Banking supervision priorities in 2021

Every year, BaFin and the Bundesbank define their priorities for supervising less significant institutions (LSIs) in Germany. After first specifying the main risks to LSIs, they proceed to determine supervisory measures to address these risks in line with a risk-oriented supervision. Supervisory priorities for the significant institutions (SIs), supervised directly by the European Central Bank (ECB), are set by the Single Supervisory Mechanism (SSM). These are taken into account when determining LSI priorities.

The fallout from the COVID-19 pandemic will have a major bearing on supervisory activities in 2021. The most visible effect of the pandemic at institutions will be the rise in credit risk. When and to what extent borrowers default on loans will depend on how the pandemic plays out, how it affects economic activity, and what effects the comprehensive government support measures will have.

As the COVID-19 pandemic adds to the pace of the digital transformation, IT systems become steadily more important for banks’ business activities. Having powerful, state-of-the-art IT systems and being highly resilient to cyberattacks is crucial for keeping operations running smoothly at institutions.

Given this backdrop, the supervisory priorities for 2021 will be to closely supervise institutions in the context of the COVID-19 pandemic, primarily from a credit risk angle, and to scrutinise and address cyber/IT risks at institutions.

These priorities will be duly considered when dealing with the areas for action listed below, in particular.

To monitor institutions’ resilience to the fallout from the COVID-19 pandemic, supervisory activities will include the following:

  • requesting and assessing, on a needs-oriented basis, risk reports and disclosures on the impact of the pandemic and the evolution of credit risk;
  • setting focal points for credit risk pursuant to Section 30 of the German Banking Act (Kreditwesengesetz) in the audits of the credit institutions’ annual accounts;
  • carrying out ad hoc inspections to examine the credit quality of institutions’ portfolios and their internal capital adequacy.

To review institutions’ IT and cybersecurity, banking supervisors’ activities will include the following:

  • using meetings with management and associations to query arrangements made by institutions to shield their IT systems from cyberattacks and internal incidents;
  • assessing cyber and IT risks in ad hoc inspections and as part of the routine supervisory review and evaluation process (SREP);
  • using meetings with management and associations to raise the topic of the (growing) tendency to outsource IT services, particularly in light of concentration risk.

Other relevant risks to German LSIs identified by BaFin and the Bundesbank are business model risk, interest rate risk, country risk, and environmental and climate risk. As regards country risk, supervisors will be looking particularly at what Brexit means for institutions following expiry of the transition period at the end of 2020. As for environmental and climate risk, banking supervisors will use their meetings with institutions and associations to assess the extent to which institutions are properly incorporating this risk into their risk management.