Fixing the roof before it rains
EU and UK banks go into 2025 off the back of a year in which profitability was generally strong, and financial resilience metrics remained robust despite ongoing geopolitical and macroeconomic headwinds – although the potential ramifications of ongoing legal proceedings related to motor finance cloud the outlook for some UK banks.
However, banks’ homework list remains long: bolstering resilience to geopolitical, operational and cyber risks, further integrating climate and nature risk management capabilities and transition plans into strategic decision-making, taking advantage of the opportunities (and managing the risks) of digitalisation and Artificial Intelligence (AI), controlling liquidity risks from online banking and social media,1 and managing risks associated with non-bank financial institutions (NBFIs). All this while ensuring existing implementation programmes (including national frameworks for final Basel III standards, operational resilience, model risk management, operational resilience, model risk management, BCBS239 principles and the UK Consumer Duty) remain on track and maintaining profitability metrics.
Consequently, in 2025 we expect supervisors to make increasingly strident calls for banks to invest in “fixing the roof before it rains”, taking advantage of recent profitability to address long-standing issues. While there is an understandable tendency to frame such tasks as “remediation”, banks should see them as enablers of their medium-term strategic transformation. In fact, broader technological shifts (including supervisors’ own use of technology) and evolving customer and market preferences will inevitably require banks to transform their own capabilities.
The priority for banks in 2025 should be investment in two foundational areas of ongoing weakness, both of which underpin the broader spread of regulatory topics on banks’ plates and have significant business benefits if done well: data (in particular risk data aggregation and reporting), and risk culture and governance.
Neither of these two issues is new: and both are difficult, expensive and time-consuming to fix. As banks look to protect margins in 2025 by controlling costs, the temptation will be to repair or replace individual tiles rather than the whole roof. Yet further delaying necessary transformation in these two areas is not sustainable for two key reasons:
1) Bank boards and management bodies are under increasing pressure to demonstrate that they are steering their bank in a forward-looking and agile way,2 but this depends on several pre-requisites: a comprehensive and effective risk appetite, supported by high quality and timely management information (MI), increasingly informed by scenario analysis and stress testing. As the range of risks banks face broadens, identifying growth and profit opportunities whilst understanding the risk profile of those opportunities becomes increasingly complex. Banks also need to show they can effectively identify and manage ”novel” risks.3 Data capabilities and risk culture are important enablers, and improvements in both will be mutually reinforcing.
2) Supervisors are increasingly willing to use the sharper tools at their disposal to incentivise and/or compel banks to remediate weaknesses faster and more effectively. In 2025, data and governance issues are squarely in their crosshairs. Following its reforms to the Supervisory Review and Evaluation Process (SREP), the ECB is making greater use of enforcement tools that potentially change the economics of interim implementation solutions, and at their most severe can directly constrain banks’ ability to grow their business.4 In the UK, regulators continue to use Risk Management & Governance scalars and 166 skilled person reviews, and the Prudential Regulation Authority (PRA) will expect banks’ Basel 3.1 implementation to include robust governance over changes to capital calculations and clear demonstration that systems can deliver accurate timely capital calculations for both modelled and standardised approaches, where necessary.5 Supervisors in both the EU and UK have recently proposed requirements that more directly link executive remuneration to remediation of supervisory findings.6
Connecting data remediation to strategic execution
Banks must have the basics right with data issues – clear data lineage, maintenance of golden sources and development of robust detective and preventative controls.
But in 2025 we also expect supervisors to focus on “top-down” governance, incentives and accountability for data issues (including not just risk data aggregation and reporting, but also cloud outsourcing, risks associated with digitalisation and operational resilience). Supervisors have made explicit calls for banks to have greater IT expertise at the board and management body level –7,8 this will become increasingly important as banks look to new technologies, including AI, to improve efficiency and reduce manual effort (see Figure 1).
Figure: 1 primary measures planned by EU banks to reduce operating expenses/costs:
Source: European Banking Authority (EBA)9
If banks are going to transform their data, bank management must envision, develop, communicate, and deliver a clear strategy for high quality data that enables more effective business decision-making. Banks often view data remediation primarily as a compliance exercise,10 but there are also opportunities to generate strategic advantage. Reducing time spent reconciling data between teams will enable banks to respond quickly when the market shifts or becomes more volatile.11 And improved data can enable more efficient and effective customer service. For example, less fragmented IT infrastructure can provide banks with a more comprehensive view of their customers, enabling revenue growth and reduced cost-to-serve. Having a more joined up view of trends in conduct data across a range of internal and external sources could allow banks to enhance customer experience and optimise product strategies (and potentially mitigate conduct, legal, and reputational risks).
Taking a top-down view will enable banks to identify where synergies exist between data collected for different regulatory, supervisory or MI purposes. Banks often identify cohorts of customers for one purpose but fail to leverage that data for a broader range of potential uses, and this may be a missed opportunity in some cases. For example, data already collected for climate risk management and disclosures (counterparties’ sensitivity to energy prices; physical location of critical production facilities, data centres or third-party providers) may also be relevant for assessing counterparties’ exposure to geopolitical risks. And collecting more granular data for Consumer Duty purposes is an example of where investment in capabilities could help banks improve understanding of depositor profiles for liquidity risk management. Ensuring the right expertise is in the room at the management body level will help banks identify where data improvements deliver business benefits and/or help to reduce costs.
Figure 2 : expected vs achieved benefits resulting from BCBS 239
Source: Deloitte survey (2024)12
Basel 3.1/CRR3 implementation provides a good example of why fixing data is not just “good housekeeping”, but a crucial near-term task. As banks seek to understand the impact of the new rules, Risk and Finance departments are facing increasing demands from business units for data on exposures, exposure classifications, risk parameters, collateral eligibility and applicability for different risk weighted assets (RWA) approaches, and for second-order effects including output floor allocations, effects on incentive programmes, and changes to the costs of capital and internal funding. Banks with ongoing data challenges will find these requests a drain on resource, especially where processes depend on manual inputs.
From a strategic point of view, data capability will be a differentiator as banks optimise their capital allocation and navigate the “day 2” landscape. If banks’ data is not accurate, then strategic decisions on portfolio structure, collateral optimisation, risk transfer transactions, pricing, and appetite for new business will not be optimal. Those banks that can provide fast, accurate data will make better decisions about which customers to target, and protect their market position in the most profitable customer segments. Even if banks choose to delay certain strategic actions in light of uncertainty over the final form of the Basel rules in the US, laying the data foundations to respond effectively cannot wait.
Risk culture, governance, and the effectiveness of boards and management bodies will play a critical role in banks fixing their data issues. At the same time, specific governance-related initiatives demand attention in 2025. CRD6 requires banks to draw up individual statements setting out the roles and duties of all members of the management body, and to map out duties and reporting lines. Implementing the Senior Managers and Certification Regime (SM&CR) was a significant exercise for UK banks – some EU banks will need to treat it as a full-scale transformation programme, with CEO-level buy-in and even ownership.
UK banks (and banks in some other European jurisdictions)13 have already been through this journey, but some may need to revisit it. For example, as geopolitical and technology-related risks rise up the supervisory agenda, banks will need to decide who is ultimately responsible for those risks, and whether they have the right incentives and tools to control them effectively. Going through this mapping exercise can help banks to identify where targeted investments in people (topic-specific expertise at senior management level or below) or capabilities (data collection, scenario analysis and stress testing, or AI tools that facilitate more effective risk management) are required.
More broadly, regulation increasingly imposes an expectation of continuous improvement and empowers supervisors to require a broader range of remediation activity – examples include operational resilience,14 the UK’s Consumer Duty, and fraud and financial crime prevention.15 Where regulators and supervisors’ expectation is that remediation of existing weaknesses is just the beginning of an ongoing journey, and the business needs to incorporate evolving expectations into its operating model, banks’ implementation programmes will need to ensure – even more than normally – that the first line is fully on board. Banks will need to develop, implement and monitor a culture that is increasingly comfortable with continuous self-examination, reflection, root cause analysis, and learning from errors and challenges. This is especially important as banks grow: several recent enforcement actions against banks have had their roots in controls not keeping pace with growth of the business.
While the prospect of major new regulatory initiatives being introduced in the short term appears low, banks continue to face ongoing implementation and remediation work, as well as responding to evolving supervisory expectations. The call for banks to remediate long-standing issues will become louder in 2025. In a challenging macroeconomic and geopolitical environment, banks that identify strategic benefits in effecting transformational change in their data, culture and governance will reap rewards in both business performance and supervisory relationships.
Key considerations for retail and commercial banks:
|
---|