Our customers have probably noticed that nowadays, European bankers and financial experts are referring to many abbreviations: CRD6, CRR3, MiCA, PSD3, DORA Act, Climate Risk Guide, and AI Act, to name some of the more significant ones. These regulatory and legislative frameworks have already taken effect or are expected to do so soon: the clock is ticking towards implementation deadlines. I’d like to summarise what they entail, the reasons behind them, and my thoughts on their implications regarding challenges and opportunities in the EU banking system.
Historical Context of the Current Regulatory Landscape
It is helpful to look at the past to understand the times now. Let us recall the financial history of the past two decades, which partly spans my banking experience. The 2008 financial crisis, also known as the subprime mortgage crisis, had its roots in regulatory shortcomings of US safeguarding institutions, such as inadequate supervision of mortgage lending in a low-interest environment, allowing the proliferation of risky lending practices amidst low capital requirements and off-balance-sheet activities, a failure to identify and/or mitigate systemic risk, for instance from the ‘shadow banking system’ and credit default swaps, an instrument involving uncollateralised risk. Insufficient consumer protections and policies fuelling asset bubbles played their part. Still, the fragmentary nature of the federal frameworks made coordinating existing supervisory efforts in the US less effective, too. These factors all built up vulnerabilities that culminated in the 2008 financial crisis, which could be described as a perfect storm, starting with the collapse of Lehman Brothers in the United States and sending shock waves across the global economy, exposing systemic problems in the banking sector. It was time to build again, more robustly.
The immediate and long-lasting fiscal and monetary policy responses to 2008 were concerted on both sides of the pond, resulting in the period we have since referred to as ‘quantitative easing’. Another joint response of the US and the EU (with the UK) was to embark on implementing Basel III, the mother framework for many of the abbreviations listed in my introduction, overhauling financial regulations to centralise supervision in the EU and put more stringent controls in place that would stabilise its banking system, restore public confidence, and effectively prevent future crises.
This Keynesian approach was a common democratic reflex across the EU countries, although its top economies led it. Admittedly, there was tension between national and international priorities. However, the EU prioritised the long-term interests of its economic, social, and political union, which would be stronger, more competitive, and ‘democratically stable’ together. The move emphasised more coordinated oversight by transnational and national entities to mitigate systemic risks.
The EU banking landscape we operate in today directly results from such efforts to boost resilience against future shocks. Indeed, future shocks did come, first as the COVID-19 pandemic, then Russia’s invasion of Ukraine, the ensuing inflation, and most recently, the banking distress of March 2023. These shocks urged scrutiny and led to swift action in a renewed effort to complete Basel III.
Key Regulations and Their Objectives
- Basel III focuses on enhancing capital adequacy, stress testing, and market liquidity. It aims to improve banks’ ability to absorb shocks arising from financial and economic stress. As a result of Basel III, first agreed in September 2010 and finalised in 2017, banks have increased their Tier 1 capital ratio from an average of 7% in 2010 to over 12% in 2020.
- Capital Requirements Directive VI (CRD6) and Capital Requirements Regulation 3 (CRR3) are the latest EU legislation the European Parliament and European Council agreed upon in mid-2023 to finalise Basel III into EU Law. CRD6 was met with resistance mainly from non-EU banks and financial institutions, particularly in the UK and the US, about third-country branches. Complaints centred around market access, competitiveness, cost increases and market fragmentation. The national banking associations of Germany and France voiced concerns about the output floor, which would affect banks using internal risk models more, leading to their reduced lending capacity. Individual banks such as Deutsche Bank and BNP Paribas were critical of the implementation deadline. CRD6 could be finalised in December 2023; it is yet to officially enter into force 20 days after its publication in the Official Journal of the EU. Member states will be required to adopt and publish provisions transposing CRD6 within 18 months. Most provisions of CRD6 are expected to apply from November 2025 on, with specific ones related to cross-border services and new Third Country Branches (TCB) regimes taking effect in November 2026.
CRD6 introduces stricter capital requirements still, while CRR3 enhances risk reporting and management practices. There is a revised standardised approach for credit risk and a revised internal ratings-based (IRB) approach for credit risk. The operational risk framework is also revised. There is an output floor to limit the extent to which banks can benefit from internal model approaches relative to the standardised approaches. Evidently, it will reinforce risk management and ensure greater transparency in banking operations. CRD6/CRR3 are expected to further bolster capital reserves by an additional 1-2% of risk-weighted assets.
I’d like to briefly remind readers how the Capital Requirements Directives (CRDs) have evolved over time to incorporate successive Basel frameworks. CRD I was implemented in 2006 with the purpose of aligning EU banking regulation with the Basel II framework. CRD I focused on enhancing banks’ risk management practices, particularly in terms of credit risk, market risk, and operational risk. It introduced the three-pillar approach of Basel II: minimum capital requirements, supervisory review process, and market discipline. It brought about standardised, and Internal Ratings-Based (IRB) approaches to credit risk. Another highlight was capital requirements for operational risk. Empirical data indicates that CRD1 shielded European banks from 2008’s perfect storm thanks to higher capital adequacy regarding risk-weighted assets. The supervisory eye led to banks establishing robust risk models and laying their groundwork for stress testing, which later became crucial.
CRD II was launched in 2009 to address areas for improvement on CRD I in response to the 2008 financial crisis. It enhanced capital requirements for securitisation positions, improved risk management for large exposures and imposed higher standards for hybrid capital instruments. CRD III came into effect in 2010 to incorporate aspects of the Basel 2.5 framework, addressing issues such as market risk and securitisation. It increased capital requirements for trading book exposures, required higher capital charges for re-securitization exposures, and enhanced disclosure requirements for securitisation exposures.
The key change came with CRD IV in 2013, which aimed to implement the Basel III framework into EU law, significantly overhauling the regulatory landscape for banks. It brought about stricter capital requirements and a higher quality of capital, focusing on Common Equity Tier 1. It introduced the leverage ratio, Liquidity Coverage Ratio (LCR) and Net Stable Funding Ratio (NSFR). Additionally, there were the capital conservation buffer and the countercyclical buffer. CRD IV enhanced requirements for large exposures and counterparty credit risk. CRD V came in 2019 to address the remaining elements of the Basel III framework and further strengthen the banking sector’s resilience. Some of its features were a revised leverage ratio framework and the introduction of leverage ratio buffers for global systemically important institutions (G-SIIs). It started a binding Net Stable Funding Ratio (NSFR). It revised counterparty credit risk rules, enhancing banks’ governance and remuneration measures.
So, getting to this point was neither easy nor fast. The process has sometimes been referred to as a tortoise race. Data sourcing, changes to capital calculation processes, and operationalising the output floor remain important challenges of the new laws that EU banks must overcome soon. Even if the US delays the July 1, 2025, set date of Basel 3 implementation, EU and UK authorities signal that they will hold banks accountable for applying the new standards on day 1 in a sustainable manner without delay.
Bracing for Big Changes: New Tech Revolutions and The Climate Transition
I group together the following set of regulations that deal with new technology, new forms of money, and climate risk to highlight that it is not only key lessons learnt from the past that spur regulations today. It also braces for the EU’s future through man-made or natural forces of change whose risk cannot be accurately calculated yet. Still, it may ‘get out of hand’ individually or together, along with financial risks that might be expected of the market cycle, not forgetting the threat of further geopolitical strife at Europe’s door. I will not go into as much detail on them; however, let us overview the basics:
- AI Act: This law aims to regulate artificial intelligence by classifying AI systems based on risk levels (unacceptable, high, limited, minimal). It imposes strict requirements on high-risk AI systems to ensure safety, transparency, and accountability, promoting trustworthy AI development and deployment across the EU. It regulates the use of artificial intelligence in financial services to ensure ethical use and mitigate risks associated with AI technologies.
- Markets in Crypto-Assets Regulation (MiCA): It seeks to establish a regulatory framework for crypto-assets, ensuring investor protection and market integrity.
The European crypto market reached €1 trillion in 2023, highlighting the need for comprehensive regulation. Apart from AML (Anti Money Laundering) and KYC (know your customer) requirements, crypto markets remain unregulated in the USA and the UK. Crypto dealing is outright prohibited in China, leading to an unregulated market.
Different jurisdictions may take different regulatory stances on the financial impact of new tech advances; however, the global economy’s interconnectedness would make your area susceptible to policy failures elsewhere. Notably, the US is leading the race in AI tech, crypto markets and data. On the other hand, ‘the crypto winter’ of 2022, the recent demise of SVB (Silicon Valley Bank) and the big debate about ‘AI containment’ indicate that perhaps prudence is called for. I understand that Europe would like a fair chance of adapting to changes on its own terms before the global tech corporations get to dismantle its financial institutions in the blink of a decade.
- ECB’s Climate Risk Guide, EBA Draft Guidelines on the management of ESG Risks: For the second year in a row, the European Central Bank (ECB) has identified climate-related risks as a key risk driver in the SSM Risk Map for the Euro area banking system. The ECB Guide on climate-related and environmental risks of November 2020 posited that financial institutions must integrate climate-related risks into their risk management frameworks. This involves identifying, measuring, managing, and monitoring these risks across the short, medium, and long term. EBA issued its draft Guidelines on ESG Risks in January 2024, open to public consultation until April 18, 2024. The guidelines emphasise the importance of consistent and comparable metrics, such as the Green Asset Ratio (GAR), to facilitate market discipline and stakeholder assessment. Claudia Buch (Head of the Supervisory Board) of ECB stated in her March 2023 speech that they are assessing progress and would “use all measures in their supervisory toolkit to ensure the sound management of climate and environmental risks”.
The climate economy transition has taken a defined course with the European Green Deal following the Paris Climate Accord. It is an issue that needs detailed discussion in future posts. The EU is going ahead to reach the 2050 Climate Goals. In parallel, The Corporate Sustainability Reporting Directive (CSRD) aims to improve and expand the scope of sustainability reporting by requiring more comprehensive and comparable disclosures from companies on their environmental and social impacts, thereby increasing corporate transparency and accountability.
- Payment Services Directive (PSD3): I have discussed PSD3 in my previous blog post. Let me summarise here that PSD3 aims to foster innovation and competition in the payment services sector while enhancing security and consumer protections. EU payment transactions grew by 15% annually, reaching €200 billion in 2023.
- Digital Operational Resilience Act (DORA): I left DORA to last because the renewal of data infrastructure is mission-critical and interlaces everything above, from risk assessment to compliance. DORA focuses on strengthening financial entities’ digital operational resilience to withstand, respond to, and recover from Information and Communication Technology (ICT)- related disruptions. Cybersecurity spending by EU banks is projected to increase by 10% annually, reaching €55 billion by 2026.
Impact
On EU Banks:
The impact is mainly threefold: Capital, Strategy and Operation Changes.
- Capital Requirements: Increased capital holdings to cushion against potential losses.
- Operational Changes: Enhanced capital buffers and stringent, more encompassing, multi-scenario risk management protocols.
- Strategic Implications: Rapid, forward-looking strategic adjustments to comply with new regulatory demands considering their effect on profitability and operational efficiency.
On Non-Bank Financial Entities:
- Compliance Challenges: Navigating new compliance landscapes, particularly in payment services and crypto-asset markets
- Innovation Opportunities: Leveraging regulatory frameworks to innovate and offer new financial products and services
- Room for Cooperation with Legacy Banks
Global Banking:
Non-EU banks must also adapt to the new EU standards to continue operations in Europe, which would involve restructuring and additional capital requirements. The regulations might, therefore, influence global banking practices, pushing for higher standards of risk management and operational resilience worldwide.
Regional Specificities:
Different EU member states face unique challenges and opportunities under these new regulations. Countries like Germany and France, with large banking sectors, may experience more significant impacts compared to smaller markets like Lithuania. The interplay between national policies and EU-wide regulations will shape the regional banking situation.
Outlook and Conclusions
The regulatory landscape is expected to evolve with increasing integration of technological advancements. Future regulations will likely focus on AI, cybersecurity, and climate risks.
The EU’s proactive stance will continue to set global standards, influencing banking practices worldwide. Its evolving regulatory framework seems complex at first glance. Each piece intends to serve in creating a resilient and transparent banking environment for a future that, from today, seems more uncertain than ever before. As some analysts point out, the EU’s increasingly regulated environment might herald the end of a uniform global economic order. Nevertheless, in many issues such as AI, data, and crypto money, for instance, they aim not to cut off the EU from advances but to protect its financial stability while pursuing those same advances in a checked way.
EU banks, old and new of all sizes, need to adapt strategically to thrive in a more dynamic environment contained within stricter regulations. Embracing the legislative changes will not only ensure compliance for its own sake as a minimum but also position EU’s financial institutions in a way that they could leverage new opportunities and lead in more aspects of the global banking sector. I say this because the approaches to these forces are diverging in our multipolar world, and it is yet unclear whose stance will “sustain” its economic area most, come the middle of this century. The EU is attempting to strike a balance between the prevalent approaches to its West and its East. Necessity is the mother of invention, yet an environment that balances safety with stimulation may lead to not the most but the best creativity. Our banking mindset amid all these new regulations is to view them not as brakes or walls merely but as lifeguards in a patchier sea of economic development.
Ekmel Cilingir
Chairman
European Merchant Bank