SREP Process

EBA Final Guidelines on ICT Risk Assessment Under Supervisory Review and Evaluation Process

 

On May 11, 2017, the EBA published a report (EBA/GL/2017/05) containing its final guidelines on information and communication technology (“ICT”) risk assessment under the supervisory review and evaluation process (“SREP”) required under the CRD IV Directive (2013/36/EU).

The guidelines are addressed to competent authorities and aim at promoting common procedures and methodologies for the assessment of ICT risk. They should be read in conjunction with the EBA SREP Guidelines, which continue to remain applicable as appropriate.

The guidelines are contained in section 3 of the report and are structured around three main parts:

  1. the general provisions for applying the guidelines (Title 1);
  2. the assessment of the institution’s ICT governance and strategy (Title II); and
  3. the assessment of ICT risk and the controls in place in the context of risks to capital (Title III), which reflects the same structure as the EBA SREP Guidelines on the assessment of operational risk.

Competent authorities should consider the principle of proportionality when applying the guidelines. The depth and detail of the ICT risk assessment should be proportionate to the size, structure and operational environment of the institution, together with the nature, scale and complexity of its activities.

The guidelines are to be translated into the official EU languages and published on the EBA website. They will take effect on January 1, 2018.

EBA Clarifies Use of 2016 EU-Wide Stress Test Results in SREP Process

On July 1, 2016, the EBA published additional information on how the results of the EU-wide stress test will inform the Supervisory Review and Evaluation Process (“SREP”).

The focus of the update is to explain how additional capital guidance can be used to cover potential shortfalls in own funds based on the outcomes of supervisory stress tests. Although capital guidance does not constitute any form of minimum capital requirement, institutions are expected to incorporate it in their risk management frameworks. Competent authorities should also monitor its fulfillment.

The 2016 EU-wide stress test does not contain a pass/fail threshold; instead, it is designed to be used as a crucial piece of information for SREP in 2016. The results will allow competent authorities to assess banks’ abilities to meet applicable minimum and additional own funds requirements under stressed scenarios based on a common methodology and assumptions. If the stress tests reveal capital shortfalls that could lead to breaches of applicable own funds requirements, competent authorities can employ the capital guidance to address their concerns.

The results of the EU-wide stress test, which was launched by the EBA in February 2016, are expected to be published in the early part of the third quarter of 2016.