Skip to main content

Strengthening banks’ Counterparty Credit Risk (CCR) management practices to meet increasing supervisory expectations

At a glance

  • It is no secret that policymakers globally are increasingly concerned about the growing financial risk outside the banking system. This has resulted in a large number of global, regional and national regulatory workstreams targeting the resilience of non-bank financial institutions (NBFIs) which we analysed in a previous article.
  • Many of these workstreams remain work in progress. In the meantime, supervisors continue to emphasise the key role that the robustness of banks’ counterparty credit risk (CCR) management practices plays in reducing the perceived risk stemming from NBFIs.
  • CCR has been singled out in the latest ECB and PRA supervisory priorities, the FCA wholesale bank portfolio letter, and the PRA “Dear CRO” letters on fixed income financing and private equity related financing activities.
  • The ECB and the BCBS have also published guidelines for CCR management including on governance, due diligence, risk measurement and stress testing which supervisors will benchmark banks against.
  • Supervisors are concerned that banks have not acted quickly or effectively enough to improve risk management and controls in response to previously identified weaknesses in CCR management. Time is now running short for banks to act before supervisors start to intervene even more forcefully to address what they perceive in some cases as ineffective remediation.
  • We have analysed the PRA, FCA, ECB and BCBS expectations on CCR management and identified five priority areas which feature in many of them, indicating that supervisors around the world are thinking about the risk issues along similar lines.
  • Banks should be looking to improve their CCR arrangements not only to contend with rising supervisory expectations, but to position themselves to weather storms better in an environment of increased funding costs, tighter financing conditions, and increased volatility.
  • The deficiencies identified by the supervisors may be more acute for smaller banks with more limited risk management resources. Identified leading practices are also relevant for firms outside the banking sector which are exposed to CCR.
  • In the analysis we set out below we discuss the key weaknesses identified by supervisors in banks’ CCR management practices and what they expect banks to do to remediate them. Banks should consider performing a gap analysis against supervisory expectations. The PRA has already mandated a gap analysis in its “Dear CRO” letter on private equity related financing activities. The analysis and remediation plan for any identified gaps are due for submission to the PRA by the end of August 2024. Where gaps are identified, supervisors expect banks to do a read-across to other relevant business areas where similar gaps may exist.


After 15 years of substantial growth, NBFIs account for c50% of UK (and global)1  financial sector assets, while the framework for identifying any systemic risks that NBFIs may pose to financial stability and the toolkit that regulators have for responding to them are much less developed than for banks. Banks and NBFIs are deeply interconnected – through loans, securitisations, derivatives, and funding relationships. According to ECB estimates, around 20% of euro area banks’ funding is provided by NBFIs2. NBFIs are also an essential driver of profitability. Prime brokerage, for instance, accounted for more than half of the revenues from banks’ equities businesses in 20233.

Whilst policymakers around the world are progressing various workstreams targeting NBFI resilience, supervisors continue to emphasise the important role that banks’ play in maintaining financial stability through ensuring the robustness of their CCR management practices. Fundamentally, most banks get the basics of CCR right, consistent with what is required by the Capital Requirements Directive (CRD) and by the Capital Requirements Regulation (CRR). However, as laid bare by various market shocks, supervisors expect banks to develop their CCR frameworks and associated capabilities to build additional resilience against market shocks and tail events.

We have taken stock of the key messages about the deficiencies identified by the supervisors and their expectations for improvement. We have then identified five areas common to the PRA, FCA, ECB and BCBS publications where banks can expect increased supervisory scrutiny. These five priority areas are:

  • Counterparty due diligence, including an ability to distinguish between different types of exposure and understand correlations and concentrations among clients.
  • Governance and risk management, where the Board should consider CCR exposures in setting the business strategy and satisfy itself that the scale of those exposures is consistent with the overall risk profile of the bank.
  • Risk measurement and risk appetite, and how banks need to overcome the challenges of capturing, combining and measuring all aspects of CCR.
  • Stress testing, where banks need to incorporate a wider range of stresses into their stress testing and evidence how they use the results to inform their business and risk management decisions.
  • Data and reporting require banks to invest in capabilities which enable them to identify and aggregate CCR exposures and overcome the difficulties of often fragmented systems in different business lines and legal entities.

Below we investigate these areas in greater detail.

Five areas for improvement

1. Counterparty due diligence

Supervisory expectations

  • Improve customer due diligence and understanding of client business profiles and extend enhanced principles to all client types.

In an environment where banks’ exposure to a wide variety of NBFIs is growing in complexity, the ECB, the PRA and the FCA have all noted that banks should improve their customer due diligence and understanding of client business profiles to distinguish better between different types of exposures and understand correlations and risk concentrations between clients. For example, following the LDI crisis in the UK, the PRA expects banks to differentiate between mandated and pooled LDI funds, with distinct on-boarding procedures for each.

In the past, in response to supervisory requirements, banks have been improving due diligence processes for specific types of counterparties, such as hedge funds in prime brokerage business. However, the PRA is very clear that banks should extend enhanced due diligence principles, client disclosure standards and CCR management controls to all client types in all relevant trading businesses.

  • Consider non-financial risk factors.

In assessing the riskiness of a counterparty, supervisors expect banks to look beyond financial metrics and consider non-financial risk and other qualitative metrics such as the quality of clients’ disclosures and their reliance on third parties for the provision of critical services. A more conservative approach to risk management may be needed for counterparties which underperform in these categories.

  • Ensure continuous due diligence.

The BCBS draft guidelines emphasise that due diligence obligations do not end with onboarding a counterparty and should be continuous, incorporating information about material counterparty developments. Any material change in a counterparty’s leverage or risk profile should trigger a revised assessment. Specifically, in the case of NBFIs, ongoing due diligence should ensure that they have sufficient shock absorbing capacity and appropriate risk policies, procedures, and controls.

Challenges and leading practice

Enhanced client on-boarding can be achieved through a deeper understanding of the economics of the underlying exposures and of the key drivers of counterparties’ performance. Banks can also improve the granularity of on-boarding processes and analysis of the inherent riskiness of underlying trades including directional market risk. To achieve this, banks need to consider excessive leverage or concentration risk, and idiosyncratic and wrong way risk (WWR). Most importantly, the information gathered during due diligence should feed directly into CCR decisions, including risk ratings, limits, contractual terms such as margin requirements and collateral haircuts, as well as risk mitigants.

The BCBS consultation suggest that banks should request additional disclosures from complex counterparties which could carry a higher risk, such as details of portfolio compositions, use of leverage, value-at-risk metrics, or stress test results. Obtaining such information could be challenging if counterparties are not willing to disclose this data due to its proprietary nature and equivalent data is not available through a third party. If this information is not available, banks could consider the use of additional risk mitigation measures.

Ensuring a common set of onboarding procedures for a particular type of counterparty across all the business units and legal entities of a banking group can also be complex and time-consuming. Similarly challenging is to differentiate adequately between the on-boarding procedures for different types of counterparties. To solve both of those challenges banks may need to enhance the capacity and capability of front office and risk management teams.

2. Governance and risk management

Supervisory expectations

  • Build a dedicated CCR strategy and management framework.

Supervisors expect banks to have a dedicated CCR strategy and management framework across all three lines of defence (LoD) with well-defined responsibilities and reporting lines, approved by the Board. Most of the deficiencies identified by the supervisors relate to a lack of collaboration across the CCR management function, limited CCR coverage and siloed thinking.

Challenges and leading practice

Even in some more sophisticated banks with dedicated CCR teams in the 1LoD, the ECB found insufficient capacity to ensure full coverage of all relevant counterparties. In the 2LoD, dedicated CCR teams in more advanced banks have specialist knowledge of both market and credit risk while in less advanced institutions CCR risk managers rely on separate market and credit risk teams.

CCR is also often embedded within the wider credit risk function and may not be recognised as a distinct risk type.

In the 3LoD, internal audits often tackle CCR from the perspective of individual business units, with only a few more sophisticated banks with internal model permission or extensive derivatives businesses having adopted a more holistic approach to CCR assurance work.

In assessing CCR governance, the ECB found only few banks had a specific CCR governance committee or dedicated fora to discuss CCR topics across business lines. In most banks CCR is generally discussed monthly or even less frequently and often in conjunction with general credit risk topics. Only a few banks have dedicated CCR MI, usually as part of credit risk reporting, and the various elements of CCR can be scattered across several reports.

To satisfy increasing supervisory expectations, banks need to ensure adequate coverage of all relevant counterparties across all business lines and develop a holistic view of CCR. This view needs to be consistently reflected in credit and market risk assessments to evaluate the overall risk to the bank. Firms with material or complex CCR exposures should have a dedicated CCR resource in both the 1LoD and 2LoD. The 3LoD should assess CCR processes and governance across business lines, legal entities and jurisdictions.

Banks should focus on breaking up siloes in CCR management and ensure that all the relevant risks are factored in before taking risk management actions. Boards should also play an active role in CCR governance by considering CCR exposures in business strategy decisions and ensuring aggregate exposures are in line with risk appetite. Boards should satisfy themselves that the scale and composition of CCR exposures are appropriate in the context of the overall risk profile of the bank.

3. Risk measurement and risk appetite

Supervisory expectations

  • Develop exposure metrics to capture all aspects of CCR.

The ECB has identified substantial room for improvement with regards to risk measurement. Supervisors expect banks to develop exposure metrics that will capture CCR across all products, business lines and legal entities, thereby providing a holistic view of the totality of CCR exposures.

The BCBS draft guidelines note that CCR metrics, supported by a clear and actionable taxonomy, should account for instances when perceived risk mitigants, or diversification benefits, may not work as intended. Whilst focusing on the holistic understanding of CCR, banks should also be able to identify, evaluate and capture idiosyncratic risks properly and understand their effect on portfolio correlations and risk concentrations.

  • Improve the measurement of CCR portfolio wind-down cost.

Banks are also expected to measure the costs of CCR portfolio wind-down more accurately. While supervisors regard the use of the regulatory margin period of risk (MPOR) as a useful tool, they do not see it as sufficient to account for all such costs and expect banks to develop complementary measures. These should take into account the impact of a netting set wind-down on hedging positions with other counterparties and reflect potential additional market risk losses from any unmatched hedging positions. This is particularly relevant for less liquid collateral or hard-to-replace transactions.

Challenges and leading practice

One of the challenges for banks is developing tools for measuring CCR which capture and combine all elements of the risk, including credit and market risk, at the portfolio, counterparty, and individual risk factor level. Use of Monte Carlo Simulation models to determine counterparty exposure profiles is computationally intensive and often requires the use of simplifying assumptions for modelling the underlying risk factors. Breaking down portfolio or netting set level metrics to individual trade level for more granular analysis can also require the use of approximations.

Another challenge is to consider risk appetite comprehensively for CCR at counterparty and portfolio level. The ECB found that the level of detail for risk appetite policies varies between banks. Some banks explicitly mention CCR in their risk appetite statement (RAS) but only a few banks set global limits for CCR, general wrong way risk (GWWR) or specific wrong way risk (SWWR). CCR is often embedded within the risk appetite and metrics for credit risk, which may not fully capture all the CCR specific risks.

GWWR can be particularly challenging to identify and quantify, especially if it arises only in certain tail market scenarios. Banks may need to invest in high-quality scenario analysis of credible severity to model it accurately. Sound assessment of SWWR will likely require well-resourced and experienced teams across both 1LoD and 2LoD making the correct assessments on a case-by-case basis using their knowledge of the counterparty and its business model gained through the onboarding process and ongoing due diligence. Such practices need to be well-defined and documented with the responsibilities across 1LoDs and 2LoDs clearly delineated.

Exposure metrics, such as potential future exposure (PFE), should be complemented with additional metrics calibrated to periods of stress to capture residual and tail risks better. This is particularly relevant in the case of overcollateralised portfolios with highly leveraged counterparties, where the PFE and regulatory exposure may point to low or non-existent exposure, but where residual risk may be significant. Stress testing and scenario analysis (see section 4) can provide important complementary insights into the risk profiles of specific counterparties and can help identify GWWR.

In addition, the ECB has also noted4  that banks using the internal model method (IMM) for calculating the CCR need to consider if their models are sufficient to cover all aspects of CCR risk. The ECB expects banks to apply a “risk not in effective expected positive exposure” (RNIEPE) add-on for the risks that are not adequately captured as part of IMM exposure value.

Banks should set the risk appetite for CCR distinctly in policies and RAS, differentiating by exposure and counterparty type, client rating and potentially other terms of business. Risk management frameworks need to be dynamic and able to absorb non-standard inputs, such as the outcome of a non-financial risk assessment.

4. Stress testing

Supervisory expectations

  • Incorporate new and broader stresses into CCR stress testing framework.

The CRR requires banks to incorporate CCR into their stress testing frameworks. However, supervisors do not consider these practices to be sufficiently developed, especially with regards to exposures to high-risk counterparties vulnerable to tail risk events and potential close-out risk.

Supervisors expect banks to incorporate new and broader stresses into their CCR stress testing framework. These stress scenarios should leverage lessons learned from various market events and a better understanding of client profiles, including their vulnerability to market shocks via WWR, leverage and maturity mismatches, and their potential exposure to tail events. Risk managers should challenge themselves to consider risks that were previously deemed improbable including hypothetical geopolitical and natural disaster scenarios and apply market shocks simultaneously to trades and collateral. Stress tests should be granular enough to capture exposure to material risk factors and idiosyncratic risk.

  • Ensure decisions take account of the outcomes of stress testing.

Supervisors also focus on the prominence of stress testing for risk management processes and decision making. The ECB found that a few banks do assess stress testing results, but none use this information as a mandatory call for action. Supervisors expect banks to integrate stress test results fully into their risk management processes and use them when setting business terms and margin requirements. This is especially relevant for exposures to NBFIs for which “stress testing may be the only systemic approach to identify and quantify main portfolio vulnerabilities”5.

Challenges and leading practice

The ECB highlighted establishing a comprehensive stress testing programme for CCR as one of the key challenges for banks. Although the majority of banks conduct regular stress testing at a portfolio and counterparty level, only half of the reviewed banks regularly use risk factor-specific stress tests to identify vulnerabilities in their CCR portfolio.

Performing regular stress tests at different levels of aggregation (portfolio, counterparty, risk factor) requires high quality data and systems infrastructure to provide timely and actionable insights into counterparties’ risk profiles. In the case of NBFI counterparties, there may be a lack of historical loss data, as trading with these counterparties may be relatively recent. A clear and documented stress testing framework should be implemented consistently across business lines and the frequency of stress testing should be continually revised to reflect material changes in the risk environment.

Leading practice includes performing a number of separate CCR stress tests at different frequencies (daily, monthly, quarterly, annually) and with different stress scenarios and shocks. In the absence of historical data on periods of stress and losses, banks should determine forward-looking hypothetical stress scenarios. Some banks use daily stress testing to set CCR limits for 1LoD trading desks at an individual counterparty level. The nature of each stress test should complement the others, and the assumptions and limitations of each stress test should be clearly communicated to senior management.

5. Data and reporting

Supervisory expectations

  • Ensure a holistic approach to CCR reporting.

CCR reporting is subject to general risk reporting and risk data aggregation standards, first outlined in the BCBS principles for effective risk data aggregation and risk reporting (BCBS 239) and therefore should be timely, accurate and of sufficient specificity. The BCBS draft guidelines are clear that banks should avoid a fragmented reporting environment for CCR.

The PRA expects banks to flag all relevant transactions and exposure data systematically, together with the respective collateral pledges, enabling risk managers to identify and consolidate relevant CCR information. The resulting CCR MI should provide a holistic view of CCR exposure, recognising and measuring the presence of overlapping credit exposures, collateral pledges, and financial claims where the performance and recovery values are interlinked. Supervisors encourage additional focus on potentially concentrated positions and illiquid collateral.

Challenges and leading practice

Building comprehensive data capabilities, overarching exposure measures, and reporting to senior management are particularly challenging if information is not easily transferable between different systems in various business lines and legal entities. In many cases banks are using bespoke technology and systems for particular business units or activities with no alignment of data formats and metrics across the group as a whole, resulting in a fractured CCR data landscape.

Banks should have capabilities to aggregate and measure risk exposure seamlessly across products, businesses, legal entities, geographies and risk factors to ensure effective monitoring of concentrations at counterparty and portfolio level. It is important that data related controls, including over the data feed process, are integrated into CCR governance and control frameworks rather than being managed in silos by operational teams. A central data warehouse with common data formats and definitions can facilitate the aggregation of the data and the calculations required for the different CCR metrics.


Policymakers are busy developing a globally consistent approach which will consider both the idiosyncratic and systemic risks potentially posed by NBFIs. However, until this work is complete and new rules are adopted consistently by key supervisors around the world, banks should expect increased supervisory scrutiny of their risk management frameworks, particularly for more leveraged NBFI counterparties. Banks can prepare by overhauling their CCR frameworks to improve counterparty due-diligence, governance and risk management, risk measurement and risk appetite, stress testing, data aggregation and reporting to address increasing supervisory expectations.

As the growth of financial assets outside of the banking system continues, so do banks’ exposures to a wide variety of complex, interconnected counterparties. Banks must respond to this by investing in additional risk management resources and infrastructure and by evolving with the changing market environment to promote safe, sound, and sustainable outcomes.

As we saw with collapse of Archegos, the downsides to getting CCR wrong can verge of the catastrophic. However, getting it right has significant upsides. A bank with sound risk management, a detailed understanding of its counterparties and their risk profiles and a clear sense of its own capabilities will service its clients better.

Non-bank financial intermediaries as providers of funding to euro area banks (

Prime brokerage: the multi-billion dollar cash cow redefining banks’ trading divisions | IFR (

ECB updates Guide to internal models (