Open access peer-reviewed chapter

Basel IV: The Challenge of II Pillar for Risk Management Function

Written By

Pasqualina Porretta and Fabrizio Santoboni

Submitted: 19 February 2021 Reviewed: 01 March 2021 Published: 02 July 2021

DOI: 10.5772/intechopen.96929

From the Edited Volume

Risk Management

Edited by Muddassar Sarfraz and Larisa Ivascu

Chapter metrics overview

290 Chapter Downloads

View Full Metrics


The book is based on Supervisory Review and Evaluation Process (SREP) is conducted annually by the Supervisory Authorities to verify that each bank (Significant/Less Significant) has implemented strategies, processes, capital, and liquidity assessment process appropriate to the business model and overall planning activity and risk governance system. Analysis of the aims, the features, and the different phases of SREP and the proportionality principles on which the Single Rulebook is based. Some reflections about proportionality principle of Single Rule Book and new skills required to Risk Management function. The research emphasised the need for a holistic approach also in Risk Management and the bank’s business activity.


  • SREP
  • PILLAR 2
  • Business Model Analysis
  • Risk Management

1. Introduction

The Single Supervisory Mechanism 1 (SSM), the Single Resolution Mechanism 2 (SRM) and the European Deposit Insurance Scheme 3 (EDIS) are the three pillars of the European Banking Union, which together form a single set of rules that must be applied to all EU Member States. The European Banking Union is the response to the international financial crisis (first subprime crisis, then liquidity crisis of financial markets and sovereigns) aimed at establishing a single market for banking services and safeguarding financial stability, helping to overcome tensions (mainly fuelled by the intertwining of banking and sovereign risks), restore confidence in the European banking sector, strengthen integration and support economic growth. This objective has yet to be achieved and has been pursued with a massive amount of regulations, guidelines and technical principles (Single Rulebook), which have undoubtedly burdened the cost structure of financial intermediaries in their quest for stability. The three pillars of the Banking Union are closely interrelated and interdependent. However, a single supervisory system could not have been imagined without building a system capable of intervening in crises when they occur. Similarly, where a crisis cannot be resolved without bank failure and liquidation, a common deposit protection system is needed for all EU Member States. The keystone of the Banking Union, the pillar of change in terms of profound changes in policy and law, is the latter. The pursuit of financial stability has become even more urgent during the COVID pandemic because of the global health emergency’s impact on the economic and financial system.

As defined in the Guide to Banking Supervision, the European Central Bank (ECB) has identified three objectives to be achieved by the Single Supervisory Mechanism (SSM):

  • The safety and soundness of the European banking system.

  • Integration and stability of the financial sector.

  • The increased consistency of banking supervision across the Euro area.

The Single Supervisory Mechanism (SSM) has no legal personality and its purpose is the prudential supervision of banking activities. It consists of the ECB, which also plays the lead role, and the national competent authorities (NCAs) of the participating countries. Although the ECB has the ultimate responsibility for decision-making, it carries out its supervisory tasks under the MVU in close cooperation with the NCAs. Working with the NCAs, the ECB performs direct supervision of institutions defined as Significant (SIs). On the other hand, the supervision of Less Significant institutions (LSIs) is carried out directly by the NCAs in a unified supervisory approach guided by the general guidelines and instructions given by the ECB. In addition, all supervisory tasks that are not conferred within the MVU, such as consumer protection or anti-money laundering, remain with the NCAs. The criteria for determining whether banks can be considered significant – and therefore subject to direct ECB supervision – are defined in the MVU Regulation.

To qualify as significant, banks must meet at least one of these criteria4:

  • The total value of assets exceeds €30 billion or, unless the total value of assets is less than €5 billion, exceeds 20% of national GDP.

  • Be one of the three most significant credit institutions in a Member State.

  • Receive direct assistance from the European Stability Mechanism.

  • The total value of assets exceeds €5 billion and the ratio of cross-border assets in more than one other participating Member State to total assets exceeds 20%, or the ratio of cross-border liabilities in more than one other participating Member State to total liabilities exceeds 20%.

The ECB may decide at any time to classify a bank as significant to ensure that high supervisory standards are applied consistently, and conducts periodic reviews of all licenced banks within the SSM. The classification of banks may be changed due to the normal operations of credit institutions or as a result of extraordinary events such as mergers or acquisitions. In such cases, the ECB and the national supervisory authorities involved coordinate the transfer of supervisory responsibilities. The purpose of balancing the regulatory requirements for institutions of different sizes is to promote the stability of the financial system and to ensure a level playing field within the financial system and an appropriate comparison of risk, capital and liquidity profiles between intermediaries of different sizes and operational complexity.

For significant institutions, the ECB carries out its supervision through a specific methodology, the periodic assessment of their economic and financial situations, the verification of compliance with prudential rules, the adoption of any necessary supervisory measures, and the performance of stress tests. All of this is done by the Joint Supervisory Teams (JST) composed of staff from the ECB and the NCAs of the significant institutions’ countries of establishment. The JST is responsible for drafting and organising the supervisory review programme, as well as for performing day-to-day supervision at consolidated, sub-consolidated and individual levels (assessments of the institutions’ risk profiles, business models and strategies, risk management and control systems and internal governance). JST members may also participate in on-site inspections and investigations of internal models.

In our country, the supervision of less significant banks and banking groups is instead exercised directly by the Bank of Italy with a view to unitary supervision under the guidelines and general instructions given by the ECB. Among the less significant banks are the so-called “High Priority” banks for which the exchange of information between the BoI and the ECB is more intense. (These are the first banks “below the threshold” of €30bn in assets.) However, the BoI retains full and autonomous competence in the areas of consumer protection, combating money laundering and terrorist financing, supervision of payment services and markets for financial instruments, and supervision of non-banks and branches of non-EU banks.

As regards SIMs and OICR managers, the Consolidated Law on Finance (TUF) assigns to the Bank of Italy supervisory tasks for risk containment, stability and sound and prudent management, and to Consob those for the transparency and propriety of the conduct of these intermediaries in offering investment products.

The First Pillar of the MUV (SSM) is based on the so-called Basel framework, or rather on the following regulatory sources:

  • CRR (Capital Requirements Regulation), which is directly applicable in all participating countries.

  • CRD IV (Capital Requirements Directive) as transposed into national law.5

Starting from 2021, the two regulatory packages will be gradually replaced by the new CRR II and CRD V, whose regulatory changes define the final structure of the new “Basel IV”. This expression, replacing the previous “Basel III”, indicates the important process of change that has taken place over the last three years to the current regulatory framework. The changes, which affect several areas of prudential supervision of the banking sector (credit risk, market risk, operational risk, liquidity, leverage ratio, etc.) will become fully effective in 2027. The regulatory texts that make up Basel IV are as follows:

  1. CRR II and CRD V.6

  2. Basel III: Finalising post-crisis reforms.

  3. EU Regulation 2017/2401–2402 (Securitisation). 7

The prudential supervisory framework for risk and capital (Basel IV) has always been ideally divided into three pillars:

  1. Pillar 1 regulates the calculation of the capital requirement,8 i.e. the mandatory capital provisions that each intermediary must have for the following regulated risks: credit risk, market risk and operational risk.

  2. Pillar 2 is a set of rules governing the Supervisory Review Process, i.e. an integrated process of supervision and management of risk-capital-liquidity. In technical terms, it is the combined ICAAP/ILAAP, SREP and RAF process.

  3. Pillar 3 is devoted to the transparency obligations incumbent on all banking intermediaries.

In general terms, the MUV is based on the European single rulebook, which therefore consists – in addition to the Regulation and the Directives (Directive 2013/36/EU-CRD IV, EU Regulation no. 575/2013 - CRR, Directive 2014/49/EU - Deposit Guarantee Schemes Directive, Directive 2014/59/EU -Bank Recovery and Resolution Directive) – also of the binding technical standards and guidelines of the EBA. The chapter want to analyse the aim, the features and the different phases of Supervisory Review Process.


2. Is proportionality enough?

The entire structure of the Single Supervisory Mechanism is based on a principle of proportionality aimed at achieving a uniform application of the rules while respecting the diversity of banks’ business models, identities, size and operational complexity. However, the operational implementation of this principle does not always seem to have been able to fully achieve these objectives, which is why the application of this principle continues to be a priority on the agenda of European authorities.

However, the approach of European supervision has historically been oriented towards the definition of a set of rules equal for all, in order to ensure homogeneity of treatment for different banks: the principle of “one size fits all”. However, this approach, while further tightened in the immediate post-crisis years, has been revisited from a proportional perspective (at least in theory) with the introduction of the current CRR and CRD IV and the future entry into the scene of the new CRR II and CRD V.

The application of the principle of proportionality within the Single European Supervisory Mechanism is therefore substantiated by the application of the same rules to all banking intermediaries, but with a “depth” and an articulation proportionate to the significance and/or operational complexity. The significance of an intermediary is relevant to the identification of the competent Supervision Authority, even though, in this regard, an intense collaboration between the European Central Bank and the NCAs is foreseen to guarantee the harmonised application of the Community rules. Specifically, the SSM provides that, with regard to the supervision of the Significant Institutions, the ECB presides over working groups technically defined as “Joint Supervisory Teams” (which are composed of both representatives of the ECB and representatives of the NCAs), while for the supervision of the Less Significant Institutions it is the NCAs that calibrate the regulatory requests on the banks they are responsible for. The method used by the ECB, in its capacity as a harmoniser of EU supervisory practices, to ensure the proper application of the proportionality principle by national authorities is based on the classification (reviewed annually in cooperation with the NCAs) of LSIs into9 priority classes that, based on their impact on the financial system and their inherent riskiness, consist of ( Table 1 ).

Priority classes Intermediary
Very High Any LSIs identified as O-SIIs
High High priority LSI
Medium Medium priority LSI
Low Low priority LSI

Table 1.

Classification of LSIs into priority classes.

Source: Bank of Italy.

Based on this classification, the NCAs establish the intensity of Pillar II assessments, supervisory expectations and information requirements at the data collection stage, calibrated according to the classes.10 Supervisory activities for less significant institutions consist of regular assessments conducted jointly by the ECB and the NCAs of the Member States, with the aim of making the best use of the information available to the national authorities. Moreover, for high priority LSIs, the ECB examines the supervisory procedures and relevant draft decisions established by the NCAs themselves11.

The subject of the proportionality of the rules of supervision and surveillance in the European banking system is of strategic importance, also due to the fact that the LSIs represent a pillar of the European real and financial economy, even though 80% of these institutions are concentrated in nine countries (primarily Austria, Germany and Italy, but also Croatia, Denmark, Luxembourg, Poland, Slovakia and Slovenia).12 It is interesting, in this context, to observe how the principle of proportionality is implemented overseas.

In fact, US banking regulations basically implement the Basel standards for large banks, while the provisions of the reform known as the “Wall Street Reform” or also the “Dodd-Frank Act”13 establish a series of rules tailored to the size of small and medium-sized banks, which make up about 95% of US credit institutions. From the outset, the main objective of the definition of new common rules was to guarantee greater stability to the US financial apparatus and above all to avoid the spread of systemic risk. Although this objective was perfectly consistent with that of European legislators, the approach used on the other side of the Atlantic was more oriented towards defining more stringent rules for large banks (identified as those with total assets of over $50 billion), and therefore by definition carrying systemic risk, while a set of new, less onerous rules proportionate to their operations was envisaged for community banks. In addition, in 2018, the Dodd-Frank Act was revised and amended with a view to further calibrating it towards a more pervasive application of the proportionality principle. For example, while initially the more stringent rules on stress testing, MREL requirements and the weakening of the role of advanced internal models were only applicable to institutions with assets in excess of $50 billion, from 2019 they would be limited to institutions with assets in excess of $250 billion. In the case of smaller banks, the legislature instead focused its attention on the need to hold high capital requirements, which – especially initially – resulted in the closure of smaller, underperforming banks [1].

With regard to Community banks, however, the principle of proportionality does not take the form of applying the same regulatory requirements with a different degree of depth, but rather provides for total exemption from certain supervisory standards (this is the case for banks with assets of less than $10 billion, which are not subject to the macroprudential stress tests that are mandatory for all larger institutions, including those with assets of between $10 and $50 billion). The application in the United States of the regulatory standards envisaged by Basel III applies, with due differentiation, to two categories of credit intermediaries: internationally active banks, identified as banking institutions with at least $250 billion in assets or an amount of foreign exposure of at least $10 billion; and global systemically important banks (G-SIBs), whose identification is based on a comparison of key indicators of systemic risk.

Table 2 summarises the regulatory capital and liquidity requirements for different types of banks operating in the US system.

Applicable Regulations Current Tailoring of Rules
G-SIB Int’l Active ($250b+) Regional ($50-250b) Mid-size ($10-50b) Small (<$10b)
Comprehensive Capital Analysis & Review (CCAR)
Global market shock for trading Yes (6/8) No No No No
Counterparty default scenario Yes (8/8) No No No No
Qualitative Fed-run process review Yes Yes No No No
Quantitative Fed-run stress tests Yes Yes Yes No No
Fed ability to object to capital plans through CCAR Yes Yes Yes No No
DODD-Frank Act Stress Tests (DFast)
Quantitative Fed-run stress tests Yes Yes Yes No No
Company-run stress tests Yes Yes Yes Yes No
Annual stress test Yes Yes Yes Yes No
Mid-year stress test Yes Yes Yes No No
Capital Standards
G-SIB capital buffers Yes No No No No
Countercyclical capital buffer Yes Yes No No No
Including AOCI changes in capital Yes Yes No No No
Risk-based (i.e., Base III) Yes Yes Yes Yes Yes
Leverage ratio
Enhanced Supplementary leverage ratio (eSLR) Yes No No No No
Supplementary leverage ratio (SLR) of 3% Yes Yes No No No
U.S. leverage ratio Yes Yes Yes Yes Yes
TLAC and long-term debt requirement Yes No No No No
Liquidity Requirements
Liquidity coverage ratio (LCR) Yes Yes No No No
Modified LCR No No Yes No No
Net stable funding ratio (NSFR), proposed rule Yes Yes No No No
Modified NSFR, proposed rule No No Yes No No

Table 2.

Breakdown of the main regulatory obligations in the US system.

Source: U.S. Treasury (A Financial System That Creates Economic Opportunities - Banks and Credit Unions. Pag.41.

A comparison of the regulatory indicators in the US and European systems reveals some differences in the proportionate application of supervisory rules with respect to bank size. First, while US regulation provides for a full exemption from stress testing for community banks, in Europe this exemption does not apply to LSIs. With respect to capital requirements, however, the main difference is that while the EU framework allows NCAs to require even smaller institutions to hold an additional countercyclical capital buffer in good times, this only applies to banks with assets greater than $250 billion in the US. Ultimately, evidence of different application of the proportionality principle can also be found with respect to liquidity requirements. Specifically, while in the US full compliance with the LCR (Liquidity Coverage Ratio14 [2]) and NSFR (Net Stable funding Ratio)15 [2] is only required for banks with assets greater than $250 billion, and less stringent application is demanded of institutions with assets between $50 billion and $250 billion, in Europe compliance with an LCR of at least 100% is mandatory for all intermediaries. In addition, as of 2021, compliance with an NSFR of at least 100% will also be mandatory for all intermediaries, although a simplified version will be available for small and less complex institutions. Table 3 below summarises the differences just discussed.

Supervisory obligations USA: application to CBs Europe: application to LSIs
  • Stress test

  • Countercyclical buffer

  • LCR

  • NSFR


Table 3.

Differences between the US and the EU in the application of the principle of proportionality.

Source: Author elaboration.

Finally, the application of the principle of proportionality in the US banking system manifests its effects also in the phase of resolution of banks in crisis, contrary to what actually happens in the European Banking Union. In Europe, in fact, as highlighted by Masera [3], while the SSM provides for the assignment of the tasks of supervision on the LSIs to the NCAs, the performance of this activity is effectively limited only to the banks in ordinary administration, and as highlighted in paragraph 3.2, in the cases in which a Less Significant bank shows signs of vulnerability, the ECB has the right to take over the supervision of the institution, making the principle of subsidiarity prevail over that of proportionality. In the US, on the other hand, resolution interventions are led by the Orderly Liquidity Authority for banks subject to enhanced supervision (i.e. less than 5% of credit intermediaries), while small and medium-sized banks are subject to a special procedure coordinated by the Federal Deposit Insurance Corporation, which is entrusted with the necessary powers for proportionate interventions according to the characteristics of the institutions in crisis. The greater operational flexibility of the aforementioned US authorities compared to the European authorities is also accompanied by the lack of a single deposit insurance scheme for the resolution of small banks and by the provision of a limit of $250,000, well above the €100,000 envisaged by the future CDGS (which the ECB is also considering modulating over time for interventions limited to institutions in countries in financial difficulty), for the guarantee of depositors in the banking system.

In this context, it should be noted that the definition of the identification threshold for banks to which size-related measures are to be applied is not straightforward and can hardly be standardised. The difficulty lies primarily in defining criteria that are adaptable to the financial systems of different jurisdictions, which are different from each other. Policymakers and the literature have provided much food for thought [3, 4, 5] on the effective application of a two-tiered approach to less complex institutions identified through parameters such as:


3. The SREP process and the holistic approach to supervision and management of the banking business

Article 97 of the CRDIV (Directive 2013/36) requires supervisors to review the organisation, strategies, processes and methodologies that banks put in place to address the range of risks they face.

The Supervisory Review and Evaluation Process (SREP) is conducted annually by the supervisory Authorities to verify that each bank has implemented strategies, processes, capital and liquidity appropriate to the risks to which it is or might be exposed and that they have appropriate capital and organisational safeguards in place to address the risks they face, ensuring overall balance of operations and market resilience.

The SREP process is not new, as it has always been carried out before the SSM by national supervisors with different and non-homogeneous methodologies and practices. For this reason, the European regulation intended to standardise the SREP methodologies and practices used by the different Authorities at the level of the Banking Union.

SREP entered into force in 2016 for IS and only from 2018 became mandatory first for high priority LSIs and then for other LSIs. Following the harmonisation of the SREP process for LSIs, national authorities have been given full flexibility regarding the definition of Pillar 2 guidelines (P2G) [6]. Finally, one of the focal points of the MUV is the possibility for the ECB to take over the supervision of LSIs that are more vulnerable, for example due to a change in materiality profile or due to a choice by the Central Bank as a result of new assessments of the impact the institution might have on the financial system. Supervision of less significant institutions takes the form of periodic assessments conducted jointly by the ECB and the national supervisory authorities of the Member States, with the aim of making best use of the information available to the national authorities. Moreover, for high priority LSIs, the ECB examines the supervisory procedures and relevant draft decisions established by the NCAs themselves [6].

The SREP is a process by which the European Central Bank and the NCA specifically:

  • Review and assess the ICAAP (Internal Capital Adequacy Process).

  • Review and evaluate the ILAAP (Internal Liquidity Adequacy Process).

  • Carry out Business Model Analysis (BMA).

  • Analyse the bank’s risk individually and in the aggregate, including under stressed conditions, and its contribution to systemic risk.

  • Evaluate the corporate governance system, the organisational structure and the system of internal controls.

  • Monitor compliance with all prudential rules.

  • Make an overall assessment of the bank and initiate corrective action where appropriate.

At the end of the process, the supervisory Authorities send the banks a letter (called a “SREP decision”) specifying the objectives and areas to be addressed and corrected within a defined time frame16.

The SREP is an articulated process that develops through a continuous dialogue and confrontation between supervisor and supervised in order to make an overall assessment, from an integrated perspective, of the stability and resilience of the latter. The inspectors’ findings and the on- and off-site supervision feed the subsequent SREP cycle. In this perspective, the SREP is not a control and assessment activity carried out by the Supervisor once a year, but rather a process of second-pillar prudential control, which unfolds continuously and starts from the identification of the category17 to which the bank belongs (with respect to which to calibrate the intensity of the supervisory activity) against which the intensity of the SREP assessment is established, the supervisory expectations and the information required during the data collection phase, calibrated according to the classes [7] to finally arrive at the so-called SREP decision. The classification is calibrated according to the systemic impact of the intermediary, based on: size, structure, internal organisation, type, purpose and complexity.

The classification of institutions is followed by monitoring of indicators for changes in financial conditions and risk with the objective of updating the assessment of SREP elements. If monitoring reveals a deterioration in the institution’s risk, the Supervisor investigates the causes and may revise the assessments of the SREP elements. Vigilance develops different sets of ratios based on the different specificities of banks, including: ratios for all risks subject to SREP. All ratios used for regulatory requirements (see EU Regulation 575/2013 and Directive 2013/36/EU), minimum requirements on own funds and eligible liabilities under Directive 2014/59/EU (bank recovery), market indicators (equity price, CDS spread, etc.), recovery indicators. The frequency of assessment of all items of the SREP process is calibrated according to the category that the financial intermediary belongs to.

The four central blocks covered by the SREP assessment are: business model analysis, the governance and risk management framework, the capital adequacy framework (ICAAP) and the liquidity management framework (ILAAP).

For each of the four main blocks covered by the SREP, banks are assessed by the Supervisory Authorities on a scale of 1 to 4.18 The outcome of the assessment constitutes the basis for the overall assessment of the SREP: the SREP decision, which is the basis for supervisory measures. The SREP decision is the final summary of the entire Pillar 2 supervisory review process, which reports the bank’s overall score (compared to the assessment of the four main blocks) and, if anomalies are found, any corrective measures of an organisational, capital or liquidity risk containment nature or other early intervention measures. Interventions depend on the severity of the deficiencies, the need for timeliness, the degree of awareness, capacity and reliability of the corporate governance, and the availability of human, technical and capital resources at the intermediary. In the case of organisational deficiencies, additional capital requirements will be imposed if the bank does not appear to be able to ensure the removal of the deficiencies within an adequate period of time. The SREP decision is also a strategic moment of reconciliation between the MUV Pillar II process and the BRRD because it provides for the possibility of activating early intervention measures in case of trigger events foreseen by the BRRD.

Early intervention measures may be triggered by events that could have a significant prudential impact19 on the institution’s financial condition. They should be considered if the institution’s overall or individual SREP score is 4 and even if the SREP score inclusive was 3, but individual elements for governance and internal control, business model strategy, capital adequacy or liquidity score were instead 4. However, the early intervention measures are the result of ongoing monitoring of compliance with the requirements of the CRR and CRDIV with respect to the anomalous situations foreseen by the BRRD in the supervisory activity.

In the SREP decision the Authorities also define the so-called Pillar 2 Requirement (P2R), which is applied in addition to the minimum Pillar 1 requirement in order to cover all risks that are underestimated and not considered in internal risk governance. The P2R is one of the outcomes of the SREP and is legally binding. As part of the SREP process, an additional capital requirement is also identified, known as Pillar 2 Guidance or P2G, which is not legally binding, but which indicates to banks the level of capital deemed adequate to cope with stress situations and is defined by the Authorities downstream of the supervisory macro stress testing process (EU-wide stress test).

By its very nature, the entire process of Pillar 2 prudential supervision gives shape and content to the fundamental moments of intermediaries’ strategic planning, business choices, capital and liquidity allocation, funding plan, governance and organisational structure. The SREP is certainly a holistic approach to supervision that calls for an equally integrated approach by individual intermediaries to business choices, risk, capital and liquidity management both in normal and stressed conditions (Crisis and Recovery Risk Management), governance and the overall Risk Management framework. In this perspective, the SREP certainly represents a regulatory “stimulus” to a significant qualitative leap in the functions that deal with risks, capital and liquidity in the bank, recognising them as having a primary role in the strategic planning of the bank, as well as a flexible and proactive integration of the corporate control functions ( Table 4 ).

Business Model Analysis Degree of feasibility (within the year) and sustainability (over a three-year horizon) of the business model declared by the bank.
Identification of the key elements of the Business Model and assessment of the main areas of vulnerability.
Governance and Risk Management Assessment Adequacy of the governance model including the main control functions (risk management, internal audit and compliance).
Adequacy of the Risk Management system/infrastructure and degree of establishment of a “risk culture”.
Assessment of risks to Capital Adequacy of capital to cover specific risk categories (e.g. credit, market, operational and interest rate risk in the banking book). Overall assessment of ICAAP (documentation, data quality, risk measurement processes, capital planning, ...).
Assessment of risks to Liquidity and Funding Adequacy of overall liquidity management processes/governance; Funding capacity.

Table 4.

SREP process::Building blocks.

3.1 Business model analysis (BMA) and viability assessment

Within the SREP process, one of the main moments of assessment is represented by the analysis of the business model of financial intermediaries and the related operational and strategic risks (Business Model Analysis) aimed at establishing the economic (viability) and strategic sustainability of the business model20 of the institution based on its ability to generate acceptable profits over the next 12 months and over a three-year horizon. With the BMA, legislators attempt to investigate in detail the profitability of the current and prospective business model, but also to assess its resilience and weaknesses, which could jeopardise the future survival of the bank and which may not be highlighted by other elements of the SREP. The business model is not to be confused with the concept of “intermediation model”. On closer inspection, the former refers to a broader concept that encompasses both the issue of the intermediation model and other aspects such as the use of technology, the creation of value for the set of stakeholders and the management and operation of the most relevant processes (Maurizio [8]). The business model describes the logic with which an organisation creates, distributes and captures value [9]. However, there is no unambiguous definition of the business model in the literature, nor have European legislators ventured to define it in relation to the financial intermediation sector (Di [10]).

From this perspective, it is clear that the introduction of the BMA within the SREP process is a clear sign of the importance that European lawmakers assign to strategic planning and therefore to the choice of the intermediary’s business model, which, as is well known, has a large impact on the levels of profit produced. The latter is an issue of strategic importance given the negative trend in profitability in the context of the low profitability of Italian and European banks caused by the international financial crisis and the strong tightening of prudential supervisory obligations on risk, capital and liquidity, which require a thorough review of the intermediary’s strategic choices along possible lines of development of intermediation margins (Artificial Intelligence, attention to sustainable or rather ESG-oriented finance, etc.). The possibility for a bank to exploit resources with a high technological content, albeit following significant initial investments, allows it to achieve cost-reduction objectives, especially with regard to traditional credit activities, but in general for all activities whose costs (e.g. personnel costs) are not adequately remunerated by the revenues generated [11].

While it is true that business model choices have an impact on the profitability of individual banks, they also have important implications for the stability of the entire financial system (through funding structure,21 revenue composition, cost composition, ownership structure), which is why the BMA has been given an important role in the overall Pillar 2 prudential control process.

The BMA starts with a preliminary assessment of the environment the bank operates in, with particular reference to its core activities. In this initial step, the supervisor is required to assess a number of parameters (total revenues/costs, market position, etc.) and monitor their evolution over time in order to have a clear picture of the condition of the institution and to establish the relevance of its business areas in the context of reference. Competent authorities should use this preliminary assessment to establish the materiality of business lines/areas (i.e. determine which geographic areas, subsidiaries/branches, business lines and product lines are the most relevant based on profit contribution, risk and/or organisational/regulatory priorities -specific requirements for public sector banks to offer certain products- identify the peer group based on competing product/business lines that target the same source of profits/customers, support the application of the proportionality principle.

After the preliminary macroeconomic assessment, the competent authority should focus on the current business model, on the business lines that are most important in terms of viability or future sustainability of the current business model and/or that are most likely to increase the institution’s exposure to existing or new vulnerabilities, whereby they should assess the relevance of the business lines, previous SREP findings, findings and observations of internal and external audit reports, the importance of strategic plans identifying any business lines to be substantially increased or decreased, results of topical supervisory reviews, observed changes in the business model and peer comparisons (i.e. whether a business line has performed atypically compared to peers). As outlined in the EBA guidelines on the SREP process, the areas for which authorities are tasked with conducting analysis should include, at a minimum, an assessment of the trend in profits and losses in recent years, looking at the most significant indicators of banking activity such as net interest income, net banking income, cost-to-income ratio and loan impairment rate; the composition of the balance sheet in recent years, with particular attention to the composition of liabilities; the concentration of assets by customer, sector or geographic area; an assessment of the intermediary’s risk appetite, taking into account the formal definition of the current limits and the real tendency to respect them in practice; and finally an assessment that takes into account both internal and external factors capable of impacting on the functioning of the business model.

It should be made clear that the BMA has as its ultimate goal:

  • The feasibility/viability of the current business model over a 12-month horizon.

  • The sustainability of strategic plans over a three-year horizon.

In other words, the supervisors’ “ultimate” objective is to assess whether the financial intermediary, with its business model and strategy, is credibly capable of generating acceptable returns over a short (12-month) and long-term (three-year) time horizon.

The BMA does not aim to give a rating to the possible business models since the choice of these remains the responsibility of the management body, but to assess viability and sustainability, therefore verifying the bank’s ability to generate “acceptable returns” in the time horizons considered (12 months and 36 months). With regard to viability, having carried out the preliminary analysis, the Supervisor considers:

  • RoE vs CoE (i.e. whether the business model considered allows for a higher RoE than CoE on a structural basis).

  • Adequacy of the funding mix with respect to the bank’s business model and strategy.

  • Risk appetite: supervisors must assess whether the institution’s business model or strategy is consistent with acceptable levels of risk, including in relation to its peer group.

After the preliminary assessment, that of the entrepreneurial context, the detailed analysis of the current business model for the purposes of assessing the viability thereof, the Authority must analyse the forward-looking strategy and financial plans: the competent authorities should carry out a quantitative and qualitative analysis – over a period of at least three years – of the financial projections and the strategic plan of the entity to understand the assumptions, plausibility and riskiness of the business strategies. With regard to sustainability, the following are considered:

  • The credibility (plausibility) of the assumptions underlying the strategic plans and the economic-financial projections with respect to the view of the super-investors in relation to the current and expected business environment.

  • The impact of supervisors’ estimates on the business environment (if different from that assumed by the bank).

  • The level of risk of the strategy, both in relation to ambition with respect to the business context and in terms of execution risk.

The most obvious problem that arises in the assessment phase of the financial intermediary’s business model concerns the existence of documents capable of providing comprehensive information to the supervisory authority on the subject in question. Indeed, in many cases it is difficult to find the documentation relating to the detailed description of the business model adopted or, again, a definition of the responsibilities of the corporate functions involved in the implementation of the activities aimed at complying with the regulatory obligations on the subject. After the process described above and at the end of the BMA process, the authority will have the task of formulating an overall opinion on the business model adopted by the intermediary, highlighting any critical points identified.

3.2 Governance assessment and the strategic role of risk management: the risk culture

The second assessment of the SREP process is devoted to the following areas: Internal governance framework; Risk management framework and risk culture; Risk infrastructure and data and reporting.

At this stage of the assessment, the main objective of the supervisory authority is to evaluate whether the bank’s governance system and risk management process are adequate and consistent with the adopted business model and with what is planned in the risk appetite framework. More specifically, the suitability of the governance is assessed and whether the governance is adequately informed about the risks assumed by the bank, the risk management policies, the impact of the risk management policies on the banking activity as well as the level of capitalisation and whether this level is in balance with the risks assumed. It also assesses whether the bank has remuneration policies that comply with applicable regulations and whether the bank has an adequate system of internal controls (focusing on the risk management and compliance function), and in particular whether: (a) risk management policies have been properly defined and documented; (b) whether operational limits to the risk that can be taken are properly defined for the various business units and the bank’s risk appetite; (c) whether these limits are complied with; (d) whether the risk management function is able to measure, control and manage the risks the bank is exposed to; and (e) whether the bank in its operations complies with the rules affecting its business and internal regulations. Finally, in order for the analysis to be complete, the authority examines the technological infrastructure supporting the risk management process, as well as the quality of the data and the data collection mechanism. In fact, it is easy to see how scarce or irrelevant information can compromise the proper operation of the banking business, especially in terms of risk management and control. In summary, the areas impacted by this analysis are:

  1. Overall internal governance framework.

  2. Corporate and risk culture.

  3. Organisation and operation of the management body.

  4. Remuneration policies and practices.

  5. Risk management framework, including ICAAP and ILAAP.

  6. Internal control framework, including the internal audit function.

  7. Information systems and business continuity.

  8. Recovery planning arrangements.

Particular attention is paid to the assessment of the Risk management framework and the diffusion of an adequate risk culture at all organisational levels of the bank. The attention paid by supervisors to the three corporate control functions and in particular to the Risk Management function highlights the strategic role assumed by this function in recent years: there is no possibility of planning the opening of new branches, offering new products, changing the funding plan without taking into account the impact of these choices on the governance of risks, capital and liquidity. Given the strategic role that this function plays in the overall governance of the bank, it is clear that it must be staffed with adequate professionalism to oversee the various tasks and responsibilities that regulation has greatly articulated in recent years. In carrying out its activities, the Risk Management then has the moral obligation to spread the culture of risk at every organisational level; it is the culture of risk that is the real engine of change to guide the bank in the current hyper-regulated, volatile and complex market context. As pointed out by FSB [12]22weaknesses in risk culture are often considered a root cause of the global financial crisis, headline risk and compliance”. A sound risk culture should be able to ensure:

  • An appropriate risk–return combination, consistent with the financial institution’s risk appetite.

  • An effective system of controls, commensurate with the size and complexity of the financial institution.

  • The quality of risk models, the accuracy of data, the ability to measure risks accurately, using appropriate tools.

  • Limit possible violations of the policies followed.

A sound and widespread risk culture is the sine qua non for an effectively integrated risk governance that is capable of bringing together, in a reasoned manner, the supervisory and management views, the current and forward looking perspectives, and the business-as-usual and stressed perspectives. The board should continually promote, monitor and evaluate the institution’s risk culture, assess the impact of the institution’s risk culture on financial stability, risk profile and sound governance and make adjustments where necessary; and provide risk-taking rewards and penalties for those individuals within a bank who are in a position to make decisions regarding the risk they are managing.

For this reason, the culture of risk, being the humus of the sound and prudent management of a bank, cannot remain the exclusive property of the relative Risk Management function, but must become part of the common language and cultural baggage of the other actors involved in the governance of the company at any organisational level. In this perspective, it seems useful to clarify the skills and professionalism required by the corporate control functions, and therefore also by the Risk Management.

3.3 First conclusions: towards new skills and expertise. EBA and ESMA view

On 26 September 2017, EBA and ESMA [13] issued guidelines pursuant to article 9(1) of Directive 2014/65/EU (MiFID II) and article 91(12) of Directive 2013/36/EU (CRD IV). The Guidelines explicitly identify Key Function Holders (KFH), i.e. those responsible for certain key functions in the governance of the bank, as individuals to be assessed with the same criteria as corporate officers. They provide the criteria to be considered in the assessment of corporate officers and key function holders, outline the direction along which the supervisory authority develops the assessment of governance and key control functions in the context of the SREP process and aim to harmonise at a European level and improve the effectiveness of the assessment process for members of corporate governance and key function holders of banks, and therefore to strengthen the suitability of the governance structures of the European banking system. The guidelines came into force in June 2018 and are in any case inspired by the principle of proportionality, so its prescriptions must be calibrated in relation to the nature, size and operational complexity of the financial intermediary. The guidelines are addressed to board members, heads of corporate control functions, Chief Financial Officers (CFOs), and heads of business lines that otherwise exert influence on the bank’s direction and governance.

In compliance with the guidelines, banking and financial institutions must ensure and assess that KFH have an appropriate level of reputation, honesty, integrity, knowledge, skills and experience:

  • When applying for the authorisation;

  • When appointing a new KFH (within one month of appointment);

  • When necessary to ensure “ongoing” monitoring, in particular when “events” occur that make it appropriate to reassess the fitness of KFH (changes in the organisational structure, occurrence of episodes with reputational impact, changes in the business model).

In this regard, banks and financial institutions should establish their own fitness policy, including an appropriate induction plan (for new appointments) and ongoing training to ensure that they are familiar with the required areas and have the necessary skills. The Guidelines outline a perimeter of competencies for the fitness assessment of KFHs that includes not only their previous experience but also technical competencies23 (banking and financial markets, legal requirements, regulatory framework, strategic planning, etc.) and a very articulated set of soft skills including: independence of mind, decision-making ability, authenticity (consistency with stated values), communication and judgement skills (examines, recognises and understands the essential elements of issues with respect to which he/she is able to weigh different courses of action and project himself/herself beyond his/her area of responsibility), customer and quality orientation (of products, services, relationships), leadership, loyalty (identifies with the company, its value system defends the interests of the company and operates objectively and critically with a sense of involvement), stress resistance, negotiation skills, awareness of the external context (he/she is well informed about financial, economic, social and other relevant developments at a national and international level that may affect the company), ability to work in a team, persuasiveness, strategic acumen (he/she is able to develop a realistic vision of future developments by translating it into long-term objectives, e.g. by applying scenario analysis), ability to chair meetings efficiently and effectively creating an open atmosphere that encourages everyone to participate.

Independence of mind should not be confused with the independence required of members of the management body. In the latter case, reference is made to the fact that a member of the body in question must not have had any present or recent relationship or connection of any kind with the intermediary that could influence the latter’s ability to take balanced and independent decisions in the performance of his/her functions. For example, the fact that a member of the board of directors is considered to be “independent” does not mean that the member simultaneously has independence of mind [14]. The latter is in fact a set of necessary behavioural skills, including courage, conviction and strength to effectively evaluate and challenge the proposed decisions of other board members, the ability to ask questions of board members and to resist group-think.


  1. 1. Masera (2019): Community banks and land banks: can the hiatus on both sides of the Atlantic be bridged? Ecra editions. Page 35
  2. 2. Porretta P., Santoboni F. (2016), Liquidity ratio e liquidity pillar 2.Prescrizioni regolamentari e impatti gestionali nelle banche, CEDAM, ISBN 9788813363987
  3. 3. Masera (2019): Community banks and land banks: can the hiatus on both sides of the Atlantic be bridged? Ecra Editions. Page 48
  4. 4. Dombret Andreas (2017), Sometimes small is beautiful, and less is more - a Small Banking Box in EU banking regulation
  5. 5. Sabine Lautenschläger (2017), Is small beautiful? Supervision, regulation and the size of banks. IMF seminar, 14 October
  6. 6. ECB (2018a), MVU’s SREP methodology for LSIs,
  7. 7. ECB (2018b), SSM LSI SREP Methodology 2018 edition,
  8. 8. Maurizio Pierigè (2018): “Banks, the business model to come”. Risk Managementmagazine, September-December
  9. 9. Alexander Osterwalder, Yves Pigneur (2012): Creating business models. FAG Editions. Page 14
  10. 10. Antonio M., Nieri L., Costa E., Guggiola G. (2019), “Banks’ strategy and business model analysis: a proposal between rules and management principles”. Bancaria, June. Bancaria editrice, Basel Committee on Bankjoint eing Supervision (2019): Proportionality in bank regulation and supervision – a survey on current practices,
  11. 11. Vacca C., Sibilio N.I, Cusmano L, P. Soprani (2016), Banking business models: analysis and evolutionary perspectives. Bancaria, April. Bancaria editrice
  12. 12. FSB in A Framework for Assessing Risk Culture (2014)
  13. 13. EBA and ESMA (2017a), Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body,
  14. 14. EBA and ESMA (2017b), cit, para. 9


  • Council Regulation (EU) no. 1024/2013 of 15 October 2013 conferring specific tasks upon the European Central Bank concerning policies relating to the prudential supervision of credit institutions.
  • Regulation (EU) no. 806/2014 establishing uniform rules and procedures for the resolution of credit institutions and certain investment firms under the Single Resolution Mechanism and the Single Resolution Fund.
  • Directive 2014/49/EU of the European Parliament and of the Council of 16 April 2014 on Deposit Guarantee Schemes.
  • Regulation (EU) no. 468/2014 of the European Central Bank of 16 April 2014.
  • In Italy, CRD IV has been implemented by Circular No. 285 of the Bank of Italy.
  • Update of the CRD 4 Directive and the CRR Regulation by the EU Commission, made through a first proposal on 23 November 2016, and which will address market risk, interest rate risk, leverage ratio, Net Stable Funding Ratio, TLAC/MREL requirements, large exposures, counterparty risk, SME support factor, exposure to CCPs.
  • The Regulation will amend certain aspects of securitisation procedures carried out by banks.
  • It must be calculated and reported quarterly to the Supervisory Authorities.
  • The objective is to determine an order of priority of individual LSIs to be applied in the allocation of supervisory resources within the MVU, both for NCAs and the ECB.
  • MVU’s SREP methodology for LSIs. ECB, 2018.
  • MVU Supervision Manual. ECB, March 2018.
  • 14 As of 2016, the average size of European LSIs stood at around €1.5 billion, with German institutions accounting for a large part of this with €5.5 billion in assets (ECB, 2017). Moreover, the business models of less significant European intermediaries, although predominantly oriented towards a retail banking approach, are characterised by variety and by the market segments concerned. In fact, they are also present in sectors such as real estate or private banking, depending on the national context of reference.
  • The Wall Street reform known as the Dodd-Frank Act is a complex intervention sought by the Obama administration to promote a stricter and more complete regulation of US finance while encouraging a protection of consumers and the US economic system. Source: Borsa Italiana.
  • The LCR rules for European banks are defined in the CRR (Articles 411 to 416). The concept and requirements of LCR were devised by the Basel Committee of Banking Supervision in 2009 as a response to the 2008 financial crisis, which was caused by banks issuing risky loans and other egregious banking activities. Liquidity coverage ratio or LCR refers to the percentage amount of cash, cash equivalents, or short-term securities that large banks are required to hold as reserves to meet their short-term financial obligations during a crisis event. The LCR is calculated by dividing a financial institution’s most liquid assets by its cash outflows over a 30-day period. Banks must maintain a ratio of 100% to satisfy the requirement.
  • NSFR is a liquidity ratio requiring banks to hold enough stable funding to cover the duration of their long-term assets. For both funding and assets, long-term is mainly defined as more than one year, with lower requirements applying to anything between six months and a year to avoid a cliff-edge effect. Banks must maintain a ratio of 100% to satisfy the requirement.
  • The normative sources of reference for the SREP process are: - Guidelines on common procedures and methodologies for the supervisory review and evaluation process (SREP) (EBA/GL/2014/13) issued on 19 December 2014 – Applicable from 1 January 2016 - Guidelines on the revised common procedures and methodologies for the supervisory review and evaluation process (SREP) and supervisory stress testing issued 19 June 2018.
  • Banks are divided into four categories: Category 1: Global systemically important institutions (Global SIFIs) and other systemically important institutions (article 131 of Directive 2013/36/EU. Category 2: large-medium entities. Category 3: small and medium-sized entities. Category 4: small entities.
  • For each block, the Authority is asked to assign a score on a scale from 1 to 4, with 1 being the best and 4 the worst.
  • For example, a severe operational risk due to improper business operations, fraud, natural catastrophes, severe cyber incidents, a significant deterioration of the minimum requirement for MREL eligible capital and liabilities, or rating downgrades.
  • The EBA defines the concepts of economic and strategic sustainability as follows: The viability of the entity’s business model is its ability to generate acceptable profits over the next 12 months. The sustainability of the institution’s strategy is its ability to generate acceptable profits over a time horizon of at least three years, depending on its strategic plans and financial forecasts.
  • As an example, as can easily be guessed the risks associated with the structure of the funding assume greater weight if the funding is wholesale, while they have less impact with reference to funding mainly based on deposits, which is more stable by definition. A market-oriented model certainly hides more pitfalls than a traditional credit intermediation model due to the greater volatility of its results. Finally, with regard to the last two points, situations of instability can certainly derive from cost inefficiency and from ownership policies oriented more towards satisfying shareholders rather than practices consistent with the objective of stability and profitability in the short and medium term. See Financial Stability Review. ECB, May 2016.
  • FSB in A Framework for Assessing Risk Culture (2014).
  • In this regard, it should be noted that the amended article 26 of the Consolidated Law on Banking specifies that "persons performing administrative, managerial and control functions in banks must be fit for the performance of their duties.... The officers must meet the requirements of professionalism, good repute and independence, satisfy criteria of competence and propriety, and devote the necessary time to the effective performance of their duties, so as to ensure the bank’s sound and prudent management.… The management and supervisory bodies of banks assess the fitness of their members and the overall adequacy of the body, documenting the analysis process and providing reasons for the assessment".

Written By

Pasqualina Porretta and Fabrizio Santoboni

Submitted: 19 February 2021 Reviewed: 01 March 2021 Published: 02 July 2021