The MFSA announced its supervision priorities for 2021 earlier this month, building on several of the underlying themes outlined in its three-year strategic plan for 2019-2021, but also adding direct supervisory focus on monitoring the impact of COVID-19 on the financial services sector.
In essence, this means that while several key themes such as corporate governance, financial crime compliance and ICT risk and cybersecurity will continue to dominate the supervisory agenda, banks should also expect deeper assessments on specific areas of interest. These include banks’ analysis, quantification and management of credit risk, as well as the viability of their business models in the post-COVID economy.
Banking supervision priorities for 2021
The MFSA’s supervision priorities are divided into cross-sectoral and sector-specific priorities. Five targeted priorities have been identified for the banking sector:
Corporate governance will remain high on the agenda, with the MFSA seeking to add fresh impetus to suitability and board effectiveness assessments. It also aims to strengthen its communication and training with boards, especially non-executive directors, and review remuneration and succession planning arrangements.
Following up on on-site inspections conducted as part of the Supervisory Review and Evaluation Process (SREP), being European supervisors’ main methodology for banking supervision, and associated mitigation actions. The conclusion of these inspections will have allowed the MFSA to provide all banks with a SREP score for the first time ever. The MFSA will follow up on remediation and take enforcement action if necessary.
Post-COVID business model viability is a key cross-sectoral theme which also features as a sector-specific priority. The MFSA has stressed the importance of estimating increasing compliance costs within business plans and also seeks to lay the foundations for assessing the impact of climate change on business models.
Also linked to the fallout of COVID-19 is the growing focus on the analysis and quantification of credit risk, including the assessment of asset quality and banks’ preparedness for managing balance sheet and operational challenges arising from higher credit risk. The MFSA has already approached banks to conduct a thematic review on credit risk.
Following its efforts on consumer protection through product oversight and governance arrangements during 2019 and 2020, the MFSA’s conduct supervision function will shift its attention to the robustness of banks’ creditworthiness assessments when providing facilities, as well as launching new conduct of business rules for the banking sector.
These five sector-specific priorities build on several of the key themes promoted in recent years. Two other cross-sectoral priorities which remain very relevant to banks are the MFSA’s objective to continue strengthening its monitoring of financial crime compliance, as well as its intention to undertake thematic desk-based reviews on ICT risk and cybersecurity matters, including outsourcing to cloud service providers. The latter has added significance considering the publication of the MFSA Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements earlier this month.
Spotlight on risk and compliance functions
The MFSA’s supervision priorities continue to reinforce the effort it has undertaken to bolster its supervisory capacity, as evidenced in the development of several new functions in recent months, covering financial crime, conduct, ICT and cybersecurity, as well as the strengthening of the banking supervision function. This has led to a significant increase in supervisory inspections, with a fresh thematic review on credit risk management having been communicated to banks earlier this month.
The MFSA will undoubtedly seek to continue broadening and deepening the scope of its supervision over the coming year. This will place further strain on banks’ risk and compliance functions, particularly among smaller institutions that have traditionally combined the management of multiple functions including risk, compliance, the MLRO role and other legal responsibilities.
Apart from the challenges this creates on banks’ ability to meet their growing risk management and compliance responsibilities, an under-resourced second line of defence bears the risk of submitting diluted and oftentimes superficial reporting to boards and committees and, consequently, contributes to gaps in the understanding of board members of the full risk profile of their bank.
The MFSA’s expectation is that banks will significantly strengthen investment in risk and compliance infrastructures and resources to manage the growing suite of material risks they face, as well as the increase in supervisory reporting expectations. Apart from enhancing human resources, risk and compliance departments will need to leverage tools and software that harness data and support decision-making, while integrating previously siloed approaches to ensure better responsiveness and effectiveness.
David Herrera, Senior manager, Deloitte Malta