European Union: The Draft ECB-SSM Supervisory Guide To "On-Site Inspections And Internal Model Investigations": Where Are We Now?

Quick Take – clearer expectations despite Guide being still in draft

The nature of what and how supervisory inspections and investigations can be conducted are quite fundamental to supervisory engagement across the Eurozone's Banking Union but also, for globally active Banking Union Supervised Institutions (BUSIs) in terms of other jurisdictions and when and what can in terms of information and supervisory activity be shared across geographical locations. This Client Alert addresses some of the issues arising from these pending rules including how supervisory investigations and thematic reviews are to be conducted in respect of BUSIs' activity within the ECB-SSM's prudential regulatory mandate as well as how these rules co-exist with approaches taken by national competent authorities (NCAs) across as well as outside the Banking Union in respect of conduct of business supervisory mandates.

One year on and still in draft

During the summer of 2017 the European Central Bank (ECB) acting in its role within the Single Supervisory Mechanism (SSM) of the Banking Union published a consultation on its draft "Guide to on-site inspections and internal model investigations" (the OSIIM Guide)¹. One year on, the OSIIM Guide remains, at the time of writing in draft, despite the fact that the topics it addresses, still in draft. In summary, on-site inspections (OSIs) and internal model investigations (IMIs), termed in the OSIIM Guide jointly as "inspections" are key supervisory tools of the SSM.

These SSM tools are further complemented by the powers of NCAs in the EU-27 and other competent powers of the European System of Financial Supervision (ESFS). At present the SSM conducts about 300 inspections a year for the ca. 125 credit institutions it directly supervises. Going forward, the level and frequency of inspections are likely to increase, as the SSM's "targeted review of internal models" (TRIM) is considered to be the latest of series of multi-year supervisory projects and consequently the ECB-SSM has increased its set of IMI powers and dedicated resources on the matter.

The OSIIM Guide consultation period, which ran July 27 to September 15, 2017 was regarded as quite a compact timeline given the book of work of most relevant stakeholders as well as the fact that this is an "open consultation", i.e., interested parties could comment on the whole breadth of the document. The OSIIM Guide is also accompanied by a FAQ² explaining the policy rationale and the context for a number of the provisions, but to date, neither the final version is yet to materialize nor has there been any announcement of another round of consultations given the scope and impact of the policy proposals. That being said, the ECB-SSM is already applying some of the concepts of the OSIIM Guide not only on TRIM but also on other supervisory touchpoints.

This marks an emerging practice by the Banking Union super-supervisor in applying draft rules as part of its engagement and/or "supervisory dialogue" thereby pushing the regulatory/supervisory perimeter further and doing so faster. For those firms relocating to the Banking Union, due to Brexit or otherwise and irrespective of whether they themselves are or will form part of a BUSI's group or themselves be a BUSI, the OSIIM's Guides provisions may sharpen the supervisory tone of engagement beyond what some firms may be used to. In addition, the ECB-SSM is increasingly tacking its thematic investigations and inspection workstreams in a more coordinated fashion with its international peers. That means that a development in the United States can cascade into action and application of the OSIIM Guide in respect of EU activity in a much more profound fashion than has previously been the case.

This Client Alert assesses the contents of the still in draft, but applied in practice, OSIIM Guide, how this development fits into wider EU and Eurozone specific workstreams and how, when compared to other SSM Guides 'qua rulebooks', this might affect BUSIs to whom the OSIIM Guide's provisions are addressed. Further coverage on this important development will follow once the final version of the OSIIM Guide is available. At present, the OSIIM Guide is available in fourteen languages, but notably during a portion of the consultation period it was only available in English.

Unlike other SSM Guides, this Guide's overriding purpose is stated clearly in that:

"...the objective of the Guide is to provide a useful reference document for the supervised entities and other legal entities for which the ECB has decided to launch on-site inspection, as well as for the work of the on-site inspection team."

The scope of the OSIIM Guide applies to a range of entities and thus the OSIIM Guide should be seen as a dynamic tool that will evolve over time. Equally, as with other SSM rules, the contents of the OSIIM Guide may, over time, be rolled-out to a wider breadth of BUSIs or mirrored by other NCAs outside the Banking Union. Despite its "draft" status, the guide is of relevance to and indirectly applied during any OSI to-date and thus BUSIs need to be mindful of the OSIIM Guide when engaging with the investigation teams. Despite being framed as a "Guide" much of the concepts are drafted akin to and thus should be interpreted as being equivalent to rules if not quite firm supervisory principles and expectations.

Scope of application of the OSIIM Guide

The OSIIM Guide is drafted as applying to all BUSIs, regardless of whether they are categorized as significant credit institutions (SCIs) for Banking Union purposes, and thus subject to direct supervision by the ECB component of the SSM, or those BUSIs that are categorized as less significant institutions (LSIs) and thus subject to indirect ECB-led supervision and direct NCA-led supervision. That being said, the OSIIM Guide however aims to go beyond the jurisdictional scope of the Eurozone and its Banking Union's SSM. It also states that the OSIIM Guide applies:

"...to other legal entities which are within the scope of inspections because they have a business relationship with the supervised entity."

The OSIIM Guide introduced the term "inspected legal entities" (ILEs) which encompasses the body of SCIs, LSIs and "other legal entities", which could include non-BUSI entities. In terms of geographical and extraterritorial reach, the OSIIM Guide clearly applies to situations where the SSM's ECB component operates. This includes non-Banking Union states (supported by the NCAs) and in third-countries. Consequently, once the UK becomes, from an EU perspective, a third-country, the OSIIM Guide would apply in respect of ILEs located in the UK.

Notwithstanding the above, the scope and application of the OSIIM Guide to the LSIs creates certain legal and supervisory uncertainty. As the FAQ currently states, the OSIIM Guide will only apply to LSIs where the ECB decides to make use of its powers to directly supervise the relevant LSI. Even if this is to be the case, it is quite conceivable that the OSIIM Guide will be followed by relevant NCAs in the Banking Union in relation to inspections of LSIs, as the general practice amongst the various NCAs is to align and apply the ECB guidelines and standards (incl. those still and draft and/or marked as non-binding) as far as possible when exercising their own powers.

Structure and contents of the OSIIM Guide

The OSIIM Guide is composed of three sections detailing 1: a General Framework; 2: the Inspection Process; and 3: applicable Principles for Inspections. The third section is where perhaps the majority of comments were expected to be directed towards during the consultation process, but in practice, Section 1 has also sparked some debate. The legal basis for the aforementioned sections are laid out in the founding legislation of the SSM and the CRR/CRD IV regime, along with the provisions of the SSM's internal non-public Supervisory Manual detailing processes and apportionment of responsibilities within the SSM and the interactions between centralized functions within the ECB and the individual NCAs.

Section 1 of the OSIIM Guide recaps the tasks of individual decision makers by walking through the roles of the Supervisory Board, the roles of the Joint Supervisory Teams (JSTs), the role of the JST Coordinator (JSTC), the Head of Mission (HoM) and the approach to finalizing supervisory examination programmes (SEP) as well as conducting OSIs and IMIs, in a manner that conforms with the supervisory objectives.

These supervisory objectives stipulate that inspections are conducted on a risk-based, proportional, intrusive, forward-looking and action-orientated manner. To ensure these supervisory objectives are met, the HoM and the inspection team operate independently of but in coordination with the relevant JST. Furthermore, the final report(s) as well as stipulated supervisory expectations will feed into the JST wider supervisory work (i.e. the inspection teams have the capacity to impact directly the work and JST supervisory outlook for a given entity).

Consequently, one of the key takeaways for BUSIs and ILEs alike, in relation to the final version of the OSIIM Guide, is that the composition of inspection teams and JSTs will matter. The composition of such teams will dictate the supervisory experience of BUSIs. Whilst the SSM, in its four years of operations, has made headway at a rapid pace, there are, as some BUSIs have commented, divergences in the experience and resourcing of certain JSTs and inspection teams. Some of these constraints are often related to language or technical experience of inspectors. This is not addressed in the OSIIM Guide and ideally merits redress to ensure resource constraints are alleviated.

What seems to be addressed by the OSIIM Guide, however, is the mitigation of any resource constrains. As outlined in the FAQ the inspection teams can be comprised of ECB inspectors, supervisors employed by NCAs, JST members and external consultants. Despite being still in draft form, the OSIIM Guide approach to inspection team composition is already applied today, raising some concerns across the various ILEs. Namely, some financial institutions are concerned that the use of external consultants may affect their remediation efforts in light of the SSM expectations, as well as other workstreams in the wider Banking Union sense. This concern stems from the fact that certain inspection teams include at times members of external consultants that also act on behalf of that said financial institution. These third-parties have, as well as the ILEs, are subject to conflicts of interests management obligations, however, it remains yet unclear whether ILEs may wish to challenge such investigation team's composition or in the alternative, make better use of specialist legal counsel who not only bring the benefit of privilege, but more stringent rules on conflicts of interest management and client care.

Similarly, whilst JSTs and inspection teams are tasked with coordinating with Banking Union NCAs, along with other supervisory authorities within the ESFS, there is a growing consensus amongst BUSIs that greater coordination within the teams as well as across the authorities would be appreciated. This would avoid duplication and allow for a more efficient and balanced supervisory engagement process, especially across "business as usual" compliance workstreams. Furthermore, a number of BUSIs have experienced difficulties with progressing certain "change" initiatives and/or remediation activities as the information-flow across the larger JST teams and across authorities is not always timely/transparent. This is especially desirable where the NCAs in the Banking Union are separated from their conduct of business supervisory counterparts at the national level. There are a number of Banking Union supervisory priorities that require a high-degree of conduct of business input so coordination amongst supervisors is important during any SSM or national-led inspection process.

Section 2 of the OSIIM Guide sets out the individual main steps in the inspection process: These are set out in further detail in the Annex to this Client Alert. These steps include:

1. Notification of an inspection to the ILE;
2. First request for information;
3. Kick-off Meeting;
4. On-site fieldwork phase;
5. Exit meeting based on a draft report which has been shared with the relevant NCAs and ECB-SSM DG MS IV (on-site inspections) prior to being sent by the HoM with a standardised feedback template to the ILE prior to the exit meeting where the ILE has a possibility to comment on the draft report;
6. Publication of final report within two weeks of the exit meeting, the HoM, taking on board any relevant written comments (if any) following the feedback (if any) at the exit meeting finalises the draft report and sends the ILE, and possibly the parent entity, if within a supervised group of BUSIs, the final report plus a letter of action/supervisory communications;
7. Closing Meeting; and
8. ILE's provision of its draft action plan followed by a final action plan and a follow-up from the inspection team of the ILE's final action plan.

Anyone reading the OSIIM Guide and the various steps might be forgiven to assume that the OSI and IMI provisions are always comparably slower than processes of NCAs and other national authorities in the ESFS potentially being able to act faster and earlier. That being said, the SSM does have the organizational power to accelerate the individual steps in a concurrent manner and thus react when it needs to in a more rapid fashion whilst still sequentially going through the process. And this is a risk that ILEs may want to note when amending internal policies to reflect how the OSIIM Guide may impact their business operations and when to engage support from external counsel³ in relation to scheduled inspections, thematic reviews or so-called "deep dives" or "dawn raids".

More importantly and pressingly, ILEs need to further revisit their internal governance, in order to ensure that their action plans are prepared, presented and executed in a timely manner, where external counsel/support might need to be engaged at an earlier stage given the tight timelines for response. In addition, ILEs need to be mindful when designing their internal processes in relation to inspections and other supervisory reviews management, to ensure the right degree of flexibility and engagement of internal stakeholders and external counsel, in light of the deferring practices and timelines for FED, BaFin, PRA/FCA, independent reviews, etc.⁴

Section 2 of the OSIIM Guide specifically sets out, what it terms "...a wide variety of inspection techniques..." these include any of the individual or a combination of the following techniques:

• Observation, information verification and analysis: With an aim to check and evaluate the information provided by the ILE and to observe the relevant processes;
• Targeted interviews: By meeting with relevant staff at the ILE, the inspection team collects information about inspected areas and compares the documented processes and organizational structures with the practices of the ILE, which the inspection team may challenge the interviewees. "Significant interviews" with ILEs must be conducted by at least two inspectors;
• Walk-throughs: Hereby the inspection team meets with relevant staff and ensures that the process that the ILE reports is actually embedded and applied in practice. The process aims to also evaluate consistency of provisions and locating gaps and weaknesses;
• Sampling/case by case examinations: Hereby the inspection team takes targeted or random samples of data or datasets so as to validate the results and also to gauge the level of problems in certain areas or across the business including the quality of the ILE's risk management and efficacy of other governance and control functions (the latter are implied if not explicitly mentioned).The inspection team will share the methods of data extrapolation with the ILE;
• Confirmation of data: This involves the checking of integrity, accuracy and consistency of the ILE's data by various recalculation and benchmarking means; and:
• Model testing: This involves the ILE testing performance of its models and their output using scenario analysis with various hypothetical and historical market conditions dictated by the SSM.

Communicating the findings of an inspection and setting the remedial action plan

Following the conclusion of an inspection, the SSM will provide the ILE with a final report and also prepare the draft "recommendation". The draft recommendation is a supervisory communication that sets out the remedial actions applicable to the ILE. These supervisory communications can take two forms, namely:

1. A letter communicating supervisory expectations (Supervisory Expectations Letter or SEL) which is an SSM operational act and is thus not legally binding (but persuasive) and thus does not require a supervisory Decision, i.e., an ECB legal instrument approved by the Supervisory Board. In the event of a SEL being issued, the current draft of the OSIIM Guide states that the ILE recipient of such a SEL does not receive a formal right to be heard to appeal against the SSM's recommendations; or
2. A formal supervisory Decision which sets out legally binding supervisory measures addressed to the ILE. The ILE has a right to be heard in respect of a Decision.

The SSM in sending its supervisory communication, in particular in the case of a Decision, may exercise other supervisory powers, notably by imposing upon the ILE:

A.Conditions precedent: These suspend the legal effectiveness of the SSM's authorization or which change or extent an internal model until the ILE has taken specific remedial action to comply with its obligations;
B.Limitations: These restrict, prohibit or modify the use of a model and which may include a change to how an ILE calculates its own funds requirements, which would cause it to need to immediately raise regulatory capital;
C.Obligations: These introduce remedial actions on the ILE in order to restore compliance with its obligations; and
D. Recommendations: These set remedial actions upon the ILE and which whilst not legally binding, are sufficiently persuasive for an ILE to comply with the recommendation.

Given the variety of tools that are used by the SSM in its supervisory communications, a number of BUSIs have experienced some difficulties as to how to manage internally their deliverables towards the supervisors, as the granularity of and differentiation between these tools is not always fit for purpose in the context of BUSIs complexity and size. Further complexity is added to this matter, by any language barriers within the inspection teams as well as between the SSM and the BUSIs/other ESFS stakeholders, resulting in sometimes inconsistent use of terminology, or interpretation of it. Against this background, further clarification and harmonization in the use of and meaning behind the various supervisory tools used in the supervisory communications of all ESFS stakeholders is desired.

Section 3 of the OSIIM Guide: Applicable principles for inspections

Section 3 of the OSIIM Guide is arguably the most important for BUSIs during the consultation process. This section sets the tone of how the SSM inspection teams, the HoM and JSTC will discharge their supervisory mandate. It also sets the supervisory expectations applicable to the ILEs, i.e., what the SSM expects of those ILEs before, during and after an inspection.

Section 3 also details how the SSM sees its own rights vis-à-vis ILEs and equally ILEs' rights vis-à-vis the SSM. Needless to say, even after a final version is agreed upon, there are likely to be some differing views, some of which may end within the ECB-SSM's Administrative Board of Review and/or the Court of Justice of the European Union (CJEU).

Some of the ECB-SSM's powers and principles should be familiar to many BUSIs and ILEs and exist in more prescriptive detail in certain jurisdictions yet some are amended specifically for the SSM. Some BUSIs, however, may find the ILE-SSM interaction model completely different, requiring significant adjustments in their supervisory dialogue practices. Notably the OSIIM Guide addresses the following:

• ILEs and ECB-SSM are reminded of the supervisory principle that they should work together to ensure the proper conduct and efficiency of the inspection. ILE's are reminded that their internal rules and policies should not be misused to interfere with this goal. What is not mentioned, are the legitimate expectations of ILEs, as the supervised, that the inspectors and relevant teams are sufficiently resourced and skilled. Given the range of supervisory fees that BUSIs are burdened with beyond the SSM fees, the lack of interoperation and coordination within the SSM or with other ESFS stakeholders can detract from what should ideally be approached with efficiency in mind;
• ILEs are reminded that inspection teams may, within the scope of the inspection, conduct all necessary investigations of any persons and thus request any information, explanation or justification and thus be able to obtain and check every document it requires of whatsoever nature and to take copies and extracts. What this principle however fails to mention are the applicable rules and principles of legal privilege that may operate even when dealing with a supervisory authority. The OSIIM Guide remains also silent on the issue of internal processes and timeliness in terms of providing information, however, most of the inspection teams try to be mindful of ILE's complexity when requesting information. It goes without saying that any unreasonable delays or failure to provide timely data/information would be addressed by the OSI report;
• ILEs are reminded that an inspection team has the right to interview any person, regardless of their seniority, and may request the cooperation of qualified staff of the ILE. What this principle does not adequately acknowledge are those person's rights to be accompanied or represented by inter alia legal counsel in such circumstances;
• SSM inspection teams are reminded to act in an ethical and professional manner, in accordance with applicable laws, regulations and professional procedures and to observe professional secrecy. What this principle passes by are instances where a number of qualified experts from relevant BUSIs may, in the quest of talent, join the SSM, or where certain JSTs may have an overconcentration of national bias. Moreover, as the number of JST staff and inspections increase, the principles in the OSIIM Guide and the SSM's internal Supervisory Manual might need a practical check of JST staff members writing up their findings on their draft reports or final reports or simply meeting notes on public transportation, whether en route to a relevant meeting or for those outside of Frankfurt, commuting back to their "home" Member States. This is particularly important as the OSIIM Guide specifically reminds SSM inspection teams that they must comply with an ILE's internal rules on data protection, information systems and physical access to premises etc.;
• The principles in Section 3 also touch upon the rights of which language to be used during an inspection. Language matters for a number of reasons but notably that linguistic abilities can differ both within the SSM staff but equally in terms of the ILE's abilities. Any resulting disconnect can lead to a number of unintended supervisory outcomes occurring as has already been the case in respect of certain BUSIs;
• Section 3 rather directly states: "Inspected legal entitles are expressly asked whether they agree to use English when communicating with the inspection team and the JSTs, as a matter of efficiency." This aims to help the ECB-SSM more so than the ILE per se, however like any BUSIs who might be familiar with the practical difficulties in dealing in say Irish with the Central Bank of Ireland or Welsh with the former Financial Services Authority of the United Kingdom, English is expedient to the extent that both sides can easily communicate in it as well as have the multilingual resources, including resorting to their external counsel, to facilitate an efficient exchange of information and advice in the relevant languages and/or an English language version if needed. Communications and the inspection reports (draft and final) are drafted in English and may be accompanied by an official translation; and
• Moreover, language also matters given that both ILE and SSM staff may involve a number of non-native English speakers and thus even if English is the common working language used during an inspection, both sides have an interest in ensuring that each understands fully the context of concepts and expressions as they are used. Again, there are some instances of supervisory communications and conditions being "lost in translation" and these having led to adverse delays in supervisory outcomes.

As a practical tip, having multilingual external counsel being able to facilitate translation and/or sense check the differences between the English and local language version of supervisory communications from the SSM as well as the ECB-SSM's own use of certain concepts can help manage the multilingual process more cost efficiently.

Outlook and some next steps for BUSIs

The SSM and its various supervisory guides, even if termed non-legally binding, nevertheless could not be clearer in their contents and scope of application. In each instance, and here in the OSIIM Guide, the contents have persuasive obligations and communicate supervisory expectations so that these are qua rulebooks that set the supervisory tone.

This means that the OSIIM Guide builds a whole Chapter in how the Single Rulebook for financial services is applied within the Banking Union. This is welcome yet also potentially beneficial for BUSIs and a range of other entities that fall within the initial category of ILEs, or financial services firms more generally as the scope of the OSIIM Guide might be mirrored by other NCAs or rolled-out by the SSM to a wider scope of persons. In any event, the advent of the OSIIM Guide lays a clearer roadmap as:

1. JST compositions begin the rotation phase with members of the JSTs changing to new teams;
2. The area of thematic reviews and TRIM led OSIs and IMIs increases as this remains a supervisory priority for 2018 and beyond; and
3. The area of thematic and ad-hoc supervisory inspections, including to non-BUSI third country entities (hence the expansion of the scope of the OSIIM Guide by reference to ILE) increases as a result of BREXIT and other relocations to the EU-27 and Eurozone-19 and its Banking Union.

If you would like to receive more analysis from our wider Eurozone Group or in relation to the topics discussed above, including specifically what the OSIIM Guide might mean for future supervisory engagement and regulatory risk or how to take action, then please do get in touch with our Eurozone Hub Contacts listed to the right.

Annex - the SSM's OSI Process and its impact on Inspected Legal Entities (ILEs)

The below is indicative as both the ECB-SSM and the ILE may agree on frequency and timelines depending on the relevant deliverable, complexity

How our Eurozone Hub and the wider Eurozone Group can help with inspections affecting ILEs:

Our multi-disciplinary, multi-lingual and multi-jurisdictional qualified lawyers in our dedicated Eurozone Hub and the wider Eurozone Group regularly support firms in:

1. Testing readiness and resilience to inspections;
2. Scenario planning how supervisory priorities, thematic reviews and SREP issues may impact inspections;
3. Reviewing and improving scope of policies and processes and how these are embedded on an enterprise-wide basis;
4. Assisting with legal and regulatory due diligence;
5. Preparing and defending files;
6. Providing project management, data protection and IT solutions including process management and supervisory engagement support;
7. Assisting with implementation of supervisory remedial action plans; and
8. Providing support in any appeals process.

Footnotes

Footnotes

1. See the following landing page: https://www.bankingsupervision.europa.eu/legalframework/publiccons/html/osi.en.html and the following link for the draft OSIIM Guide:

2. See: https://www.bankingsupervision.europa.eu/legalframework/publiccons/pdf/osi/ssm.osiqa.en.pdf

3. What is interesting to note is that the OSIIM Guide makes no mention of an ILE's right, whether at the EU level and/or within individual national law and regulatory frameworks, to be represented or have counsel present in proceedings nor any reference to various rights to assert legal privilege.

4. For more information on the various timelines and practices, please contact Denton's Eurozone Hub who maintain a global special investigations working group comprised of contentious and non-contentious regulatory experts as well as litigators to provide immediate assistance in relation to supervisory action as well as "defending and/or explaining" BUSIs' files.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.