On-Site Inspections (OSI) Readiness - Deloitte US


Upload: trandien

Post on 16-Sep-2018


2017 Deloitte

• Perform in-depth investigations of risks, internal control systems and governance with a pre-defined scope and timeframe at the premises of a credit institution

• Conduct OSIs independently from ongoing supervision, but in close liaison with the Joint Supervisory Teams (JSTs)

• Different from the supervisory visit conducted by JSTs as part of all the supervisory functions

• Conduct the OSI in accordance with the SSM Supervisory Manual and at the premises of the credit institution

Actions

On-Site Inspections (OSI) Readiness

OVERVIEW OF ECB ON SITE INSPECTIONS

TIMELINES AND ACTIVITIES FOR OSI SUPPORT

OSI-PRINCIPLES

OSI-SSM APPROACH

> An OSI can have different triggers and objectives and is usually related to the risk assessment of the credit institution by the JST

> The main risks will usually not be reviewed in an isolated manner but will be covered in different areas of the mission

> The timing and scope of an OSI are clearly defined

> An "ad hoc" inspection is mostly triggered by a specific event or transaction

> OSI teams can consist of ECB and/or NCA inspectors, as well as external resources

> Involvement of ECB staff is not mandatory but the methodology of the ECB must be applied

> ECB usually leads missions with higher risks and/or potential political impact

• Business Model Analysis: Viability of business model and sustainability of strategies on the basis of the ability to generate returns

• Credit Risk and Counterparty Risk: Governance and organizational framework, credit risk management and control framework including reporting systems, credit risk profiles and quality of exposures including provisioning policies

• Market Risk: Internal market risk management framework, external non-regulatory reporting, compliance with regulatory and disclosure requirements

• Liquidity and Funding Risk: Liquidity risk management framework; external regulatory and non-regulatory reporting, compliance with regulatory and disclosure requirements

• Operational Risk: Internal operational risk management framework, IT risks, outsourcing

• Internal Governance and Risk Management: Management body, internal structure and organization, governance processes, internal control functions, internal governance framework, remuneration, Risk Control Function, Compliance Function, Internal Audit Function

• Internal Capital Adequacy Assessment Process (ICAAP): ICAAP process, level of capital, reflected level of risk, stress tests, risk appetite, strategy and capital planning

• Pillar 1 Capital Requirements Calculation Process: Governance, internal controls and procedures, data integrity with accounting and data quality assurance process, calculation of regulatory capital for major risk types like credit risk, market risk and operational risk

Direct connection between SREP results and OSI planning:

• key input for the SSM’s strategic and operational planning.

• direct impact on the range and depth of off-site and on-site activities

Risk-based

Prioritize and focus inspection activities on areas with higher risks or lower level of controls

Proportional

Account for the size, the activities and the risk profile of the institution

Intrusive

Judgement-based evaluations, understanding the risk profiles and business lines of supervised financial institutions

Forward-looking

Looking beyond present or historical figures to foresee future negative impact

Action-oriented

Recommending remedial actions, corrective measures to be taken by the credit institution

Potential Impact

• Additional supervisory measures: Organizational deficiencies may lead to an intensified SREP and supervisory process, triggering further OSIs with a direct impact on the organization

• Additional impairments: Specific and/or collective loan loss provisioning in a substantive amount

• Additional capital charges: Increase of the SREP factor; besides the size of the additional SREP surcharge, the competent authorities can also impose requirements on the quality of capital to back the surcharge

Objectives

• Examine and assess the level, nature and features of inherent risks, taking into account the risk culture of the credit institution under supervision

• Examine and assess the appropriateness and quality of the credit institution's corporate governance and internal controls framework.

• Assess the control systems and risk management processes, detect weaknesses or vulnerabilities with a potential impact on the own funds of the institution

• Examine the quality of balance sheet items (focus assets) and the financial situation of the credit institution

• Assess compliance with banking regulation

Principles: Risk-based, Proportional, Intrusive, Forward-looking, Action-oriented

OSI is started

OSI ended

Before an OSI is announced

OSI is announced

JST follow up

• Create awareness

• Identification of potential OSI areas

• Perform health checks on critical areas

• Extrapolation of potential impact of an OSI

• Create awareness

• Perform workshops with stakeholders

• Draft request lists

• Perform focused health check

• Support collection of data and documents

• PMO support

• Coaching

• On-going quality assurance on delivered data and information

• Competence Centre for facing technical challenges

• Support in remedies of findings

• Prepare for JST follow up

OSI Mission Topics

The direct participation in OSIs under the lead of supervisory authorities provides substantial insights into the supervisory priorities and regulatory requirements