The 2019 priorities for BaFin’s Banking Supervision Sector included the stress test for credit institutions under national supervision as well as the transposition of the Second Payment Services Directive (PSD2) – which in itself was somewhat stressful.
The Banking Supervision Sector again took on many different challenging topics in 2019 – long before the coronavirus crisis appeared on the horizon. In addition to their regular supervisory activities, the Banking Supervision Sector addressed their supervisory priorities for 2019: conducting the 2019 LSI stress test with an assessment of the impact on profitability and interest rate risks, evaluating IT systems and related IT processes, as well as the transposition of the Second Payment Services Directive 2 (PSD2).
In addition, the exemption of German promotional banks from the scope of the European Capital Requirements Directive (CRD) took effect in 2019. Since they are thus no longer subject to the European Single Supervisory Mechanism (SSM), the promotional banks have again become subject solely to the national supervision of BaFin and the Bundesbank.
Supervisory priorities in 2019
The supervisors’ day-to-day activities are largely determined by the priorities governing the supervision of less significant institutions (LSIs) in Germany; BaFin’s Banking Supervision staff set out these priorities together with the Bundesbank on an annual basis. In determining the 2019 supervisory priorities, BaFin and the Bundesbank focused on a series of risks affecting the LSI sector: profitability risk, interest rate risk, digitalisation/IT risks, credit risk (including developments in the real estate sector), country risk, legal and reputational risk.
BaFin therefore monitored the institutions on an ongoing basis, also inspecting whether their risk provisioning and their risk management and controlling processes in the area of real estate were adequate. In addition, the supervisors turned their attention to profitability and interest rate risks in the supervisory review and evaluation process (SREP) in 2019.
Banking Supervision conducted inspections under section 44 of the German Baking Act (Kreditwesengesetz – KWG) for 161 LSIs last year. One-third of these inspections focused on credit risks; roughly 10% focused on interest rate risks and about 3% on digitalisation and/or IT risks. In addition, Banking Supervision also conducted 1,242 discussions with management bodies, about one-third of which involved BaFin.
Conducting the 2019 LSI stress test with an assessment of the impact on profitability and interest rate risks
The low profitability of the German banking system – coupled with the prospect of continuing low interest rates – has been a matter of concern for Banking Supervision for some time. In 2019, the LSI stress test – consisting of a survey and an actual stress test – served as a significant source of information, enabling Banking Supervision to better assess how the low interest rate environment was affecting the earnings and capital resources of the German credit institutions. On the whole, about 1,400 small and medium-sized credit institutions subject to direct national supervision participated in the test. The participants thus constituted approximately 89% of all credit institutions in Germany and approximately 38% of the aggregate total assets.
The survey part consisted of two sections. First, BaFin and the Bundesbank enquired about the credit institutions’ specific planning and projection data for their income statement and about selected balance sheet items. Second, the institutions were asked to simulate their earnings for the period 2019 to 2023, in five interest rate scenarios predefined by the supervisors.
In the survey part of the test, the credit institutions’ answers made it clear that the return on assets of some banks was weak. According to the institutions’ specific planning, however, they had anticipated, on average, an increase of about 10% over the coming five years; it must be noted that at the time, about half the institutions were still assuming interest rates would increase within the planning period. Admittedly, the prospect of continuing low interest rates made it seem more likely that the German banking sector would see a decline in profitability.
One interest rate scenario in the test part of the stress test involved constant interest rates; in this scenario, the return on assets decreased accordingly by more than 10%. The least favourable interest rate scenario, with declining interest rates, involved a significant drop in the return on assets of more than 50%. But on average, even in this least favourable of the five interest rate scenarios, German institutions still remained profitable.
Supervisory programme 2019: Banking Supervision
BaFin uses the risks detected in the test part of the stress test to calculate the institutions’ Pillar 2 Capital Guidance (P2G). An institution’s failure to comply with the P2G signals to the supervisors that an important early warning threshold has been crossed. Furthermore, the supervisors use the findings for their individual supervisory tasks, for example for requesting and evaluating written statements and capital plans. In the case of vulnerable institutions, BaFin and the Bundesbank are stepping up their discussions with the management bodies, keeping an especially close eye on the institutions and thus contributing to the stability of the German banking market.
Inspecting IT systems and related IT processes
As digitalisation advances, the importance of IT systems and IT services for banks’ business activities is growing, and the scope of requirements for the security, availability and functionality of these systems and services is continuing to grow as well.
For this reason, BaFin published its Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT) in 2017, setting out what it deemed to be proper business organisation, effective IT risk management and adequate technical and organisational resources for banks.
In 2018, BaFin set up a new organisational unit to be responsible for IT supervision, payment transactions and cyber security. This organisational unit includes a team specially tasked with conducting IT inspections for banks and insurance undertakings.
In 2019, aiming to detect IT risks, Banking Supervision ordered inspections with an emphasis on the IT area. The inspections were then conducted primarily at online banks and institutions where IT security incidents or other IT issues had occurred in the past. The scope of the inspections generally included all the areas subject to the BAIT, but especially information risk management and information security management. The inspection team examined aspects such as whether the banks had effectively implemented adequate information and cyber security measures and if they had conducted protection requirements analyses and risk analyses that could be used to detect potential threats.
A number of serious deficiencies were found also in individual institutions’ outsourcing management and other external procurement practices in terms of IT services. The team checked, for example, whether the banks were identifying and assessing the risks associated with purchasing IT services and whether they were adequately monitoring and managing these risks.
BaFin conducted the inspections together with the Bundesbank, urging the banks to take appropriate measures to remedy the shortcomings as quickly as possible.
Ever since the transposition of the PSD2 entered into force on 13 January 2018, enterprises that provide payment initiation and account information services have required authorisation to operate as payment institutions. If they offer only account information services, a simplified authorisation procedure is applied. Such enterprises need only register in order to become payment institutions. In addition, some CRR credit institutions and e-money institutions are permitted to provide these services within the scope of the authorisation they already have. Enterprises that provided these services before there was an authorisation requirement are subject to a transitional provision.
In 2019, BaFin authorised 10 enterprises to provide payment initiation and account information services. It also registered 12 enterprises as providing solely account information services. It was evident that there was still a great deal of interest in well-established payment services, such as the money remittance business. Consequently, the number of payment institutions and e-money institutions in Germany doubled between 13 January 2018 and 31 December 2019, totalling 76.
Since 14 September 2019, banks have been required to provide payment initiation and account information service providers with a technical interface and, as an emergency mechanism, also to grant them access to accounts via the customer interface. On request, BaFin can release a bank from this requirement. Nevertheless, it did not grant any such exceptions in 2019 since none of the applicant institutions were able to fulfil the necessary requirements for the functionality and stability of the interface.
Likewise since 14 September 2019, the requirement for strong customer authentication (SCA) has been in effect, particularly with regard to the initiation of electronic payments (see expert article on the BaFin website dated 23 October 2019). This is having its greatest impact on online card payments, as this sort of authentication was not common for such payments in the past. In the course of 2019, however, it became clear that many online retailers throughout Europe had not adapted their processes to the extent that customers could perform SCA during the payment process. This gave rise to a number of uncertainties. As a result, BaFin has decided – in consultation with the European Banking Authority (EBA) and the other national supervisory authorities – to tolerate failure to offer SCA for online card payments until 31 December 2020. In the meantime, however, BaFin will be keeping a close eye on the market developments, working to ensure the timely implementation of the requirement within the grace period.
Priorities for 2020
BaFin’s Banking Supervision Sector, in cooperation with the Bundesbank, has also defined its priorities for 2020 – these are available online. A new challenge has now been added to the list: the coronavirus crisis. BaFin is keeping market participants up to date in this respect.
This article reflects the situation at the time of publication and will not be updated subsequently. Please take note of the Standard Terms and Conditions of Use.