Pillar 2 inspections distinguish between different areas of emphasis, which can form the subject of an inspection individually or in combination. These inspections assess proper business organisation pursuant to Sections 25a and 25b of the Banking Act in conjunction with the Minimum requirements for risk management (MaRisk) and/or the Supervisory Requirements for IT in Financial Institutions (BAIT). Inspections of significant institutions are also based on SSM supervisory requirements (e.g. EBA Guidelines or the ECB Guide to the internal capital adequacy assessment process (ICAAP)). Typical areas of emphasis are as follows.
Internal capital adequacy (ICAAP)
An inspection of the internal capital adequacy assessment process (ICAAP) assesses whether an institution has appropriate and effective processes in place to calculate and maintain capital adequacy. Alongside the supervisory requirements derived from the MaRisk, the assessment is also based on the prudential paper “Supervisory assessment of bank-internal capital adequacy concepts”.
ICAAP inspections are often combined with a particularly in-depth assessment of specific types of risk, such as counterparty credit risk, market risk, interest rate risk or operational risk. Inspections of liquidity risk are also carried out.
Credit business
Examining lending processes is a common type of on-site inspection at credit institutions. The focus here lies on inspecting an institution’s organisational and operational rules. The requirements set out in BTO 1 of the MaRisk form the basis for such inspections. Those provisions differentiate between various sub-processes, including the granting and further processing of loans, early detection of risks, intensified loan management and processing of problem loans as well as appropriate risk provisioning.
Prudential assessment of adequate risk provisioning (PAAR)
PAAR inspections supplement selected process-oriented inspections of credit business (see Credit business). The inspections focus on assessing the impairment of individual loans. Specifically, this involves assessing and examining the sustainability of borrowers’ debt-servicing capacity as well as a valuation of the credit collateral provided. The outcome of these inspections can be additional loan loss provisioning at the inspected institutions.
Information technology (IT) and cybersecurity
The scope of IT inspections covers the organisational and technical requirements set out in Sections 25a and 25b of the Banking Act, as further detailed in the MaRisk and BAIT circulars, or in Sections 26 and 27 of the ZAG, as further detailed in the ZAIT circular. These system inspections are designed to assess the adequacy of risk management in light of the specific circumstances of each institution. This provides an overall picture of an institution’s digital risks which, coupled with the process-oriented approach to IT inspections, has proved to be a very effective way of working for the Bundesbank.
Business model analysis and profitability
The business model analysis and inspection of profitability aim to assess the viability (short-term horizon) and sustainability (medium-term horizon) of a business model’s profitability. These inspections take into account both quantitative aspects (e.g. current and planned net income from interest, trading, and fees and commissions) and qualitative aspects (e.g. the process of defining the business strategy and operational business plans derived from it).
Internal governance basically covers all of an institution’s standards and principles for defining its objectives, strategies, risk management procedures, business organisation, areas of responsibility, reporting lines and internal controls. Depending on the inspection mandate, sub-areas of an institution’s internal governance are examined. The subject of such an inspection may be, for example, the risk control function, MaRisk compliance function, internal audit, or ensuring general segregation of duties (e.g. between front office and back office).
An inspection of trading business assesses the appropriateness and effectiveness of the institution’s organisational structure for executing and settling trades. Besides requirements for the organisational structure (segregation of trading from the settlement and control functions and the risk control function), these inspections examine the organisational requirements for trading processes in particular (including the recording, confirmation, execution and control of trades).