Banking business in Europe – how consistent are regulation and supervision really?
The supervision of banks in the euro area underwent a fundamental transformation at the end of 2014. With the establishment of the Single Supervisory Mechanism (SSM), which – integrated into the European Central Bank – is responsible for supervising all banks in the eurozone, new rules apply to all those involved. The initial criticism of the SSM set-up quickly gave way to respect for the short time in which it was launched and how quickly a competent team was brought on board. After more than three years of operation, it is now clearer what the strengths of the SSM are and where there is still room for improvement.
Special features of the SSM
Let us recall some of the institutional and legal peculiarities of the SSM. On the one hand, the SSM is firmly integrated into the structures of the European Central Bank; it obtains important services required for its operational activities (purchasing, IT, human resources) from the ECB's central units. The Governing Council of the ECB also has an influence on some of the SSM's decisions. At the same time, however, banking supervision is strictly separated from the ECB's monetary policy tasks. The SSM is accountable to the European Court of Auditors and the European Parliament in various areas.
In its supervisory work, the SSM distinguishes between "significant institutions" (SIs) and "less significant institutions" (LSIs); the latter are primarily the responsibility of the national supervisory authorities. If supervised SIs are of the opinion that a decision of the SSM should be amended, the Administrative Board of Review (ABoR) may be involved or the institutions may take legal action at European level. German LSIs, on the other hand, must first enter into a bilateral dialogue with BaFin (the Federal Financial Supervisory Authority) or take legal action at national level.
SSM and EBA
One of the SSM's many powers is to issue guidance for supervised institutions. This guidance is not automatically legally binding, but as a rule the institutions comply with the SSM's wishes. Things become interesting when another participant – the European Banking Authority (EBA) – comes into play in this area. The EBA is responsible for all 28 EU Member States, while the responsibility of the ECB and the SSM is confined to the 19 eurozone countries (and non-eurozone countries which opt to declare the SSM responsible for their banks). In its function, the EBA is the standard-setter for prudential financial regulation. It aims to provide a framework for the competent supervisory authorities in order to ensure uniform supervisory practice. BaFin is responsible for the LSIs in Germany. It cooperates with the SSM and provides input into decisions.
Theory is one thing, reality is often the other. Anyone who wants to understand the intricacies of cooperation between supervisory authorities not only has to delve deeply into the details of the laws and regulations but also needs to take a close look at the actual local supervisory practice of banking supervisors.
The fact that many questions may remain unanswered is illustrated by a practical example: take outsourcing to third parties. Institutions are confronted with a number of questions here: how do they identify, assess and manage the risk arising from such relationships and what countermeasures do they have to take if necessary?
For German institutions, answers to these questions can be found in the so-called ‘MaRisk’ (Minimum Requirements for Risk Management, current BaFin version of 27 October 2017), in the guidelines on outsourcing issued by CEBS (Committee of European Banking Supervisors, predecessor of the EBA) in 2006 and – in particular – in the EBA recommendations on outsourcing to cloud service providers (of 20 December 2017). As far as the EBA recommendations are concerned, national supervisors can decide for themselves whether or not to implement them. If they do not, they must inform the EBA thereof. The EBA must then officially disclose this.
MaRisk and EBA recommendations
The MaRisk, on the other hand, are recognised requirements for institutions subject to BaFin supervision; nevertheless, in the view of the German SIs, it has not been fully clarified whether the MaRisk also apply to them and how they interact with EBA or SSM rules. If a SI is also active in another EU country, the question is which rules apply there and whether the EBA or SSM rules may replace or complement the rules in force locally.
Back to the EBA rules on outsourcing to cloud service providers: if national supervisors decide not to implement the EBA recommendations in their country, it remains unclear what the consequences and impact of such non-implementation are for/on other national supervisors in the EU and the SSM, but also for/on those institutions that use cross-border outsourcing to cloud service providers. For example, supervisors who have recognised the EBA rules could prohibit transactions from countries that have not recognised these.
Without going into any further detail, this example illustrates one thing: the coexistence of central eurozone banking supervision by the SSM, EU-wide banking regulation by the EBA, national banking supervision, and national rules still in place can lead to confusing situations. These are more difficult for all those involved to handle than was originally assumed.
The answer can therefore only be understanding the European internal market as such and harmonising laws, regulations and supervisory practices on the ground – at least for SIs – accordingly. Those involved are aware of this and are already working on it. Unfortunately, it is not yet possible to predict – even in the case of outsourcing – how long this will take.