ECB 2022 annual report on banking supervision - key topics and implications for banks

Published Date
Jun 22, 2023
Related people
The ECB published its 2022 annual report on banking supervision (Annual Report) on 21 March 2023, highlighting the main supervisory activities in the past year. The Annual Report also outlines the supervisory priorities for 2023-2025, which aim to ensure that banks are resilient, well governed, and prepared for emerging risks. In this blog post, we summarise the key topics and implications for banks, including on leveraged lending, IT and cyber risk, and climate risk. All of these themes will continue to be important during 2023 and beyond.

Changing supervisory priorities in 2022

In 2022, the ECB adapted its supervision to the changing economic environment and the impact of the Covid-19 pandemic. The ECB focused on three main areas as set out in the ECB’s medium term supervisory priorities 2022-2024

  1. Ensuring that banks emerge healthily from the pandemic
  2. Addressing banks’ structural weaknesses in digitalisation strategies and governance
  3. Assessing other emerging risks, including climate-related and environmental risks (C&E risks), exposures to counterparty credit risk, IT outsourcing and cyber risks

However, as the year progressed, the ECB shifted its focus towards tackling the risks stemming from the effects of the war in Ukraine and high inflation, which posed more imminent threats than the pandemic.

Supervisory priorities for 2023-2025

For 2023-2025, the ECB has re-focused its medium-term priorities to take into account the changed macro-economic outlook. The ECB expects banks to:

  1. Strengthen their resilience to the immediate consequences of macro-financial and geopolitical shock 
  2. Address digitalisation challenges and cyber risks more strategically
  3. Strengthen their management bodies’ steering capabilities
  4. Step up their efforts in addressing climate change by incorporating the significant physical and transactional risks into their strategies

For more detail on the 2023-25 ECB supervisory priorities, read our dedicated blog post here

Leveraged lending under scrutiny 

One of the areas where the ECB increased its supervisory scrutiny in 2022 was leveraged lending. The ECB had long been concerned about banks’ risk management in this area and issued guidance on leveraged transactions in 2017.

In March 2022, the ECB sent a “Dear CEO” letter to banks, clarifying its expectations and warning of possible supervisory actions if deficiencies persist. The ECB followed up on this letter by conducting on-site inspections and applying capital charges to several banks whose risk-taking it deemed excessive. The ECB announced it would continue to apply such charges through the SREP 2023 if necessary.

Banks should therefore review their leveraged lending policies and practices and ensure they comply with the ECB’s guidance and expectations. Banks should also be prepared for further supervisory scrutiny and possible measures in this area. Read more on the ECB’s stance on leveraged transaction in our blog post here.  

IT and cyber risks

Another area where the ECB identified significant deficiencies in 2022 was IT and cyber risk, which refers to the risk of disruption, loss, or damage to information systems or data due to malicious or accidental events. The ECB conducted a number of on-site inspections and revealed weaknesses in basic cybersecurity.

Additionally, the ECB analysed banks’ outsourcing registers and found that many banks rely on external ICT providers for critical functions, such as cloud computing, data processing, or payment services. The ECB emphasised the importance of effective oversight and risk management of outsourcing arrangements, especially in light of the increasing cyber threats and regulatory requirements.

The ECB highlighted IT and cyber risk as one of its key priorities for 2023-2025 and urged banks to address the gaps and shortcomings in this area. The ECB also reminded banks of the upcoming application of the Digital Operational Resilience Act (DORA), which will introduce new rules and standards for digital operational resilience in the financial sector.

Climate and environmental risks 

The ECB was very active concerning C&E risk in 2022 and conducted a thematic review and climate stress test. The results of these suggest that most banks still fall far short of ECB supervisory expectations. 

In March 2022, ECB published an assessment of banks’ progress on C&E risk disclosures, again concluding that – while progress had been made – banks did not fully meet supervisory expectations. The ECB conducted a third assessment of banks’ C&E disclosures and published the report in April 2023.

The ECB has sent individual feedback letters to institutions, setting out the individual deficiencies and setting deadlines to meet supervisory expectations by the end of 2024. The ECB made clear it may take enforcement actions if the deadline is not met.

Climate risk already featured heavily in the 2022 SREP cycle. The ECB took a number of measures, which for a few institutions negatively impacted Pillar 2 requirements. The ECB will continue to increase the supervisory pressure on banks to address C&E risks in 2023-2025.

Banks should therefore take urgent action to integrate C&E risks into their strategies, risk management, and disclosuresnto align with supervisory expectations.

Brexit banks to face further scrutiny

Another continuum of 2021 is the ECB’s scrutiny of Brexit banks and their integration into European banking supervision. The first phase of the so-called desk mapping review of seven banks and affiliated investment firms, concluded in 2022. The ECB found that banks did not fully meet supervisory expectations. The ECB is issuing binding decisions that may require Brexit banks to appoint more senior staff located in the EU, establish solid governance and internal control frameworks for remote booking practices, or limit reliance on intragroup hedging.

It is not over for Brexit banks, as the ECB’s investigations of credit-shifting techniques, reliance on parent liquidity and funding, and internal model approval is ongoing.

ECB steps up anti-money laundering efforts

Despite not having direct competence for anti-money laundering/counter-terrorist financing (AML/CFT) supervision, the ECB enhanced its framework for reflecting ML/TF risk in its banking supervision in 2022. The ECB improved its information exchange with national AML supervisors, updated its SREP methodology to incorporate ML/TF risk, and revised its guide to fit and proper assessments to take a stricter stance on AML/CFT-related facts. The ECB also reassessed the suitability of four board members due to AML/CFT shortcomings in 2022.

Crypto business models key driver for licence applications

The number of licence applications to the ECB remained stable in 2022, with four investment firms obtaining credit institution licences under the new investment firm regime.

Digital innovation, especially crypto assets, was a key driver for licence applications, with most coming from Germany due to its specific national licensing requirements. The ECB seeks to harmonise its assessment of crypto-asset activities across the EU, which should become easier with the application of the markets in crypto-assets regulation (MiCAR) from 30 December 2024. MiCAR introduces a uniform licence regime for crypto-asset services in the EU.

Fit and proper procedures

The ECB processed a similar number of fit and proper procedures in 2022 as in 2021, with an average processing time of 102 days. The ECB expressed concerns about the appointee in almost one-third of notifications and imposed ancillary provisions to ensure their suitability.

The ECB changed its policy on ancillary provisions from 2023, making them more specific to the corrective needs identified, with clear deadlines and avoiding duplication of existing legislative requirements.


In 2022, the ECB processed ten sanction proceedings resulting in eight ECB decisions. It imposed six penalties amounting to over EUR 12 million


Further Reading 

The full Annual Report is available here.

Read more on the ECB's 2023-2025 supervisory priorities here


Content Disclaimer
This content was originally published by Allen & Overy before the A&O Shearman merger