On 23 November 2018, the European Central Bank (ECB) published a speech from its chair, Danièle Nouy (DN), entitled From a wish list to a to-do list: how supervisors can help banks prepare for crises.

In her speech DN states that “finishing the work on NPLs [non-performing loans] is at the top of our to-do list”. DN explains that whilst progress has been made with NPLs, there is still work to be done, as NPLs totalling around €650 billion gross are still sitting on banks’ balance sheets as of June 2018. Whilst this is a significant reduction from the end of 2014, it is still very high, particularly as a significant proportion of these NPLs are very old.

DN also discusses certain non-traditional risks for banks, including cyber risk. DN warns that banks need to enhance their resilience to cyberattacks, which are becoming more frequent and potentially more systemic. Over the past few years the ECB has seen many cyber incidents reported to banks by third parties on which they have relied for IT services. DN states that this should “be a strong warning that outsourcing and reliance on third parties should be closely monitored” and that “regulators and supervisors should clarify the rules and expectations”. On this latter point DN adds that “work is well under way on this front”, with the European Banking Authority already providing guidance on the expectations for cloud computing, which ECB supervisors are now implementing.

DN also states that banks need to ensure that their “three lines of defence” model is adapted to the digital world and that this might require some adjustment. As a first line of defence, banks must define additional controls to ensure that IT systems are constantly available and secure. Second, they need to define an IT risk strategy. And third, they need to incorporate digitalisation into their audit plans.