful manner over the next supervisory cycle than may have been the case to date.

Accordingly, the Key Takeaways, conclude that:

  • Digital transformation is relevant for all SSM supervised banks, and most of them have a digital transformation strategy in place;
  • The ECB-SSM frames the concept of “digital transformation” as “a bundle of business model, processes and cultural transformation, enabled by technologies.” This is perhaps a bit more simplistic than previous supervisory statements of the ECB-SSM on this topic let alone those of individual NCA’s; and
  • There is a high degree of heterogeneity (i.e. fragmentation) in SSM banks’ submission and, unsurprisingly, further supervisory dialogue is needed to validate those responses.

The Key Takeaways also set a clear communication that the ECB-SSM is developing a framework for supervisors when assessing digital transformation strategies. This framework is based around the following “six focus points”:

  1. Digital strategy and KPI steering;
  2. Digital business;
  3. Investments and resources;
  4. Governance and cooperation;
  5. Use of innovative technologies (i.e., FinTech solutions); and
  6. Key risks/challenges and risk management.

While the ECB-SSM states that it remains “business model and technology neutral” when supervising BUSIs, it is acutely sensitive to the importance of enhancing understanding of the impact of digital transformation on SSM banks’ business model sustainability and risk management. This general approach is communicated as translating into existing and new efforts in supervisory engagement between the SSM (at the ECB as well as at the NCA level) with supervised firms and in particular reviewing how digital transformation may drive existing risk parameters or create entirely new tech-specific risks adversely affecting SSM banks’ approaches to identifying, mitigating and managing:

  • strategic risk (e.g. sustainability of the digital transformation strategy, consistency with the business model, capabilities building and adequacy);
  • governance and risk management framework;
  • IT and operational risks; and/or 
  • potential new/emerging risks.

Elizabeth McCaul’s more recent statements, addresses some known areas of continued weakness (many of which have been subject to scrutiny over the past decade but still remain lacking) at supervised firms by stating that:

“We are aware that fragmented IT landscapes continue to affect banks’ risk data aggregation capabilities, impairing their ability to produce accurate and comprehensive risk reports.

One area to highlight is the lack of IT expertise in banks’ boards. As part of our most recent stocktake, 14% of supervised banks reported that their board members had no knowledge at all about IT risk. While we recognise the fierce competition for IT talent across the industry, this is concerning in the context of the need to effectively manage banks’ digital transformation strategies. The rate of change in the IT landscape is ever-increasing. When we planned today’s meeting, we had no idea that ChatGPT, Open AI’s chatbot, would have 100 million active users in January, just two months after its launch. How are boards evaluating the impact of this tool on the ways of working, or on the provision of inputs into strategy? How will boards be thinking about how to assess the risks of using such tools? We have also seen the effects of the digital world of social media in the collapse of SVB, where USD 42 billion in deposits left the bank in just five hours. This proves once again the need to evaluate the impact of the digital world on the liquidity base. There are clearly different skills needed at the board table to assess these types of risks, and we may need different supervisory measurements for such risks to liquidity and capital.

In more traditional terms, boards need to understand the IT strategy, its alignment with the business strategy and the related risks to be able to challenge management in that regard. This includes short-term risks, such as cyber risks, but also longer-term strategic risks which can ensue from a lack of investment in IT infrastructures or overreliance on service providers without a tested exit plan in place.

Sufficient IT expertise is important for the board to fulfil its role. We welcome the Digital Operational Resilience Act [DORA], which will come into force in 2025 and enshrine training requirements for the boards in EU law.”

While these statements do not specifically mention the six focus points and how that might flow into other supervisory engagement and dialogue, including as a part of the ECB-SSM administered, supervisory review and evaluation procedure (SREP), it does show a clear indication that SSM banks need to bolster their delivery on all technological fronts.

Assessing 1st focus point – Digital strategy and KPI Steering

The ECB-SSM notes that “The majority of banks only started to develop their digital transformation strategy in recent years, targeting revenues and costs objectives.” No mention is expressed on the degree of how the COVID-19 pandemic may have acted as a catalyst for expanding existing or commencing new projects. What the ECB-SSM does report on is that for most SSM banks, their digital transformation projects broadly aim to attract and retain market share and achieve efficiency gains.

The ECB-SSM accordingly concludes that 43% of banks’ top five projects are aimed at revenue/customer experience enhancement and 84% of banks see project automation as a key lever to reduce costs (mainly through IT legacy transformation). Moreover, banks develop KPIs to monitor their customers’ preferences. Despite well intentioned efforts, the ECB-SSM is of the view that “… given the multi-faceted nature of digital transformation, banks still find it difficult to isolate and quantify the cost and revenue impacts of their digital transformation strategies and processes.”

Assessing 2nd focus point – Digital business 

The ECB-SSM concludes that “Most digital strategies are customer-centric, but keeping track of digital customers and sales remains heterogenous”.  This assessment of the level of fragmentation is not really accentuated beyond the ECB-SSM’s assessment of digital distribution of lending activity and processes.  While the level of fragmentation in the lending space is of course an important area in need of reform (with legislative and regulatory rulemaking driving that), the degree of divergence is problematic in other areas of regulated activity, including even in online brokerage.

The ECB-SSM states that while there is a widespread willingness to improve customer experience by conducting business digitally: banks identify almost half of their customer base as digital.  Unsurprisingly for more digitally native younger customers, the mobile channel is more popular than internet banking, especially for bigger banks: 36% of bank customers use mobile banking while 21% use internet banking. However, the ECB-SSM also sees problems at the banks themselves in that the monitoring the actual use and contribution of digital channels is heterogeneous. Put simply, (a) half of the sampled banks do not monitor the number of customers digitally onboarded; (b) only one in four banks can quantify the volume of digital sales; and (c)  half of the sampled banks monitor the number of digitally concluded loans (e.g. pre-decided loans, consumer credit), which stands at around 45% of their total loan portfolio. Consequently, there is a mismatch between digital distribution and digital tracking. If one cannot track and monitor the results then this detracts from the benefits of a strong digitally enabled front-end. 

Interestingly, the ECB-SSM does not distinguish the technological maturity of respondents and how this might differ between more incumbent and long-established banks that continue to be challenged by unintegrated (often legacy) IT-systems and the more digitally native neobanks or indeed those in the mid-size market that have embraced a mobile/internet/digital go to market strategy that has allowed them to rapidly scale across the EU-27… and been awarded prizes for that effort over many years. 

Assessing 3rd focus point – Investments and resources

The ECB-SSM found that based on data and estimates available at the end of 2021, that there was room for improvement. The ECB-SSM concluded that 61% of banks reported having digital transformation budgets embedded in the wider IT budget. For those banks, their digital transformation budgets accounted for 22% of the IT budget. Moreover, the heterogeneity in the answers provided may result in a diverging image for individual banks, particularly as digitalisation is on average found to be more advanced in retail-oriented business.

While on focus point 3, the Key Takeaways data points are relatively limited and perhaps in 2023 outdated if based on assessments concluded at the end of 2021 and during the still difficult operating conditions of COVID-19 and prolonged pandemic preparedness, it is likely that as part of supervisory dialogue the ECB-SSM but also NCAs may push and challenge supervised banks to allocate more appropriate investment and other resources to forward-plan for what in 2023 is already a comparably more competitive environment to delivering change projects in particular on digital transformation delivery.

Assessing 4th focus point – Governance and cooperation

Governance remains an overarching SSM supervisory priority going forward as has indeed been the case for the past decade. The ECB-SSM concluded that “Banks recognise the importance of the “tone from the top” to steer digital strategies and the need to increase IT/digital skills.” More specifically, the ECB-SSM welcomed that “Most banks have in place a coordination body (normally at non-executive level) to steer the design and implementation of the digital strategy. Top management is often involved in the definition and design of the digital strategy. However, its reporting is heterogeneous across banks.”

Crucially, the ECB-SSM points to the fact that “Banks identify a “war for talents” in the market to attract and retain digital and IT experts as a key challenge at all levels within their organisation.” And that “To implement their digital transformation strategy, banks prefer to cooperate with external partners, mostly by buying in services (software as a service – SaaS) and using consultants. The majority of banks (61%) make use of at least one form of cooperation.”

These findings should however be contrasted with the statements of Elizabeth McCaul and other similar supervisory statements that there remains room for improvement in how to reflect appropriate IT skills and understanding and thus ownership of digital transformation projects at the level of the executive and governance functions of SSM banks and as part of overall strategic steering.

Assessing 5th focus point – Use of innovative technologies (i.e., FinTech solutions)

The ECB-SSM’s assessment on the fifth point states the obvious, namely that “technologies enable banks’ digital transformation.” In particular it notes that: APIs (application programming interfaces) and cloud computing are widely used across banks and the cloud is considered a foundation for digital transformation. Accordingly new EU rules that are coming into force will require banks to implement new safeguards.

In contrast, despite new rules coming into force AI (artificial intelligence) has, comparably on average, a lower business relevance, but 60% of banks were, at the end of 2021, already using AI, with more use cases in development.  The advent of ChatGPT and other AI models, as noted by Elizabeth McCaul’s remarks are a catalyst for growth in use cases both by supervised firms as well as the supervisors themselves.  Equally, DLT (distributed-ledger technology) based solutions, were at the end of 2021, barely used across banks (less than 20%) with limited business relevance so far. In terms of crypto-related activities and exposures, this is still insignificant but as noted in other studies since then an area that is growing and it remains to be seen whether the regulatory responses, both in the forms of the EU’s Markets in Cryptosassets Regulation (MiCA), which received its vote of approval from the European Parliament on 20 April 2023 (see standalone coverage from our EU RegCORE) as well as emerging prudential regulatory standards on cryptoassets.

Assessing 6th focus point – Key risks/challenges and risk management

In its final focus point, the ECB-SSM reiterated that BUSIs must identify key risks and challenges triggered by digital transformation. This includes risks associated with digital transformation beyond those that are mainly perceived as cyber risk, increased third-party dependency, AML/fraud and potential loss of customers. Financial services firms must redouble their efforts in identifying, mitigating and managing those key challenges to digital transformation and will need to source resources (human plus technology powered) with the relevant experience and cybersecurity safeguards.

In addition, the ECB-SSM is cognisant of the risks posed, in particular for incumbent financial services with a disproportionate level of complexity of legacy IT systems coupled with a lack of internal skills that if left unchecked lead to a (over-reliant) dependency on third parties, which in turn cause challenges. As a general observation, the ECB-SSM concludes that cost management is a further challenge as digital transformation is often run under tight investment constraints and this may lead to drifts away from delivery goals or shortcuts that hardwire tech-specific or other risks when investment runs short.


While the current Key Takeaways present the most recent (welcome) means of refreshing and reinforcing a recurring messaging on supervisory expectations, it is regrettable that the ECB-SSM or individual NCAs have not published data or views on expectations (or linking back to those, perhaps more limited rules, where they exist) applicable to supervised firms when tackling digital transformation strategies that either have derailed, failed to deliver or fail after implementation. This in its own right poses exceptional risk to the firm, counterparties, clients, consumers and markets as a whole in which they operate. 

The Key Takeaways themselves are therefore an elegant means of collating various supervisory statements and expectations all of which build off aims and provisions enumerated in specific sections of EU as well as Banking Union-specific legislative and regulatory rulemaking instruments, in another form of supervisory dialogue with SSM supervised banks as a whole. Importantly, it remains to be seen how this will translate into individual impacts for respective banks, in particular given the various degrees of stress they may have each experienced during the COVID-19 pandemic See our Client Alert: Redefining the three lines of defence (3LoD) model during a time of prolonged pandemic preparedness and location independent workingShow Footnote as well as more recent market turmoil during March 2023. 

In conclusion, it certainly remains to be seen how frequently how the ECB-SSM will update its Key Takeaways in this area (especially as MiCA and DORA become operational reality) and how the six focus points will translate into supervisory engagement going forward as part of existing supervisory tools employed across the Banking Union and/or across the wider EU-27. Irrespective of that path of development, supervised firms (including those beyond BUSIs) will want to ensure that their digital transformation projects and use of FinTech solutions are well documented, robust and resilient in light of market stress and supervisory scrutiny and ultimately add to the value creation and process optimisation they are designed to deliver.

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from these developments.

We wish all of our readers a happy International Women’s Day 2023 and are very proud that in addition to being unique in our multijurisdictional qualifications and legal expertise we are one of the few teams of financial services lawyers in Germany that includes 75% female and more than 35% multicultural colleagues.

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via or our website.