Abstract
Much progress has been achieved in strengthening Iceland’s banking regulatory and supervisory framework since the IMF’s prior BCP assessment was undertaken in 2014. The Ministry of Finance and Economic Affairs (Iceland) (MoFEA) together with the Central Bank of Iceland (CBI) undertook a thorough legislative reform agenda which included the transposition of the EU legislative framework and EBA guidelines into Icelandic banking law, enacted a new law for banking resolution as well as established the Resolution Authority within CBI, and adopted new liquidity requirements (Basel III). Further, CBI fully implemented its risk based supervisory framework, adopting supervisory methodology that focuses on high-impact financial institutions, ensuring deep analysis by off-site supervisors on capital, liquidity, business model analysis, as well as governance and internal controls. CBI, together with other relevant agencies, also developed and implemented a new AML/CFT legislative and supervisory framework for banks (applicable to all regulatory institutions that CBI now regulates since the merger with the FSA).
Executive Summary1
1. Much progress has been achieved in strengthening Iceland’s banking regulatory and supervisory framework since the IMF’s prior BCP assessment was undertaken in 2014. The Ministry of Finance and Economic Affairs (Iceland) (MoFEA) together with the Central Bank of Iceland (CBI) undertook a thorough legislative reform agenda which included the transposition of the EU legislative framework and EBA guidelines into Icelandic banking law, enacted a new law for banking resolution as well as established the Resolution Authority within CBI, and adopted new liquidity requirements (Basel III). Further, CBI fully implemented its risk based supervisory framework, adopting supervisory methodology that focuses on high-impact financial institutions, ensuring deep analysis by off-site supervisors on capital, liquidity, business model analysis, as well as governance and internal controls. CBI, together with other relevant agencies, also developed and implemented a new AML/CFT legislative and supervisory framework for banks (applicable to all regulatory institutions that CBI now regulates since the merger with the FSA).
2. CBI successfully merged with the Financial Supervisory Authority (FSA) beginning 2020, however further changes are needed to protect CBI’s independence, accountability, and operational effectiveness for banking supervision. Upon the merger with the FSA, CBI adopted a new organizational structure that included the establishment of three oversight committees (Monetary Policy, Financial Stability and Financial Supervision). The Financial Supervision Committee (FMEN), which has government representation, is tasked with reviewing and approving matters related to all categories of financial institutions, not just banks, that CBI now regulates post-merger. This includes approving the results of CBI/FSA’s risk assessment of banks and other related matters. Government representation on FMEN may have a perceived or real conflict of interest (as two of the largest commercial banks, and one of the savings banks, are either state-owned or have a significant government interest) as well as potentially impeding CBI’s ability to act independently . CBI, as the prudential supervisor of banks, needs to have full discretion to take any supervisory action or decision regarding banks without the interference of government or industry representatives. CBI needs to strengthen its delegation of authority to ensure clear accountability, not only regarding the roles and responsibilities from the Governor, the Deputy Governor of Financial Supervision, and the FMEN to supervisory staff within CBI, but the legal basis on which CBI is able to make decisions regarding banks. Last, legislative amendments are required to ensure the protection of CBI/FSA supervisors from lawsuits and to support them with the cost of defending themselves.
3. CBI’s ability to access funding for banking regulation and supervision is hampered by the MoFEA/parliamentary budgetary processes that is a legacy funding structure from the prior FME. CBI is included in Part C of the State budget together with State-owned companies. The budget process for financial supervision associated with the FSA, however, requires the MoFEA, based on the funding appropriation in the budget, to determine the allocation of funds for the operations of the FSA. CBI must submit an annual report to the MoFEA, accompanied by an opinion from the Consultative Committee of Supervised Entities and from FMEN, on the estimated cost of FSA’s operations over a three-year period. CBI needs to develop and implement a streamlined process, together with approval from various oversight agencies, to ensure it has an ability to address additional funding needs for banking supervision during the mid-parliamentary budget cycle. At this time, CBI cannot assist/reallocate its own funds to the functions of the FSA (which is legally a part of CBI) in cases of emergency funding needs for banking supervision.
4. Key legislative amendments have been enacted in the banking laws to ensure Iceland’s compliance with the European Union’s (EU) regulatory framework for banking supervision. The EU regulatory framework for banks has been transposed into national law, as well as the requirement for banks to comply with EBA guidelines. CBI, however, has not issued guidelines to banks in the key risks that would ensure the EU rules are tailored to the Icelandic environment and provide clarity of CBI’s supervisory expectations to the banking industry for appropriate, risk-based, and proportionate implementation. CBI can use discretion as to where this additional guidance is needed given the extent of the newly adopted EU framework.
5. CBI/FSA’s Supervisory Review and Evaluation Process (SREP) demonstrates a comprehensive off-site supervisory approach for major banks. CBI/FSA utilizes a supervisory review and evaluation process (SREP) for less significant institutions (LSI) under the single supervisory mechanism (SSM) overseen by the European Central Bank (ECB). CBI/FSA’s SREP, involving deep assessments of banks capital, liquidity and business model analysis, together with the quarterly risk assessments equate to good supervisory coverage by off-site supervisors. CBI/FSA’s SREP methodology is based on proportionality and therefore focuses on the institutions with the highest impact rating which dictates the frequency of the minimum engagement model with banks (yearly for D-SIBs), including engagement with Boards and key control functions. CBI/FSA’s SREP for low/medium-low impact banks needs to be re-assessed to ensure adequate supervisory coverage is working in practice.
6. CBI implements a conservative approach to both capital and liquidity requirements, resulting in highly capitalized and adequate liquidity levels for banks. Although Iceland has adopted the EU framework into its legislation, the deviations in the EU framework from the Basel standards for capital and liquidity are not considered material at this point of time for Iceland. Icelandic bank’s capital requirements include extensive capital buffers and Pillar 2 requirements which are based on in-house benchmark models that CBI has developed and disclosed to the banking industry to capture risk exposures that are not covered in Pillar 1, including concentration risk and interest rate risk in the banking book (IRRBB). Total average capital adequacy ratios for domestic systemically important banks (D-SIBs) were approximately 23 percent, well above minimum regulatory requirements. Further, Icelandic banks are required to meet the minimum Basel III liquidity requirements of 100 percent total liquidity coverage ratio (LCR) ( including LCR of ISK (40 percent2), LCR FX (100%), as well as a net stable funding ratio of 100 percent. All banks are operating well above minimum LCR/NSFR requirements (e.g., as at June 30, 2022, D-SIBs reported on average greater than 400 percent LCR and 120 percent NSFR3).
7. CBI/FSA’s on-site inspection and off-site supervision program needs to be reassessed to ensure FSA has an adequate view of the effectiveness of bank’s risk management practices across all risk areas, especially for D-SIBs. As part of the banking supervisory planning processes, CBI/FSA’s financial supervisors tend to focus on the need for assurance on important topical areas for banks (e.g., large borrowers, asset classification for stage 2 or 3 loans, etc.) wherein the on-site inspection program is tasked to undertake the review dictated by banking supervision. An adjustment to the off-site/on-site mix would enhance the necessary risk-based supervisory approach and develop CBI/FSA’s view on the effectiveness of bank’s risk management practices across all material risks. These reviews, including scoping for more intrusive on-site inspections, should be planned out, on a multi-year risk-based planning cycle, with input from all three departments that oversee banking supervision (Banking, Compliance and Inspections, and Financial Stability who is responsible for the inherent liquidity risks of banks).
8. CBI/FSA’s current complement of banking supervisors, including risk specialists is strong, however a few risk areas need augmentation. Since the merger with the FSA, CBI has made several key changes to banking supervision. The current structure has off-site lead financial supervisors and risk specialists. The Compliance and Inspection Department has risk specialists with banking industry experience and the Financial Stability Department supports overall banking supervision with the monitoring of liquidity risk on a bank and banking industry basis. The number of lead financial supervisors, together with a few key risk areas (e.g., market risk, interest rate risk in the banking book (IRRBB) and operational risk) needs to be addressed given key person vulnerabilities.
9. CBI’s banking supervisory and regulatory framework pertaining to AML/CFT requirements is considered adequate. CBI has made great efforts to build up the area of expertise in AML/CFT to implement a risk based supervisory assessment model for banks and has carried out deep on-site inspections to assure itself of the effectiveness of bank’s risk management practices regarding compliance with applicable AML/CFT legislative and supervisory requirements. Banks’ AML/CFT preventive frameworks are still maturing, and supervisory efforts need to continue to ensure that: (i) banks receive adequate onsite attention (potentially more frequent engagement, targeted at the highest money laundering/terrorist financing risk areas); and (ii) the results of supervisory activities are concluded and communicated to banks in a timely manner. (CBI has released “lessons learned” paper, engaged the banking industry through conferences and has built a very detailed website outlining applicable laws, regulations, guidelines, etc. That being said, CBI needs to reassess the need to develop AML/CFT guidance to ensure that banks know, understand and comply with the extensive CBI AML/CFT regulatory and supervisory requirements for banks. Results of on-site inspections should go to the Board as well as to senior management to ensure accountabilities with respect to this key risk are clear for banks. While AML/CFT considerations are included as part of the SREP process, CBI should consider better integrating a bank’s risk rating on compliance with AML/CFT requirements into the overall SREP score of the bank, in particular, where material AML/CFT deficiencies have been identified.
Main Findings
10. This Chapter summarizes the outcome of the BCP assessment in Iceland, acknowledging progress made since the last 2014 ROSC and highlighting main findings detailed under each CP. Tables on compliance with the BCPs and recommended actions are attached after the detailed assessment at the end of report.
A. Responsibilities, Objectives, Powers, and Independence (CP1-2)
11. CBI merged with the FSA beginning 2020 changing its responsibilities, objectives, and powers regarding banking supervision and regulation. The Financial Supervision Committee (FMEN) makes critical legal decisions covering all institutions that CBI now regulates post-merger, including decisions regarding the business of banking. Government representation on FMEN poses a unique challenge to CBI’s independence in that decisions made regarding the prudential supervision of banks should be at the discretion of the supervisory authority (CBI) without interference from government or industry influence. In addition, there is a potential conflict of interest, real or perceived, with government representation on FMEN who currently oversees the sign-off of the SREP of the DSIBs, in particular as two of which are either state owned or have significant government interest in the banks. It is acknowledged that the Minister of Finance sits on the Financial Stability Council, which is appropriate and necessary, especially in dealing with sector wide banking or financial stability issues.
12. CBI needs to implement a legal delegation of authority framework which would set out the specific powers, duties, and functions for the administration of banking legislation and regulation that the Governor can delegate to other individuals within the CBI. This delegations of authority framework would go beyond a “signatory policy” to a legal description of what powers, duties and functions will be passed down from the head of the authority (Governor) and to whom (FMEN, Deputy Governor of Financial Supervision, Heads of Departments, and so on), and under what circumstances. Currently FMEN has a “rule of procedures” that lists out certain decision that can be passed from the FMEN to the DG and CBI has an internal signatory paper describing a list of documents that can be signed by staff. These two descriptions do not go far enough on the delegation of authorities. The proposed delegation of authorities is necessary to ensure that operational effectiveness and accountabilities are clear as decisions pertaining to prudential supervision of banks should not be unnecessarily impeded nor the level of sign-off be questioned legally, especially when issues and timely decisions need to be taken in case of an emergency situation or the need to utilize prompt corrective measures (e.g., dealing with a problem bank).
13. CBI needs to ensure it has adequate banking supervision resources (key risk specialists) as well as implementing changes to its funding model which is overly complicated and needs to be streamlined. Further, CBI’s lack of key human resources (financial supervisors, risk specialists (key person vulnerabilities) on market risk/IRRBB, operational risk, etc.) may impede its ability to effectively deliver on its mandate for banking supervision.
14. Certain key legislative amendments and supervisory guidance are needed in addition to CBI having the power to initiate and propose legislation regarding the prudential regulation and supervision of banks. The CBI Act does not clearly indicate the process and reasons for dismissal of the Governor and/or a member of the supervisory Board. Nor does the Act provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. Further, although the EU regulatory framework for banks was transposed into law, CBI needs to issue supervisory guidance that is not only tailored to the Icelandic jurisdiction but provides additional clarity to the banking industry on CBI’s supervisory expectations across material risk areas. CBI does not have the power to initiate and propose legislation directly to parliament regarding the prudential regulation and supervision of banks.
B. Permitted Activities, Licensing, and Change of Control (CP4-7)
15. The Icelandic legal and regulatory framework is aligned with the broad EU definitions and scope of permitted activities and licensing requirements. Such a large scope of regulation and supervision provides CBI with a strong legal foundation to effectively control the activities of banks and credit institutions. This approach is relevant for Iceland, since major banks have adopted a so-called universal banking business model (with permitted activities extending to insurance, securities market, etc.), requiring close supervisory scrutiny from CBI.
16. Issuance of new bank licenses in Iceland has been very limited for many years, yet licensing requirements and processing are well structured. Based on a solid framework for processing licensing applications, which are supported by detailed requirements, comprehensive licensing criteria, and a risk-based assessment methodology, CBI is able to implement a thorough examination of application requests from entities for a banking license, as well as from natural persons for their appointment as members of the board of directors or senior management. CBI has adequate powers to require adjustments of proposed plans, if need be, or to reject applications. Minimum initial capital requirements at the licensing stage are the equivalent in ISK of EUR 5 million for banks.
17. Regulation of transfer of significant ownership has been enhanced, though the number of cases has been limited. CBI pays increasing attention to the ownership structure of banks, and requires full transparency of banks’ shareholding structure, up to the ultimate beneficial owners (UBOs). The definition of a “qualifying holding” is not restricted to quantitative thresholds (starting at 10 percent). CBI also considers the significant influence on the management of the bank, which is a more qualitative criterion and better adapted to the Icelandic environment, given the significant interconnectedness of business and personal relationships in a rather small country. Nevertheless, existing legislation should be further enhanced to require that banks notify CBI as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest, in order that CBI proceed with early examination of shareholders’ suitability issues which may impact banks.
18. Regulation of major acquisitions has also been enhanced. CBI has adequate powers to examine and possibly reject any major acquisition envisaged by a bank. Based on the recent case of a major acquisition made by a non-systemic Icelandic bank through its UK subsidiary, CBI adequately assessed the impact this acquisition would have on the Icelandic bank. CBI regulates the bank on a consolidated basis, by acting as the home group supervisor in conjunction with the host supervisor of the subsidiary.
C. Supervisory Cooperation, and Consolidated Supervision (CP3, 12, 13)
19. Cooperation and collaboration arrangements for banking supervision have been developed, though not critical for Iceland, given that the banking system is largely domestically based. CBI signed several Memorandum of Understandings (MoUs) with foreign regulatory authorities, but these cooperation arrangements are barely used because of the very limited number of cross border entities. Alternatively, CBI is more engaged with multilateral cooperation; notably with Nordic countries, to share supervisory information and best practices, however these arrangements could be strengthened from a crisis management perspective. At the domestic level, CBI is part of a national cooperation arrangement for AML/CFT, and it maintains continuous interaction with the MoFEA informally. A representative from the MoFEA participates on the FMEN and therefore banking supervision information is shared, Confidentiality of information shared through cooperation arrangements is reflected in the MoUs and within the legislation.
20. A comprehensive framework for consolidated supervision of banking groups is in place, yet oversight powers on parent companies beyond regulated mother companies of banking groups should be clarified. Consolidated supervision is mostly referring to EU rules, and effectively implemented based on regulatory reporting and through SREP. Consolidated supervision is not critical for Iceland given the current structure of the banks. Above and beyond the consolidation perimeter of regulated banking groups, the existing legal framework allows CBI to oversee banks’ shareholders, including parent companies and their subsidiaries. Effective CBI oversight of banks’ shareholdings on a regular basis, not only at the licensing stage or at the change of ownership stage, may be further developed.
21. Although the need for CBI to develop home-host relationships is not presently required, there is a dedicated legal and institutional framework in place. Given the immateriality of cross-border banking entities within the Icelandic banks, there has been no need to set-up supervisory colleges nor conduct on-site inspections abroad. Cross-border cooperation for supervisory purposes is implemented on a case-by-case basis. CBI is well connected to other supervisory authorities which may be relevant to ensure effective relationships, especially among Nordic countries.
D. Supervisory Approach, Techniques, Tools, and Reporting (CP8-10)
22. CBI/FSA utilizes a supervisory review and evaluation process (SREP) for less significant institutions (LSI) under the Single Supervisory Mechanism4 (SSM) overseen by the European Central Bank5 (ECB). CBI/FSA’s, based on the categorization of institutions, annual SREP assessments are undertaken for the D-SIBs based on the high-impact category rating for these banks. CBI/FSA, therefore, spends a considerable amount of time assessing the forward-looking analysis through the utilization of stress testing methodology for the business model analysis (BMA) as well for the assessment of ICAAP and ILAAP. Meetings are carried out with management on a topic-specific basis for SREP and to discuss the quarterly risk assessments. SREP for low/medium impact banks is not carried out with same frequency, in accordance with the minimum engagement model. CBI needs to assess if the timing of undertaking a SREP assessment for the lower impact banks is working well in practice (e.g., these banks are assessed but not in conjunction with CBI’s current minimum engagement model).
23. CBI’s off-site supervision function undertakes full SREP assessments, however the onsite program needs to encompass a deeper scope of supervisory work. CBI needs a more comprehensive program, utilizing not just thematic reviews focusing on risk areas of concern, but covering material risks with a risk-based approach over a multi-year cycle. While on-site inspectors carry out their inspections on a timely basis and results of inspection reports are provided to banks’ management on a timely basis, the “formal letters” being issued to the Board, which include remedial/corrective actions are somewhat delayed as supervisors await all three thematic on-site inspections to be completed and the legal sign off processes to complete the letters. This current process is undermining the effectiveness of CBI’s communication which should be done on a timely basis. CBI needs to maintain its’ internal standard on the completion of reviews to date of communication to the banks, especially the results to the Board of Directors.
24. CBI’s IT infrastructure, supervisory data collection, and interfaces built or being built for supervisors are very dynamic. CBI collects data from a variety of sources (FINREP, COREP and goes beyond the EU framework with the loan portfolio analysis report (LPA), credit registry data, ad hoc data requests, etc.). Further, the interfaces are in the process of being built or already built (Power BI, Vaki) which enable supervisors to effectively work with key data points, produce graphs and analysis to support the SREP and risk assessment processes. Further, CBI utilizes data verification methodology in line with EU expectations.
E. Early Intervention, Corrective Action, and Sanctioning (CP11)
25. CBI/FSA has an appropriate range of supervisory measures to address, at an early stage, when a bank is not complying with laws, regulations, rules and/or guidelines. CBI/FSA has a tendency to require additional Pillar 2 capital rather than make use of the other intervention tools and supervisory measures available to them, as banks push back when told to book additional specific provisions for example. Further, CBI/FSA has established a working committee to develop and implement internal escalation procedures which help CBI to effectively operationalize such a plan when needed.
F. Corporate Governance, and Internal Control (CP14, 26)
26. As part of its SREP process, CBI undertakes an assessment of bank’s internal governance and institution-wide controls. Based on CBI’s SREP methodology, a proportionate approach is taken regarding low and medium-low impact banks wherein contact with the Board and key control functions may be less frequent or even “infrequent”. CBI/FSA should re-assess the minimum engagement model to ensure adequate coverage is in place, that makes sense in practice. Further, CBI carries out fit and proper assessments when Board members are on-boarded. However, CBI /FSA should assess Board members’ “duty of care” and “duty of loyalty”. Last, although banks may combine audit and risk committees, these two committees should be kept distinct, in accordance with Basel Standards.
27. Based on EU rules and EBA guidelines, CBI has implemented a more stringent off-site supervisory review of internal control frameworks of major banks. CBI has put some emphasis in upgrading the internal control culture in banks. While CBI has developed intense supervisory dialogue and more thorough off-site reviews of internal control processes through the annual SREP of D-SIBs, supervisory assessments of internal control functions in smaller banks has been less effective. Moving forward, CBI should assess the adequacy of banks’ internal control frameworks more thoroughly by performing full-scope on-site inspections covering the usual so-called three lines of defense, including: (i) internal control departments/processes embedded within operational (business and support) workstreams at first level; (ii) independent internal control functions in charge of risk management, compliance, as well as oversight of most risk-sensitive operational workstreams (checks and balances, and “four-eyes” principle) at second level; and (iii) the independent internal audit function for the entire bank at third level. Additional human resources may be required in that regard.
G. Capital Adequacy (CP16)
28. CBI has effective powers to enforce adequate prudential capital requirements for banks. The prudential definition of capital, as well as the rules to calculate the capital adequacy requirements have been transposed from the European framework with no significant national discretion options. Risk-weighting of credit risk, market risk, and operational risk exposures used for Pillar 1 capital requirements is based on the standard approaches. Icelandic banks don’t use internal ratings-based (IRB) approaches for the regulatory calculation of capital, though they use internal models for their internal capital adequacy assessment processes (ICAAP). Banks’ internal models are reviewed by CBI, though not formally approved as IRB models, and ICAAP results are challenged by CBI through the SREP. The findings raised in the EU Regulatory Consistency Assessment Programme (RCAP)6 and in the EA BCP assessment7, which outline the deviations from the Basel standards, still stand, although are not considered material for Iceland.
29. CBI’s total capital requirements for banks are considered adequate, given the extensive additional capital buffers as well as the Pillar 2 requirements. Major banks are classified as D-SIBs. In addition to the minimum capital adequacy ratio of 8 percent, they are subject to a capital conservation buffer (2.5 percent), a systemic risk buffer (3 percent), a so-called other systemically important institution (O-SII) buffer (2 percent), a macroprudential countercyclical capital buffer (2 percent), and ad-hoc Pillar 2 additional capital requirements, which are strong (from 2.6 to 3.5 percent). For determining Pillar 2 requirements, CBI uses in-house benchmarking models aimed at supplementing Pillar 1 requirements for risk areas that CBI considers as not being adequately covered by Pillar 1. Although D-SIBs typically argue against the Pillar 2 requirements, CBI enforces its additional Pillar 2 assessment requirements as part of the ICAAP review process. CBI’s methodology and decisions on capital adequacy requirements are publicly disclosed for each major bank for full transparency. On average, total regulatory capital ratios for D-SIBs stands above 23 percent, which is well above minimum capital requirements, considered high and conservative.
H. Risk Management (CP15, 17-25)
Risk Management Framework (CP15)
30. CBI’s SREP does not assess, to the depth necessary, the effectiveness of bank’s risk management practices across all risk areas. This includes an assessment of banks’ adherence to board-approved risk policies and procedures, across all material risk domains, encompassing: whether banks are operating within risk limits as dictated by the Board, strength of banks’ ICT systems (measuring, assessing, reporting risks), whether exceptions to policies have adequate policies and limits in place (senior management/board sign off for established thresholds, whether bank’s use of models, including whether banks perform regular and independent validation and testing of such models. and the adequacy of banks’ resources for their risk management functions (independence, direct access to the board, clear segregation of duties, etc.). CBI should issue guidance that adequately describes CBI’s expectations for the implementation of sound risk management practices, at least for the key risk areas (credit, operational, IRRBB, market).
Credit Risk and Problem Assets (CP17-18)
31. CBI/FSA needs to assure themselves that banks (especially D-SIBs) have effectively implemented EBA’s guidelines on loan origination and monitoring. Typically, through on-site thematic reviews, CBI has been able to assess the strength of bank’s practices covering important topics or particular areas of concern (e.g., large exposures, etc.). Banking supervisors together with credit risk specialists do not necessarily undertake deep assessments of the effectiveness of bank’s credit administration policies/processes (especially for all D-SIBs) across a variety of products (e.g. real estate back loans, personal loans, corporate loans, etc.), that would include how banks are treating in practice and in accordance with board approved credit policies/risk limits regarding: a) existing exposures, new exposures and the renewing/refinancing/rescheduled of loans in practice; b) the borrower’s ability and willingness to repay loans; c) whether the documentation (including legal covenants, contractual requirements) are in place; d) collateral and other forms of credit risk mitigation (e.g. bank’s loan valuation methodologies); e) whether asset classification systems are adequate; and f) the quality of bank’s information systems, (e.g. whether such systems in practice provide accurate and timely identification, aggregation and reporting of credit risk exposures). Financial supervisors and credit risk experts would benefit from additional training on the EU rules and EBA guidelines (including affording enough time to supervisors to undertake the training), the Supervisory Handbook needs to be updated, and CBI should consider putting in place external prudential standards that are tailored to the Islandic jurisdiction.
32. Banks and CBI/FSA, to a certain extent, rely on the view of banks’ external auditors with respect to asset classification, loan-loss provisioning, and write-offs of banks’ loans. CBI requires commercial banks to be IFRS 9-compliant whereas smaller savings banks are obliged to follow national standards for the preparation of their annual accounts. CBI has undertaken on-site reviews to verify banks’ assumptions on the classification and stage-rating of problem loans. However, CBI needs to undertake a deeper assessment across all loan products to assess for example collateral and guarantees, as well as banks’ asset classification systems. CBI tends to increase Pillar 2 additional capital requirements rather than order banks to book additional specific loan-loss provisions (due to bank’s pushing back on CBI’s assessment).
Concentration Risk and Large Borrow Limits, Transactions with Related Parties
33. CBI undertakes the assessment of credit concentration risk and large borrowers as part of the SREP’s ICAAP review, as well as quarterly risk monitoring. However, it needs to ensure that banks have adequate limits in place to monitor and track concentration exposures. Some of banks’ risk reports embed tracking of concentration risk limits, and other reports, such as the credit registry provide CBI with the necessary information, to assess from an off-site perspective, banks’ exposures on a quarterly basis. CBI also needs to assess the effectiveness of banks’ risk management processes pertaining to concentration risk in practice which would provide additional assurance. Last, given two of the DSIBs have significant State shareholdings, it would be appropriate to monitor aggregate exposures to the State for these banks, as these loans are normally exempt.
34. CBI/FSA’s definitions8 of a related party and a related party transaction need to be broader to ensure the adequate capture of the risk related to such transaction. The definition of a related party needs to capture not only qualified holdings in the company, but to extend the definition to the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates, and special purpose entities) that the bank exerts control over, or that exerts control over the bank, to comply with the Basel Standards. Further, CBI/FSA’s definition of a related party transaction is potentially not broad enough to capture related party transactions that include on-balance sheet and off-balance sheet credit exposures and claims, as well as dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. CBI/FSA should require bank Boards to review and approve related party transactions over a certain threshold (specified by the bank Boards) as well as undertaking deeper supervisory reviews to determine if banks’ policies and processes in fact prevent persons from benefiting from such transactions and/or persons related to such a person from being part of the process of granting and managing the transaction. Moreover, CBI/FSA should require banks to set limits on the aggregation of total exposures to related parties and that such limits are at a minimum as strict as those for single counterparties or groups of connected counterparties.
Country Risk, Transfer Risk, Market Risk, Interest Rate Risk in the Banking Book (CP21-23)
35. Though country risk and transfer risk are not identified by CBI as a significant risk domain to which Icelandic banks are exposed, banks are not subject to clear prudential regulatory and supervisory requirements. The legal and regulatory framework applicable to banks relating to prudential requirements on the risk management of country risk and transfer risk, including the minimum requirement for bank’s policies and processes, as well as internal CBI guidance does not exist. Therefore, CBI should clarify prudential requirements for banks and implement a supervisory strategy regarding country risk and transfer risk, aimed at implementing a tailored, proportionate and risk-based supervisory framework.
36. Although prudential requirements on market risk management are aligned with EU rules and EBA guidelines, which are incorporated in Icelandic regulation without significant national options, the effectiveness of on-site supervision of market risk is not optimal. Off-site supervision of market risk has been carefully implemented in recent years with demonstrated technical expertise, including daily monitoring of major banks’ market risk exposures, as well as reviewing banks’ internal models for market risk management, banks’ stress testing processes and outcomes, and banks’ overall risk management policies and documentation. The risk exposure of the Icelandic banking sector to market risk is considered rather low by CBI, compared to other risk domains. Even so, CBI’s overall view on banks’ effectiveness of market risk should still be upgraded by performing on-site inspections covering the overall market risk management framework of major banks comprehensively throughout a reasonable multi-year on-site supervisory cycle, which is lacking at this time. In addition, CBI has only one part-time market risk specialist among banking supervisors, which may expose CBI to a significant “key-person” risk, as well as limit the possibility of this expert being adequately challenged.
37. Similar observations regarding CBI’s oversight of IRRBB as market risk, except banks’ exposures to interest rate risk is more material in Iceland. Even before inflation rising and interest rates hikes since late 2021, banks are largely exposed to inherent IRRBB, given the size of their loan portfolios, including a mix of (i) loans with interest rates indexed or non-indexed on inflation, and/or (ii) loans at fixed or variable interest rates. Such mix of loan pricing methods have been gradually changing, due to the shift of debtors’ attitudes towards fixed interest-rate formulas of housing loans, to try to escape the impact of increasing interest payments as much as possible. In that context, IRRBB management is mostly supervised by CBI through enforcing specific Pillar 2 additional capital requirements. Similar to market risk, the off-site supervision of IRRBB management in the banking sector has been closely implemented by the same risk specialist. For similar reasons as for market risk, the overall effectiveness of banking supervision of IRRBB should be deepened by performing on-site inspections covering the overall IRRBB management framework of major banks comprehensively, which has been lacking for several years. CBI should also address the “key-person” risk on IRRBB among banking supervisors by increasing staffing and expertise.
Liquidity Risk (CP24)
38. Banks comply with LCR, NSFR, and other liquidity reporting requirements, as established by the EU framework - which includes some deviations from the international standards. CBI regularly makes assessments of banks’ liquidity and funding risk management frameworks and liquidity positions through and by monitoring internal reports, prudential reports, and market information. Further CBI/FSA’s annual SREP conducts a comprehensive assessment of banks’ overall liquidity and funding risk management frameworks and positions to determine whether bank delivers an adequate level of resilience to liquidity stress given each bank’s role in the financial system. The ongoing evaluation of the effectiveness of risk management and control for liquidity and funding risks is mainly focused on specific requirements such as stress tests, governance, monitoring systems, reporting, contingency funding plans and public disclosure. CBI annually performs a comprehensive assessment of banks overall liquidity risk management framework and positions to determine whether a bank delivers an adequate level of resilience to liquidity stress given the bank’s role in the financial system through SREP. The findings raised in the EU RCAPs pertaining to EU LCR rules9 and EU NSFR rules10, as well as the EA BCP, which outline the deviations from the Basel standards, still stand, although are not considered material for Iceland.
Operational Risk (CP25)
39. Substantial progress has been made by CBI to develop a more comprehensive and qualitative supervision of operational risk management, beyond the quantitative approach of Pillar 2 additional capital requirements, however, more work needs to be done. Icelandic D-SIBs are quite exposed to various forms of operational risk, given their universal banking model, considering the country-specific environment, including steady transition towards large digitalization of banking and payment services. Prudential regulations on operational risk mostly rely on relevant EBA guidelines, but supervisory expectations for proper implementation have not fully been tailored to the specific risk profile on the Icelandic banking sector regarding operational risk, nor adjusted to consider proportionality. Even for ICT risk and cybersecurity management, update of supervisory guidance is needed. Nevertheless, CBI has undertaken the review of operational risk through off-site supervision, mainly through SREP, which has been performed annually for major banks but only two times since 2016 for smaller banks.
40. CBI should build a comprehensive risk-based supervisory strategy on operational risk and undertake more comprehensive on-site inspections to assess the adequacy of banks’ operational risk management policies, procedures and practices. CBI should undertake a thorough risk mapping and assessment of the banking sector’s exposure to the large and complex range of operational risk categories, sources, threats, and vulnerabilities, at banking system level, and for individual banks. With limited human resources, on-site inspections regarding operational risk have been targeted on a selected range of sensitive topics, such as outsourcing, which are relevant but topically too limited. CBI, therefore, should develop and implement a more comprehensive approach to assessing bank’s operational risk management practices, especially in major banks, by undertaking a review of bank’s ICT risk management and cybersecurity policies, procedures and practices, which would require additional human resources and expertise.
I. Financial Reporting, External Audit, Disclosure and Transparency (CP27-28)
41. CBI applies an adequate financial reporting framework for the Icelandic banking sector that is comparable to other EU member states. Iceland’s national legislation, EU rules and EBA guidelines enable a uniform standardization and benchmarking of banks’ financial reporting with other European countries enables comparable reporting standards.
42. Although legal powers of CBI over banks’ external auditors have been recently upgraded, enhanced prudential oversight powers would be desirable. CBI has been provided with the additional legal powers to request the replacement of an external auditor who in certain circumstances, missed alerting supervisors in the case of a major breach of regulation, a potential threat or impactful issue, or if financial accounts were not certified. Nevertheless, CBI is not consulted on, nor can provide an objection to the appointment of banks’ external auditors, for instance in the case where an external auditor is deemed to have inadequate expertise or independence. In addition, the legal rotation requirement of banks’ external auditors, though aligned with EU rules, looks unreasonably long, with maximum duration of their mandate possibly ranging from 10 years, up to 24 years.
43. Major banks disclose detailed information, including Pillar 3 reports and ESG reports. Financial disclosure of D-SIBs’ financial statements is made annually with quarterly updates in Icelandic and English. Financial disclosure is less accessible and detailed for savings banks (Icelandic only). Supervisory disclosure of information by CBI looks quite rich in Icelandic, including regulation, guidance, general information, reports, even decisions on individual banks (for instance, Pillar 2 decisions, and sanctions). The recent disclosure of the financial supervision strategy for 2022-24 is a commendable achievement towards better transparency from the CBI. Yet the quality of English-translated supervisory disclosure may still be enhanced for the benefit of foreign stakeholders, notably on the regulatory and supervisory framework and policies.
J. Abuse of Financial Services (CP29)
44. CBI’s banking supervisory and regulatory framework pertaining to AML/CFT requirements is considered adequate. CBI has made great efforts to build up the area of expertise in AML/CFT to implement its new risk-based supervisory assessment model for banks (including the annual collection of critical data as part of its off-site risk assessment program), and has carried out deep on-site inspections to assure itself of the effectiveness of banks’ risk management frameworks and practices regarding compliance with applicable AML/CFT legislative and supervisory requirements (including carrying out the testing of the effectiveness of bank’s AML/CFT systems and controls pertaining to customer due diligence and suspicious transactions reporting). Banks’ AML/CFT preventive frameworks are still maturing, and supervisory efforts need to continue to ensure that: (i) banks receive adequate onsite attention (potentially more frequent engagement, targeted at the highest money laundering/terrorist financing risk areas); and (ii) the results of supervisory activities are concluded and communicated to banks in a timely manner (. CBI has released a “lessons learned” paper, engaged the banking industry through conferences, and has built a very detailed website outlining applicable laws, regulations, guidelines, and other useful information. That being said, CBI should reassess the need to develop AML/CFT supervisory guidance to ensure that banks know, understand, and comply with the extensive CBI AML/CFT regulatory and supervisory requirements for banks. Further, CBI needs to reassess its minimum engagement model to ensure that: communication is not only with the money laundering reporting officer (MLRO), but with the Board and senior management (CEO, CRO), including the provision of the on-site inspection report to the Board, and not just senior management, to ensure adequate accountabilities with respect to this key risk are clear for banks. In addition, the minimum engagement model should be updated to ensure adequate coverage for low/medium impact banks (e.g., savings banks). Furthermore, the length of time it takes for the results of the draft inspection report to be formalized needs to be shortened to ensure timely communication of the results. Last, while AML/CFT considerations are included as part of the SREP process, CBI should consider better integrating banks’ risk ratings on compliance with AML/CFT requirements into the SREP methodology and the overall SREP score of banks, in particular, where material AML/CFT deficiencies have been identified.
Assessment Methodology
45. The assessment of the implementation of the Basel Core Principles (BCP) by CBI is part of the FSAP undertaken by the International Monetary Fund (IMF) in 2022/23. It reflects the regulatory and supervisory frameworks in place as of the date of the completion of the assessment. It is not intended to represent an analysis of the state of the banking sector or crisis management framework, which are addressed in the broader FSAP exercise. The BCP assessment mission took place between November 19th and December 10th, 2022.
46. An assessment of the effectiveness of banking supervision requires a review of the legal framework, and a detailed examination of the policies and practices of the institution(s) responsible for banking regulation and supervision. In line with the BCP methodology, the assessment focused on banking supervision and regulation in Iceland and did not cover the specificities of regulation and supervision of other financial institutions. The assessors reviewed the framework of laws, regulations, procedures, guidelines and other materials mainly provided by CBI and held extensive meetings with CBI officials. The assessors also held additional meetings with the MoFEA, the banks, and an external audit firm. The authorities provided a BCP self-assessment, responses to additional questionnaires, and access to supervisory documents and files, staff and supervisory systems. In this request the assessors appreciate the excellent cooperation received from the authorities and extend their gratitude to the staff who participated and facilitated the exercise.
47. The standards were evaluated in the context of the Icelandic banking system’s structure and complexity. The BCP must be capable of application in a wide range of jurisdictions whose banking sectors will inevitably include a broad spectrum of banks. To accommodate this breath of application, according to the methodology, a proportionate approach is adopted both in terms of expectations on supervisors for the discharge of their own functions and in terms of the standards supervisors impose on banks. An assessment of a country against BCP must, therefore, recognize that its supervisory practices should be commensurate with the complexity, interconnectedness, size, risk profile and cross-border operations of the banks being supervised. The assessment considers the context in which the supervisory practices are applied. The concept of proportionality underpins all assessment criteria. For these reasons, an assessment of one jurisdiction will not be directly comparable to that of another.
48. The current assessment is based on the 2012 version of BCPs issued by the Basel Committee on Banking Supervision (BCBS). Iceland underwent a full BCP assessment in 2014, resulting in a detailed assessment repost (DAR) that was not made public at the time, but a Report on the Observance of Standards and Codes (2014 ROSC) was also prepared, including a summary of findings and recommendations, which was disclosed in September 2014. The previous BCP assessment was based on the 2012 BCP assessment methodology, therefore the current assessment will utilize the same methodology and approach.
49. Iceland has opted to be assessed and graded against the essential criteria only. In general, to assess compliance, the BCP Methodology uses a set of essential and additional assessment criteria for each principle. The essential criteria (EC) set out the minimum baseline requirements for sound supervisory practices and are universally applicable to all countries. The additional criteria (AC) are recommended best practices against which the authorities of some complex financial systems may agree to be assessed and rated. The assessment of compliance with each Core Principle (CP), based on the EC only in the case of Iceland, is made on a qualitative basis, using a five-part rating system explained below. The assessment of compliance with each CP requires a judgment on whether the criteria are fulfilled in practice. Evidence of effective application of relevant laws and regulations is essential to confirm that the criteria are met. Iceland has opted to be assessed against the ECs only, therefore the BCP self-assessment has not covered the AC.
50. The assessment has made use of the following categories to determine compliance: compliant; largely compliant, materially non-compliant, non-compliant and non-applicable. An assessment of “compliant” is given when all the essential criteria are met without any significant deficiencies, including instances where the principle has been achieved through other means. A “largely compliant” assessment is given when only minor shortcomings are observed that do not raise any concerns about the authority’s ability and clear intent to achieve full compliance with the principle within a prescribed period of time. The assessment “largely compliant” can be used when the system has no material risks are left unaddressed. A principle is considered to be “materially non-compliant” in case of severe shortcomings, despite the existence of formal rules and procedures and there is evidence that supervision has clearly been ineffective or that the shortcomings are sufficient to raise doubts about the authority’s ability to achieve compliance. A principle is assessed “non-compliant” if it is not substantially implemented, several essential criteria are not complied with, or supervision is manifestly ineffective. Finally, a category of “non-applicable” is reserved for those cases where the criteria do not relate to the country’s circumstances.
51. An assessment of compliance with the BCP is not, and is not intended to be, an exact science. The assessment criteria should not be seen as a checklist approach to compliance, but as a qualitative exercise involving judgement by the assessment team. While compliance with the BCP can be met in different ways, compliance with some criteria may be more critical for the effectiveness of supervision, depending on the situation and circumstances in a given jurisdiction. Hence, the number of criteria complied with is not always an indication of the overall compliance grade for any given principle. Nevertheless, by adhering to a common, agreed methodology, the assessment should provide the Icelandic authorities with an internationally consistent measure of the quality of their banking supervision framework in relation to the BCP, which are internationally acknowledged as minimum standards. Emphasis should be placed on the commentary that accompany the grade of each principle, rather than on the grade itself.
Overview of Institutional and Market Structure
52. This Chapter presents a quick overview of the regulatory and supervisory framework of the overall financial sector in Iceland. This is high-level background information aimed at introducing the country-specific context in which the BCP assessment has been delivered. Detailed information and data may be accessible from public sources, notably CBI, Icelandic government agencies, as well as the IMF and other international institutions.
A. Institutional and Legal Framework for Banking Regulation and Supervision
53. The institutional set-up in Iceland for banking regulation and supervision is shared by agencies with distinct and complementary mandates, including:
The Central Bank of Iceland (CBI) is the primary banking supervisory authority in Iceland. CBI is an independent institution owned by the State and operates in close cooperation with under the Prime Minister and the MoFEA. Its objective is to promote price stability, financial stability, and sound and secure financial activities. The Bank also undertakes such tasks that are consistent with its role as a CBI, such as maintaining international reserves and promoting a safe, effective financial system, including domestic and cross-border payment intermediation. The Financial Supervisory Authority (FSA, previously known as the FME) was merged with CBI beginning 2020, now referred to as “The Financial Supervisory Authority of the Central Bank of Iceland” (CBI/FSA), wherein CBI now administers all functions previously entrusted to the FME by law and Governmental directive. CBI/FSA is an integrated supervisor with both a prudential and a regulatory role overseeing supervisory activities, including banking. CBI/FSA ensures that the activities of supervised entities are in compliance with the laws, regulations, rules, or company statutes governing such activities.
The Ministry of Finance and Economic Affairs (MoFEA) administers matters relating to financial stability and financial markets. It has regulatory but no direct supervisory powers with regards to the supervision of banks. The MoFEA oversees the enacting of the banking legislative process, generally in consultation with CBI. The MoFEA implements regulations regarding various matters, for example, among other things, the implementation of EU regulation, delegated and implemented regulations (level 2 acts), which are implemented by either domestic regulations issued by the MoFEA, or delegated and implemented regulations for technical standards (level 2 acts) by CBI. In addition, representatives of MoFEA, appointed by the Prime Minister, sit or observe on several of CBI’s committees (e.g., FSN, FMEN). Further, the MoFEA participates in the EFTA Working Group on Financial Services, that ensures that all EEA relevant EU legislation in the field of financial services is incorporated into the EEA Agreement.
The Resolution Authority was established within CBI and entrusted with the powers of resolution with the adoption of Act no. 70/2020 on Resolution of Credit Institutions and Investment Firms (the Resolution Act). This Act provides the Governor/CBI with the power to take decisions on resolution procedures and apply resolution measures in the case of credit institutions and investment firms that are failing or likely to fail (i.e., those that are unable to service their liabilities or are highly likely to be unable to do so). According to Article 4 of the Act, CBI’s Resolution Authority shall be separate from other activities within the Bank’s organizational structure. CBI’s Resolution Authority formally commenced operation in November 2020, and it has issued rules on the practice of the Resolution Authority no. 1733/2021 in accordance with Article 4 of the Resolution Act.
54. CBI merged with the Financial Services Authority beginning 2020 which brought about several distinct changes to CBI’s internal organization structure in general and specific to banking supervision. The application of CBI’s policy instruments and powers are now in the hands of three committees: Monetary Policy Committee, Financial Stability Committee (FSN) and Financial Supervision Committee (FMEN). In addition:
Monetary Policy Committee takes decisions on the application of CBI’s monetary policy instruments regarding interest rate decisions, transactions with credit institutions other than loans of last resort, decisions on reserve requirements, and securities and foreign exchange market transactions aimed at achieving price stability.
Financial Stability Committee (FSN) is responsible for assessing the developments in the financial system, systemic risk, and financial stability, including taking necessary actions to strengthen and preserve financial stability in Iceland.
Financial Supervision Committee (FMEN) is tasked with reviewing and taking decisions related to all categories of financial institutions that CBI regulates, including banks.
The Supervisory Board monitors CBI’s compliance with the statutory provisions applying to its activities. Note that the monitoring by the Supervisory board of CBI does not include case handling or decisions on specific matters.
55. Financial Stability Council (FSC) enables cooperation between the MoFEA and CBI on financial stability issues of macro-critical importance that may possibly impact the financial system at country level. The FSC is chaired by the MoFEA, and other members include the Governor of CBI. The FSC’s mandate is (i) to formulate official policy on financial stability; (ii) to monitor economic imbalances, financial system risks, undesirable incentives and other conditions that are likely to jeopardize financial stability; and (iii) to assess the effectiveness of macroprudential policy tools. The role of the FSC has been reduced since the FSN emerged as a decision-making committee.
56. Iceland has a suitable legal framework for banking supervision wherein the supervisory authority has the necessary powers to conduct ongoing supervision, including the use of corrective actions on a timely basis. Beyond the recent adoption of the EU framework into national legislation (see below), there are no other legal reforms currently outstanding except a “Draft Bill of Legislation” which was presented to parliament during the FSAP mission, proposing some changes to the division of legal decision-making powers and responsibilities between the FMEN and CBI. The Draft Bill, published on the public consultation portal on-line, essentially proposes to clarify CBI’s discretion to make legal decisions regarding the prudential supervision of banks (e.g., redistributing decision making on financial supervision within the CBI from the FMEN).
57. Introduction of EU rules and EBA guidelines into the national legal framework for Iceland’s banking regulation and supervision framework had a considerable impact for a country with nine banks. Iceland is not designated as a member State of the European Union (EU); however, it is party to the European Economic Area (EEA Agreement) which unites the EU member States and the three EFTA EEA States (Iceland, Liechtenstein, and Norway) into one single market governed by the same basic rules. According to Article 7 of the EEA-Agreement, the EEA EFTA States are obliged to implement EU legislation that has been incorporated into the Agreement. Regulations shall, as such, be made part of the internal legal order of the EEA EFTA States, whereas directives are binding as to their objective but give the States a choice of form and method of implementation. For Iceland, the common market rules and regulations have had a considerable impact given the EU regulations and the EBA directives were transposed directly into Icelandic laws. This huge endeavor has had an impact on both CBI and the banking industry, considering Iceland has only nine banks, only three of which are classified as Domestic Systemically Important Banks (D-SIBs) from Iceland’s perspective, but in terms of size of total assets, would be categorized as “less significant institutions” compared to other financial institutions in the EU area.
58. CBI’s funding mechanism for the portion of budget needed to fund banking supervision for the FSA, is overly complicated and based on the previous funding model of the FME. The funding model for banking supervision which is dependent upon the MoFEA to submit a request for Parliamentary approval (Part A - involves remitting bank supervisory fees to the Treasury) and differs substantially from the funding of CBI (Part C is not subject to a fiscal authority or, for example, CBI’s income and expenses are excluded from government revenue and expenditure). A remedy is needed to ensure CBI, as the banking supervisory authority, has the necessary operational independence and autonomy to ensure it has adequate resourcing to deliver on its mandate as the banking supervisory authority.
B. Overview of the Banking Sector11
59. The Icelandic financial system is mostly concentrated with banks and pension funds. As shown in Table 1 below, as at Q3 2022, the Icelandic financial sector is made up of the following: (i) a highly concentrated banking sector (representing approximately 156 percent of GDP or 5 trillion ISK in total assets), made up of 9 banks, of which 3 D-SIBs, a 4th commercial bank with limited crossborder activity, and 5 savings banks (one of which recently licensed); (ii) 1 payment institution (representing 18 billion ISK in assets); (iii) 4 credit undertakings (represent only 7 percent of GDP or 226 billion ISK in total assets); (iv) insurance companies (both life and non-life) (8 percent of GDP or 270 billion ISK in total assets); (v) pension funds represent the largest component of the financial system (representing approximately 217 percent of GDP or 7.1 trillion ISK in total assets) and not only represent significant shareholdings in the banks, act as source of bank funding, but compete head on in the housing loans market; (vi) asset management companies (represent 35 percent of GDP or 1.1 trillion ISK in total assets under administration); and (vii) and investment firms with immaterial total assets.
Iceland: Structure of Regulated Financial Institutions
Iceland: Structure of Regulated Financial Institutions
Number of institutions |
Assets (in ISK, billions) |
Assets (as percent of GDP) |
|
Banks |
|||
Domestic banks |
9 |
5066 |
156 |
of which: commercial banks |
4 |
5034 |
155 |
of which: savings banks |
5 |
32 |
1 |
Foreign banks |
- |
- |
- |
Non-bank credit institutions |
5 |
244 |
8 |
Payment institutions |
1 |
18 |
1 |
Credit undertakings |
4 |
226 |
7 |
Insurance companies |
10 |
270 |
8 |
Life insurance companies |
4 |
22 |
0,7 |
Non-life insurance companies |
612 |
248 |
7,6 |
Pension funds |
21 |
708313 |
217 |
Asset management companies |
2314 |
112415 |
35 |
Investment firms |
8 |
1 |
0 |
TOTAL |
76 |
13788 |
424 |
Iceland: Structure of Regulated Financial Institutions
Number of institutions |
Assets (in ISK, billions) |
Assets (as percent of GDP) |
|
Banks |
|||
Domestic banks |
9 |
5066 |
156 |
of which: commercial banks |
4 |
5034 |
155 |
of which: savings banks |
5 |
32 |
1 |
Foreign banks |
- |
- |
- |
Non-bank credit institutions |
5 |
244 |
8 |
Payment institutions |
1 |
18 |
1 |
Credit undertakings |
4 |
226 |
7 |
Insurance companies |
10 |
270 |
8 |
Life insurance companies |
4 |
22 |
0,7 |
Non-life insurance companies |
612 |
248 |
7,6 |
Pension funds |
21 |
708313 |
217 |
Asset management companies |
2314 |
112415 |
35 |
Investment firms |
8 |
1 |
0 |
TOTAL |
76 |
13788 |
424 |
60. The D-SIBs ownership structure varies between public and state ownership. Financial system assets totaled 424 percent of GDP at the end of June 2022. The current banking landscape has been completely restructured following the “Global Financial Crisis” 16in 2008-10. The structure of the banking sector in Iceland has been somewhat stable since this time, with the 3 major banks dominating the market. All major banks became State-owned banks post-crisis restructuration and the government’s strategy has been to reduce State shareholdings by gradual privatization through public offerings when market conditions permit. In November 2022, two major banks still had significant public ownership, with Landsbankinn still under full control of the State (98,2 percent), while Islandbanki’s capital is now partially owned by the State, and Arion Bank has no more State shareholding. In March 2022, the State sold a 22.5 percent stake in Islandsbanki, which has been the subject of much public debate in Iceland due to alleged conflicts of interest involving qualifying holdings which increased the bank’s capital share however, it did not require CBI’s formal legal approval. Following that sale, the State now owns 42.5 percent of shares in Islandsbanki, with other remaining investors holding 57.5 percent.
61. Pension funds play an increasing role in the financial services sector. About 43 percent of total assets of the financial sector are owned by pension funds. Pension funds are the largest investors in the Icelandic financial market. They are direct mortgage lenders, and also provide funding to banks through the purchase of banks’ bonds (covered bonds). Moreover, they also undertake the financing of businesses directly, through bond purchases, and indirectly, through investment funds. Furthermore, pension funds are also the largest investors in the domestic equity market and among the largest owners of two of Iceland’s three D-SIBs. Pension funds in Iceland are not credit institutions; they are regulated based on a specific legal and prudential framework and supervised/regulated by CBI/MoFEA. CBI’s extended scope of oversight on the financial sector, covering pension funds as well as banks, is a good opportunity for CBI to identify common topics and/or cross-category issues that may deserve supervisory attention and action to mitigate potential system risks. In that regard, pension funds have become increasingly more powerful in Iceland due to this level of interconnectedness.
62. Cross-border banking is very limited in Iceland. No Icelandic banking group has opened any branch nor subsidiary abroad until recently, when a non-major bank acquired the control of a UK subsidiary of minor importance in the UK market. Conversely, no foreign bank has opened any branch nor subsidiary in Iceland. Nevertheless, there are some cross-border establishments outside the banking sector, for example in sectors like asset management companies, and payment institutions. Though there is no national restriction for opening cross-border entities, and the definition of permissible activities for banks is quite large, as it is in the European Union (EU), Iceland has stayed quite isolated from banking globalization. Of note, there is not much information on cross-border banking activities that are developed remotely by the banking sector without the intermediation of any regulated branch or subsidiary in home or host countries, within, or without the EEA, by Icelandic banks with non-residents, and by foreign banks with Icelandic residents.
63. Iceland’s banking sector has weathered the COVID-19 pandemic well. CBI acted quickly after the upsurge of the pandemic in Q1 2020, and banks coordinated to offer temporary loan moratoria to debtors. These exceptional support measures were lifted by end-2020. During the COVID-19 pandemic, Authorities have not been obliged to provide much additional support targeting the banking sector. Notably, no relaxation was decided by CBI regarding prudential regulation and supervision, though supervisory processes were adapted to teleworking. CBI provided emergency liquidity assistance (ELA) to support banks, by relaxing rules on collateral eligibility. Further, the countercyclical capital buffer (CCyB) was reduced to 0 percent, which was part of CBI’s existing macroprudential measures designed to be used in such circumstances. The CCyB was reactivated to 2 percent in September 2021, with effect in September 2022, given the steady recovery of the Icelandic economy, even after the upsurge of inflation and the war in Ukraine. Nevertheless, supervisory activities were impacted during the pandemic, such as on-site inspections which could not be delivered in the field as usual.
64. Asset quality remains strong in the banking sector in Iceland, although the coverage ratio of non-performing loans (NPL) to loan-loss provisions is somewhat low. The NPL ratio stands around 2 percent of total credit as at Q3 2022, while the NPL coverage ratio stands at approximately 25 percent. According to CBI, low provisioning would be justified by large collateralization of bank loans and supported by high valuation of collateral. On average, the NPL ratio of the 3 major banks calculated based on EBA guidelines stood at 1.6 percent as of Q2 2022. By H1 2022, 10.3 percent of the D-SIBs’ corporate loans and 1.5 percent of loans to individuals were forborne and performing. Banks assume that a large share of forborne loans will be reclassified as non-forborne performing loans by end-2022. As a result, the impact of the pandemic on loan classification may become negligible by 2023.
65. The capital base of the Icelandic banking sector is quite strong, with major banking groups having capital adequacy ratios above 20 percent, mostly based of high-quality CET1 capital. CBI applies the EU capital requirement directive and regulation, which ensures benchmarking of Icelandic banks with regional peers. Capital adequacy is closely monitored by CBI, based on banks’ Internal Capital Adequacy Assessment Programs (ICAAP), which are challenged by CBI using supervisory calculation models and benchmarks aimed at tailoring capital requirements applicable to each D-SIB’s specific risk profile. In that regard, supervisory requirements determined by CBI based on Pillar 2 of the Basel framework are quite conservative, while methodology implemented in Iceland as well as the results are publicly disclosed on CBI’s website in a transparent manner17. In all, Icelandic banks’ capital base has not been seriously impacted by the pandemic and recent turmoil of the global economy, and the systemically important part of the banking sector at the national level has significant buffers to absorb external shocks. On average, the capital adequacy ratio and leverage ratio of the 3 major banks stood at 23 percent and 13 percent respectively as of Q2 2022, far higher than minimum regulatory standards.
66. Banks’ liquidity risk and funding levels are closely monitored by CBI, given that Iceland is a small, independent, and mostly domestic-oriented marketplace in the regional area, thus exposed to volatility factors of the national economy. Iceland has enforced Basel standards on the liquidity coverage ratio (LCR) and the net stable funding ratio (NSFR), which stand at quite high levels for major Icelandic banks. Market funding does not seem to be an issue for banks since pension funds may be a reliable source of external funding in addition to customer deposits. LCR of the 3 major banks stood between 144 percent and 163 percent as of Q2 2022, far higher than the minimum standard. Nonetheless, banks’ liquidity ratios have decreased recently. Competition for deposits has picked up, and market conditions for bond issuance in Iceland and abroad have been more challenging in 2022. Credit spreads on the banks’ foreign market funding have been on the rise and their foreign refinancing risk is increasing. CBI’s FSN is monitoring this situation closely.
67. Profitability of the banking sector has resisted adverse conditions supported by the steady recovery of the Icelandic economy after the pandemic receded. Steady bank profitability has benefited from the rebound of the local economy, notably from back-to-normal tourism activities. Banks have demonstrated their capacity to adapt to emerging technologies and customer trends, such as the general shift towards a cashless economy and electronic banking and payment services. Yet banks’ business models are highly dependent on the national environment and the country’s economic performance, given the domestic nature of the banking sector. On average, main profitability indicators of the 3 major banks stayed resilient during H2 2022, as shown for instance by 9.8 percent ROE and 1.4 percent ROA, with an average low cost-to-income ratio standing at a low 47.5 percent, resulting from aggressive reduction of costs, including staffing and local network of banks’ branches.
Preconditions for Effective Banking Supervision
A. Sound and Sustainable Macroeconomic Policies
68. Iceland GDP growth has steadily rebounded after the pandemic receded. Despite growing global uncertainty, Iceland’s GDP growth prospects have improved. According to CBI’s latest macroeconomic forecast, published in November 2022, preliminary national accounts data suggest that GDP growth in Iceland reached 6.8 percent in H1 2022. GDP growth for 2022 as a whole is estimated at 5.6 percent. However, the outlook for 2023 has improved, and GDP growth is now projected at 2.8 percent, due largely to the prospect of more rapid growth in domestic demand, which in turn is due in part to revised disposable income data indicating that households are better able to support their expenses than was previously assumed. Unemployment is low, significant labor shortages remain, job openings are numerous, and, as a result, there is still a considerable strain on resources. Inflation is still very high at 9.4 percent in October 2022 and is expected to remain high for some time ahead, but to decrease in 2023, although estimates on future inflation trends are quite volatile. CBI has aggressively hiked the rate on seven-day term deposits up to 6 percent throughout 2022.
69. The government budget deficit was lower than projected in 2021, and public debt remains stable. The 2021 general government deficit stood at 8.9 percent of GDP. The relatively mild impact of the pandemic on economic activity during most of the year resulted in lower transfers. Expiring support measures were partly offset by stronger government consumption and active labor market policies, including hiring incentives. Public debt growth moderated due to a favorable growth-interest dynamic and the partial privatization of Islandsbanki, with net debt ending 7 percentage points of GDP lower than envisaged, at 59.9 percent of GDP. The planned fiscal consolidation aims to restore fiscal buffers and reactivate the existing fiscal rules. Contingency margins are appropriately planned and should be used in a targeted manner if downside risks materialize, while potential windfall revenues should be saved. The fiscal framework has served Iceland well, and its integrity should be preserved.
70. Specific aspects of the macroeconomic situation and policies may potentially affect the performance and structure of the banking system. Current macroeconomic conditions may have various positive and negative effects at some point on the banking sector. From a high-level perspective, and with much cautious given global uncertainty, the following considerations may be highlighted usefully from the BCP assessment viewpoint: (i) steady growth and low unemployment may be strong structural drivers of banks’ profitability; (ii) buoyant real estate market may also be supporting bank profitability as long as it may last, and it may also be beneficial to banks’ asset quality, since higher collateral valuation may help reducing expected loan losses and subsequent provisioning; (iii) yet Authorities should beware of a possible real estate bubble that might result in significant adjustment of banks’ valuation of their credit exposures; (iv) high and long-lasting inflation, which has been quite unusual for decades, may have some structural impact on banks’ management of asset and liabilities pricing and activity, therefore on bank profitability; (v) in that regard, the usual Icelandic bank practice of inflation-indexed interest rates loans and/or variable interest rates loans may be changing in such new high interest rate environment, and future trends of banks’ net margins are not yet fully clear; (vi) major banks’ business models are being adapted to global evolution of the economic and risk environment, yet such adaptation for less significant institutions like savings banks looks less clear from public sources of information; (vii) pensions funds are becoming critical players within the financial system, getting more control power on banks on many fronts, which might become a source of concern because regulation and supervision of pension funds should be enhanced (see the FSAP TN on pension fund oversight).
B. Well-Established Framework for Financial Stability Policy Formulation
71. The framework for macrofinancial surveillance is strongly established under CBI’s umbrella. CBI implements macrofinancial surveillance, more specifically macroprudential supervision of the banking sector, through the FSN with the support of the Financial Stability department of CBI. Specific disclosure is made on financial stability semi-annually by CBI18. In performing its role of promoting financial stability and a sound and efficient financial system, including domestic and cross-border payment systems, CBI focuses on assessing risks facing systemically important financial institutions, identifying macro-financial imbalances, and securing safe and sound operation of payment and securities settlement systems. CBI regularly analyses risks and threats to the stability of the Icelandic financial system in order to detect changes and vulnerabilities that could lead to a crisis. CBI also carries out macro prudential stress tests to assess resilience against adverse macroeconomic scenarios involving key risk factors. The FSN is also entrusted with deciding which supervised entities, infrastructure elements, and financial markets shall be considered systemically important.
72. CBI uses macroprudential tools applicable to the banking sector, such as the countercyclical capital buffer (CCyB, currently at 2 percent), or borrower-based measures like the loan-to-value (LTV, currently at 80 percent or 85 percent) ratio, and the debt-service-to-income (DSTI, currently at 40 percent) ratio. Given that major banks are classified as D-SIBs, they are also closely monitored from a financial stability perspective. Notably, major banks’ liquidity and funding risks are therefore included in the scope of both financial stability and FMENs and departments within CBI, which cooperate to leverage on their respective expertise and outcomes.
73. Mechanisms for effective cooperation and coordination of relevant authorities involved in banking supervision are in place, though not being utilized at this time given very limited cross-border banking in Iceland. Since CBI has legal supervisory powers on the financial sector, this institutional set-up intrinsically facilitates cooperation among relevant authorities. At the domestic level there is a formal cooperation agreement on AML/CFT, and continuous informal cooperation with the MoFEA. At an international level, cooperation needs for banks are quite low, since there is no foreign bank operating in Iceland through a branch nor a subsidiary, and likewise Icelandic banks don’t operate abroad through foreign branches, but only recently one specialized subsidiary in the UK. Nevertheless, CBI has signed MoUs with foreign banking supervision authorities, mostly multilateral arrangements for information sharing on regulation and best practices, not for consolidated supervision of banking groups, which is not needed at this time.
74. CBI is gradually developing external communication and outcomes of financial stability analyzes, risks, and policies in the English language. CBI’s website has been recently enriched with English materials that are more convenient for non-Icelandic-speaking stakeholders outside the country. CBI has developed transparency by disclosing useful information on financial stability and financial supervision, including macroprudential analyses, risk assessment of the banking sector, and multi-year supervisory strategy19. Upgrading official disclosure in English of legislation and rules pertaining to banking supervision is under progress.
75. Iceland is economic environment has several factors of interest that require close attention, given the relatively small size of the country. Relevant factors20 include: (i) a steady increase of housing and real estate valuations, which could create a bubble at some point, and possibly impact the mortgage loan market and asset quality of banks and pension funds, should any adverse shock occur; (ii) the growing systemic importance of pension funds into the global Icelandic financial system, that may require increased surveillance to avoid any unsound governance or inadequate risk management that might undermine the financial soundness of pension funds; (iii) deepening inter-linkages between pension funds and the banking sector in many regards (capital, funding, housing loans). On a more qualitative ground, given the unique geographic and natural specificity of Iceland, as well as its EEA membership, the financial system needs to ensure strong operational resilience against operational risk, including ICT risk (cybersecurity being part of it) and business continuity planning, as well as bank outsourcing of essential support functions to external service providers, which risks CBI is aware of. In addition, CBI has highlighted other factors that could affect the banking sector, among which: (i) loans to non-financial corporations (NFCs), with higher interest rates possibly impacting NFCs’ debt servicing capacity; (ii) liquidity and funding risk, because worsening world economic outlook and increased uncertainty in financial markets may increase the likelihood of an adverse shock that might negatively affect the Icelandic banks’ access to foreign credit, and put stress on the banks’ liquidity position, though banks’ liquidity position is strong for now.
C. Well-Developed Public Infrastructure
76. Iceland has a highly advanced economy with strong public institutions and a well-developed legal framework that includes the enforcement of business laws and fair resolution of disputes. No issue relating to the judicial system and enforcement framework has been raised during the BCP assessment mission, from a banking supervision perspective.
77. Accounting, auditing, and legal professions are organized. Iceland has implemented International Financial Reporting Standards (IFRS), with the largest banks being IFRS9 compliant, including complying with financial disclosure requirements, while savings banks may use national Generally Accepted Accounting Principles (GAAP) under Act No. 3/2006 on Annual Accounts and Rules No. 834/2003 on the Annual Accounts of Credit Institutions. Banks’ financial statements are reviewed and certified by external auditors, most of whom are affiliated with global accounting and audit firms. The audit profession is regulated in accordance to Act No. 94/2019 on auditors and auditing. Auditors must comply with professional standards, such as International Standards on Auditing (ISA).
78. Reliable judiciary is not an issue in Iceland. The country has a strong legal culture and high education. BCP assessors have not met with the Ministry of Justice nor representatives of the judicial system. CBI has not shared any issue regarding judiciary from a banking supervision perspective.
79. Iceland has efficient payments, clearings, and settlement systems. Iceland has become a cashless country, with the use of cash (banknotes and coins) getting less popular, as most payments are being processed electronically. CBI is the authority responsible for oversight of payment and settlement systems. Banks and savings banks operate their own systems for payment intermediation, which can be referred to as intrabank systems. CBI operates the interbank system, which processes and settles instructions for payments between financial institutions. CBI’s interbank payment system is an independent system owned by CBI. It is operated on the basis of Act No. 90/1999 on the Security of Transfer Orders in Payment Systems and Securities Settlement Systems and is subject to Rules No. 1030/2020 on CBI of Iceland Interbank Payment System. In addition, Nasdaq operates the Nasdaq CSD SE securities settlement system, in which transactions are settled via the interbank system. Iceland’s payment intermediation systems are interconnected in many ways, and contagion risk therefore exists. Detailed information on financial market infrastructure frameworks and systems is disclosed by CBI in the November 2022 FSR (pages 41-53). Contingency plans are in place, and cybersecurity is a top priority. Iceland has not developed any Central Bank Digital Currency (CBDC).
D. Clear Framework for Crisis Management, Recovery, and Resolution21
80. The role and mandate of CBI has been clarified with the creation of the new Resolution Authority within CBI. With the enactment of Act No. 70/2020 on Resolution of Credit Institutions and Investment Firms (the Resolution Act), CBI has been entrusted with the powers of resolution. In 2020, the Resolution Authority was created as a separate entity embedded within CBI. The Resolution Authority reports to the Governor of the CBI. The Resolution Authority sits on the FMEN, has developed resolution plans and provided comments on recovery plans for the D-SIBs. Further, the current draft of the Crisis Management Handbook ends at the moment of the failure of the bank and therefore further work is needed on how to manage the resolution of a bank, which will not only improve CBI’s operational effectiveness during a crisis, but enhance cooperation and coordination mechanisms amongst the Icelandic regulatory agencies.
E. Appropriate Level of Systemic Protection (Public Safety Net)22
81. As of 30 June 2022, of all bank deposits in the Icelandic system approximately 46 percent are insured by the Icelandic Depositors’ and Investors’ Guarantee Fund (TVF). There was a total of ISK 2,467 billion in deposits, of which ISK 1,139 billion (or approximately 46 percent of all deposits) was insured as of 30 June 2022. TVF is a private non-profit institution operating pursuant to Act 98/1999 on Deposit Guarantees and Investor Compensation Scheme, with subsequent amendments23 and subject to supervision by CBI. The main task of the TVF is to reimburse covered deposits in a bank bankruptcy (pay-box function).
82. Mechanisms are in place to meet banks’ temporary short-term liquidity needs, when necessary. CBI’s eligibility requirements for emergency liquidity assistance (ELA) extend to domestic financial undertakings, including banks, that are solvent (in accordance with the predefined criterion), be temporarily illiquid, be unable to meet their liquidity needs from an alternative source, have sufficient collateral for ELA according to a predefined minimum requirements standards, and present a recapitalization program that CBI considers to be sufficient/acceptable. For example, during the COVID-19 pandemic, CBI provided ELA and relaxed rules on collateral eligibility to support banks.
F. Effective Market Discipline
83. Rules on corporate governance, transparency, and audited financial disclosure are applicable to the banking sector. Icelandic law, supplemented by EU rules and EBA guidelines, clearly state regulatory requirements on banks’ governance framework, as well as transparency and financial disclosure. CBI refers to highest standards of bank governance, and regularly assesses the adequacy of governance set-up and practices among banks, though not frequently for savings banks. Banks’ financial statements are disclosed after they have passed certification from independent external auditors and are available to the public. Both CBI and major banks disclose financial information on their websites. CBI ensures that rules on transparency of bank ownership are adhered to, notably disclosure of information on beneficial owners of banks’ shareholdings of 1 percent or greater. Licensing powers are attributed to CBI for banks, which enables close scrutiny of banks’ capital shareholding structure, in view of identifying banks’ ultimate beneficial ownership (UBOs) properly.
84. Appropriate regulation is in place for the hiring and removal of senior management and board members of banks, as well as the protection of shareholders’ rights. CBI is in charge of the examination of applications submitted by all new banks’ senior managers and board members, using fit and proper criteria aligned with latest EU rules and EBA guidelines that are incorporated in the Icelandic legislation. Applicants are subject to interviews at CBI to ensure they have appropriate expertise and don’t face any compliance issue such as conflict of interest. Monitoring potential conflicts of interest, as well as identification of connected and related parties, looks quite essential in Iceland, given that the small size of the country and limited cross-border banking may result in possible interconnectedness of a limited number of influent persons.
85. CBI supervises business conduct of the banking sector to strengthen consumer protection and improve market conduct. CBI performs checks to ensure that information provided to consumers is correct and honest, that advisory services are provided in customers’ interests, that pricing is transparent, and that marketing materials and sales practices are neither misleading nor deceptive. In addition, the Complaints Committee of Transactions with Financial Firms, which does not operate under the auspices of CBI, deals with disputes between consumers and credit institutions, securities firms, or the subsidiaries of such financial firms. The Committee operates in accordance with an agreement between the MoFEA, the Financial Services Association, and the Consumers’ Association of Iceland since December 202124. Besides, The Complaints Board for Goods and Services is an independent official institution which settles disputes between consumers and sellers on most types of contracts regarding purchase of goods or services. The Boards’ purpose is to ensure that consumers have access to effective and professional procedures for resolving disputes outside of courts. The BCP assessment has not assessed the availability and adequacy of market and consumer information regarding the banking sector, which topics are not within the scope of BCPs. Also, the Consumer Agency25 is generally in charge of overseeing consumer protection, including in financial services.
86. Disclosure of government’s influence in banks is material for Iceland. As mentioned, 2 out of the 3 major banks have significant State ownership, and the recent sale of a large State shareholding in Islandsbanki in 2022 has raised public concern regarding the transparency of the privatization process. CBI was not initially involved in this case, as the increase of controversial qualifying holdings in the bank’s capital share stood below the legal thresholds that would require a formal approval by CBI. Nevertheless, CBI supervises state-owned banks following applicable regulation and regular supervisory practice.
87. Tools for the exercise of market discipline refer to the EU rules and EBA guidelines. International financial disclosure requirements (Pillar 3 of the Basel framework) have been successfully implemented in Iceland.
88. There is an effective framework for mergers, takeovers, and acquisitions of equity interests, possibility of foreign entry into the markets and foreign-financed takeovers. CBI approves major acquisitions in the banking sector, adequately covering both domestic or crossborder acquisitions. Iceland has not issued any legal obstacles to the foreign acquisition of domestic banks.
Detailed Principle-by-Principle Assessment
Supervisory Powers, Responsibilities, and Functions |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 1 |
Responsibilities, Objectives, and Powers An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups.26 A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns.27 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The responsibilities and objectives of each of the authorities involved in banking supervision28 are clearly defined in legislation and publicly disclosed. Where more than one authority is responsible for supervising the banking system, a credible and publicly available framework is in place to avoid regulatory and supervisory gaps. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
CBI of Iceland (CBI) is the primary banking supervisory authority in Iceland. CBI is an independent institution owned by the State and operating under the auspices of the Prime Minister. Further, two of the three areas of responsibility of the CBI, financial supervision and financial stability are administrative matters of the MoFEA according to the presidential decree. Act No. 92/2019 on CBI of Iceland (Act No. 92/2019) Article 2 states that CBI shall promote price stability, financial stability and sound and secure financial activities. CBI shall also undertake such tasks as are consistent with its role as a Central Bank, such as maintaining international reserves and promoting a safe, effective financial system, including domestic and cross-border payment intermediation. The Financial Supervisory Authority (previously known as the FME) was merged with CBI beginning 2020, now referred to as “The Financial Supervisory Authority of CBI of Iceland” (CBI/FSA) wherein CBI administers all functions previously entrusted to the FME by law and Governmental directive. CBI/FSA is an integrated supervisor with both a prudential and a regulatory role overseeing supervisory activities, including banking. CBI/FSA ensures that the activities of supervised entities are in compliance with the laws, regulations, rules, or company statutes governing such activities, including banking. The application of CBI’s policy instruments and powers are in the hands of three committees: Monetary Policy Committee, FSN and FMEN. The Central Office of CBI oversees all activities of the bank and support the functioning of the three main committees. See more details on the two Committees pertinent to banking in CP2 EC1. Article 2(4) of the Act No. 92/2019 states that CBI shall undertake those tasks that are entrusted by law and Governmental directives to the FSA, and the FSA shall be part of CBI. The Bank shall monitor supervised entities to ensure that their activities are in compliance with the law and with Governmental directives, and that they are in other respects consistent with sound and appropriate business practice; the Act No. 87/1998 on the Official Supervision of Financial Activities (Act No. 87/1998). Description of the Resolution Authority With the adoption of Act no. 70/2020 on Resolution of Credit Institutions and Investment Firms (the Resolution Act), the Resolution Authority within CBI was entrusted with powers of resolution. This provides the Governor/CBI with the authorization to take decisions on resolution procedures and apply resolution measures in the case of credit institutions and investment firms that are failing or likely to fail (i.e., those that are unable to service their liabilities or are highly likely to be unable to do so). According to Article 4 of the Act, CBI’s Resolution Authority shall be separate from other activities within the Bank’s organizational structure. CBI’s Resolution Authority formally commenced operation in November 2020, and it has issued rules on the practice of the Resolution Authority no. 1733/2021 in accordance with Article 4 of the Resolution Act. The rules outline the requirements for the separation of the Resolution Authority from the other activities of CBI and the decision-making regarding resolution. According to the first paragraph of the rules the office of the Resolution Authority reports directly to the Governor. Role of the Ministry of Finance and Economic Affairs (MoFEA) The MoFEA administers matters relating to financial stability and financial markets. It has regulatory but no direct supervisory powers with regard to the supervision of banks. The MoFEA oversees the enacting of the banking legislative process, based on recommendations from CBI/FSA where applicable. In addition, the Prime Minister appoints members to the FMEN and the FSN, of which has government representatives on each of the Committees (see CP2 EC1 for more detail). The MoFEA appoints the external members of the FMEN and FSN. The Prime Minister appoints the DGs of Financial Stability and Financial Supervision based on nominations from the MoFEA (DGs are members of the FMEN and FSN). For the FMEN the Prime Minister chooses which official to appoint from the MoFEA to the FMEN (this is not mandated by law). Moreover, as prescribed in the CBI Act, the MoFEA representative on the FSN is only an observer. The MoFEA implements regulations regarding various matters, for example, among other things:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC 2 |
The primary objective of banking supervision is to promote the safety and soundness of banks and the banking system. If the banking supervisor is assigned broader responsibilities, these are subordinate to the primary objective and do not conflict with it. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
CBI has separate objectives, but they do not conflict with its primary banking supervisory role. These separate objectives are: to promote price stability, financial stability and sound and secure financial activities. CBI shall also undertake such tasks as are consistent with its role as a Central Bank, such as maintaining international reserves and promoting a safe, effective financial system, including domestic and cross-border payment intermediation. CBI/FSA, as an integrated supervisor, is also responsible for conduct of business supervision, insurance companies, other credit undertakings and payment services entities. The relevant sections of Article 1(1) and (2) of Act 87/1998 states that the aim of this Act is that regulated entities act in accordance with laws and rules and that the activities are in accordance with sound and proper business practices...and that the aim of the supervision of financial activities is to promote a sound and safe financial market and to reduce the likelihood that the activities of regulated entities will lead to damage to the public. Article 8 of the same Act specifies that the FSA “shall monitor the compliance of the activities of the regulated entities with laws, regulations, rules or resolutions concerning such activities, and their consistency in other respects with sound and proper business practices.” Article 1 of Act 161/2002 establishes that the purpose of the law is to ensure that financial undertakings are operated in a sound and normal manner in the interests of customers, shareholders, guarantee capital owners and the entire economy. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
Laws and regulations provide a framework for the supervisor to set and enforce minimum prudential standards for banks and banking groups. The supervisor has the power to increase the prudential requirements for individual banks and banking groups based on their risk profile29 and systemic importance.30 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
As part of SREP, CBI/FSA regularly assesses D-SIB’s total capital adequacy based on the ICAAP submitted to CBI. In practice, CBI has raised prudential requirements on a bank for individual banks and banking groups when a risk is assessed throughout the supervisory cycle. Further, CBI/FSA uses the provisions of Article 107 (a) of Act 161/2002 which establishes that the supervisor shall demand that a financial undertaking take the necessary corrective measures in a timely manner if the undertaking does not comply with the provisions of this Act, as well as the regulations and rules adopted by virtue of it. The FSA is authorized to prescribe: 1) a higher total capital ratio, 2) better internal processes, 3) that a financial undertaking present a special plan on how the undertaking will fulfil the requirements and set deadlines for improvements, 4) write-down of assets, 5) restrictions or limits to activities, 6) reduction of the risk, 7) limit bonuses, 8) use of net profit to strengthen the own funds, 9) limit or prohibit dividend, 10) impose special liquidity requirements, 11) increase data submission and 12) special disclosure to the market. The FSA has imposed Pillar 2 add-ons according to results of Supervisory Review and Evaluation process (SREP) and the new individual capital adequacy ratio (CAR) is then considered the regulatory minimum for that bank. The CBI has effectively and actively used the Article to impose Pillar 2 requirements to banks according to their risk profile and systemic importance. Assessors were able to verify evidence of this type of action. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
Banking laws, regulations and prudential standards are updated as necessary to ensure that they remain effective and relevant to changing industry and regulatory practices. These are subject to public consultation, as appropriate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Acts No. 87/1998 and No. 161/2002 have been amended several times, mostly to reflect EU legislation and after 2008 to allow for crisis-related measures. As a member of the European Economic Area (EEA), Iceland has the obligation to transpose into national legislation the EU Directives and Regulation regarding prudential requirements for banks that have been incorporated into the EEA Agreement. Extensive changes were also made to Act No. 161/2002 due to the merger of CBI and the FSA and finalized implementation of the CRD IV package (CRD IV, CRD V and CRR I and CRR II). Assessors recommend that CBI/FSA implement in prudential guidance in the material risk areas to ensure that banks know and understand all the recently transposed EU legislation and that the guidance is tailored to the Icelandic jurisdiction. It is noted that CBI participates in the working groups responsible for drafting legislation, but it does not have the power to initiate and propose legislation regarding banking supervision, that power lies with the MoFEA. CBI can issue rules (called “rules”) when explicitly authorized to do so by legislation, and on a specific topic (Article 78(a-i) of Act 161/2002). CBI is generally authorized to issue and publish guidelines on the activities of regulated entities, if their substance concerns a group of regulated entities, according to Article 8 (2) of Act 87/1998. These are called “Guidelines,” and they generally reflect CBI/FSA’s interpretation of laws and regulations and are not legally binding. All changes to or introduction of legislation or guidelines is subject to public consultation. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor has the power to:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
A) CBI has full access to banks and banking group board, management, staff and records in order to review compliance with internal and external rules. According to Paragraph one of Article 9 of Act No. 87/1998 on Act on Official Supervision of Financial Activities supervised entities are required to grant CBI access to all their accounts, minutes, documents and other material in their possession regarding their activities, which CBI considers necessary. According to Paragraph three CBI can in connection with its supervision and investigations under the provisions of special legislation e.g., Act No. 161/2002 on financial undertaking, require natural and legal persons to supply the FSA with any information and material the Authority considers necessary. In this context it is of no relevance whether the information concerns the party to which the request is directed or transactions with other parties on which the party is able to supply information which concerns the investigation and supervision of the FSA. In addition, CBI has extensive powers to request information based on Article 107 of Act no. 161/2002. FSA can impose a sanction, according to Article 11 of Act No. 87/1198, if obliged entity doesn’t deliver requested data. B) CBI can review the overall activities of a banking group, both domestic and crossborder, cf. Article 107 of Act No.161/2002. If the activities are cross-border CBI would contact relevant authorities for cooperation. C) There are no foreign banks incorporated in Iceland. If a foreign bank that has headquarters outside the EEA CBI can grant the bank special authorization to incorporate in Iceland, cf. requirements stated in Article 33 of Act. 161/2002. The process for passport notification for banks within the EEA is a specific dialogue between the home and host supervisors according to Articles in the Banking Directive (CRD IV). CBI has extensive powers to supervise foreign bank incorporated in Iceland according to Article 34 of Act. 161/2002. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
When, in a supervisor’s judgment, a bank is not complying with laws or regulations, or it is or is likely to be engaging in unsafe or unsound practices or actions that have the potential to jeopardize the bank or the banking system, the supervisor has the power to:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
A) According to Article 10 of Act No. 87/1998 CBI can take action if a supervised entity is not complying with law or other rules governing their activities as well as require corrective actions. According to Paragraph one and two of Article 107 a of Act No. 161/2002 CBI can insist that supervised entity takes corrective actions if it does not comply, or it is likely that the bank will not comply with Act No. 161/2002 or regulations based on the Act. The timely corrective actions, but limited to, that CBI can:
Furthermore, according to Article 107 (c) of Act No. 161/2002 CBI can use early intervention measures if the supervised entity is not complying with law and rules or it is likely that the entity will not comply with law and rules, including CRR. The early intervention measures, but not limited to, stipulate that CBI can:
Finally, Article 107 (g) and (h) state that when supervised entities operate cross border within the EEA the supervisory authorities shall cooperate in their supervisory measures. B) CBI can impose a range of sanctions e.g.:
C) Article 9 of Act No. 161/2002 on financial undertakings indicates that CBI can revoke a banking license. D) According to Article 107 a in Act No. 161/2002 the FSA shall demand that a financial undertaking take the necessary corrective measures in a timely manner if the undertaking does not comply with the provisions of this Act, as well as the regulations and rules adopted by virtue of it, or if data or information in its possession, the FSA considers it likely that a financial undertaking will not be able to comply with the provisions of this Act within the next 12 months. According to Article 107 c in Act No. 161/2002 The FSA can apply early interventions against a credit institution or investment firm with guarantee capital. In the circumstances referred to in point (a) or (b) of the first paragraph of Article 107 c, a credit institution or investment firm is obliged to provide the Financial Supervisory Authority with all the information deemed necessary to be able to update the resolution plan and assess the assets and liabilities of the relevant undertaking and its possible resolution procedure according to the Act on Resolution of Credit Institutions and Investment Firms. The resolution authority shall have access to that information. The FSA shall immediately inform the resolution authority of a credit institution or investment firm if the circumstances are such that an early intervention is permitted pursuant to the first paragraph. According to Article 34 in Act No. 70/2020 on Resolution of Credit Institutions and Investment Firms the FSA decides, after consultation with the resolution authority, whether an undertaking or entity pursuant to points (b) to (d) of the first paragraph of Article 2 is failing or likely to fail and the relevant parties shall be notified of the result without delay. According to Article 34 of the same Act The FMEN decides upon receipt of a notification of a failing bank whether it is necessary to take resolution actions against it in order to achieve the objectives of Act No. 70/2020. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor has the power to review the activities of parent companies and of companies affiliated with parent companies to determine their impact on the safety and soundness of the bank and the banking group. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
The supervisor has the power to review the activities of parent companies and of companies affiliated with parent companies to determine their impact on the safety and soundness of the bank and the banking group according to Paragraph 2 in Article 107 in Act No. 161/2002. CBI/FSA supervises the activities of financial holding companies, mixed holding companies and mixed financial holding companies that are established or operate in Iceland. The supervision of the FSA as a supervisory body on a consolidated basis covers the activities of financial holding companies, mixed holding companies and mixed financial holding companies, the parent company of such companies and their subsidiaries, when they are located in another country, and the supervision can therefore be conducted in cooperation and consultation [with the competent authorities in the relevant Member State in accordance with Section C in the chapter. According to paragraph 4 in Article 107 in Act 161/2002 the FSA may demand any sort of data or information from [the financial holding companies, mixed holding companies and subsidiaries of such companies] provided the FSA deems such information to be necessary for its supervision of financial undertakings which are subsidiaries of these holding companies. Article 107(c) outlines early interventions by the Financial Supervisory Authority. Article 107 (g) states the same for with respect to a parent company. Article 109 outlines the Prudential requirements on a consolidated basis. The provisions of Chapters VII, IX and IX A of the Act shall apply to groups where the parent company is a financial undertaking, mixed financial holding company or financial holding company. The parent company shall be responsible for implementation of this provision within the group. The provisions of Article 52 and 52(a) on the eligibility requirements of board members and managing directors and other duties of board members and provisions Chapter VII Section C on remuneration also apply to financial holding companies. According to paragraph 4 of the Article the Financial Supervisory Authority may decide that the provisions of the first paragraph of this Article and [the ninth and tenth paragraphs of Art.97]3) shall also apply in other instances involving a financial undertaking which alone or jointly with another party has such ownership links to an undertaking that it is deemed necessary to apply these provisions. According to paragraph 5 the FSA may decide that an undertaking shall be considered part of a consolidated financial undertaking when the financial undertaking has a decisive influence on the company. In addition, FSA also assesses the suitability of qualified holders, both when they become qualified holders and also on an ongoing basis, cf. Article 49 of the Act. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 1 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
CBI is the primary regulator of the banks, which came into effect when it merged with the FSA beginning of 2020. Although CBI has separate objectives (e.g., to promote price stability, financial stability and sound and secure financial activities), they do not conflict with its primary banking supervisory role. Iceland has a suitable legal framework for banking supervision wherein the supervisory authority has the necessary powers to conduct ongoing supervision, including the use of corrective actions on a timely basis. The EU regulatory framework for banks has been transposed into law over several years (CRDIV package (with CRDV and CRR II amendments completed last year); however, CBI has not issued guidelines to banks in the key risks that would provide clarity of CBI’s expectations to the banking industry and to ensure the EU rules are tailored to the Icelandic environment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 2 |
Independence, accountability, resourcing, and legal protection for supervisors The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The operational independence, accountability and governance of the supervisor are prescribed in legislation and publicly disclosed. There is no government or industry interference that compromises the operational independence of the supervisor. The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
There are several factors discussed below that speak to CBI’s operational independence, accountability and governance as a supervisor of banks. CBI’s independence may be compromised with government (MoFEA) representation sitting on the FMEN as this Committee makes decisions on micro prudential banking supervisory matters. Further, there is an issue with both accountabilities, but also with operational effectiveness (see EC4) given the lack of a formal legal delegation framework in place from the Governor to others. Please see assessors’ comments at the end of EC4. CBI is an independent institution owned by the State and operates under the auspices of the Prime Minister, cf. Art. (1) of Act no. 92/2019 on the Central Bank of Iceland (hereafter “CBI Act”). The Governor of the Central Bank directs and is responsible for the Bank’s operations and is authorized to take decisions on all matters not entrusted to others by law according to Art. 3 of CBI Act. Article 8 of CBI Act describes the role of CBI’s Supervisory Board. The Supervisory Board monitors the Bank’s compliance with the statutory provisions applying to its activities. Note that the monitoring by the Supervisory board of CBI does not include case handling or decisions on specific banking supervisory matters. One Deputy Governor (DG) oversees matters relating to monetary policy, another oversees matters relating to financial stability, and the third oversees matters relating to financial supervision. The FMEN takes decisions entrusted to the FSA by law or Governmental directives. The Committee may assign to the DG for Financial Supervision its authority to take non-major decisions, cf. A 15(1) of CBI Act. Article 15(2) of CBI Act states that the FMEN shall comprise the DG for Financial Supervision, the DG for Financial Stability, and three experts in financial market affairs who shall be appointed by the Minister responsible for the financial market, for a term of five years. The composition of the FMEN shall be such that the Committee collectively possesses sufficient expertise, qualifications, and experience to carry out the tasks entrusted to it. According to Article 4 of CBI Act, the Prime Minister appoints the Governor for a term of five years. The three Deputy Governors are also appointed by the Prime Minister (nominated by MoFEA) for a term of five years. For further information on the appointment of the Governor, Deputy Governors, and the members of the Financial Supervision Committees, we refer to CP2-EC2. Representation on the FMEN: The composition of the FMEN shall be such that the Committee collectively possesses sufficient expertise, qualifications, and experience to carry out the tasks entrusted to it, cf. Article 15(2) of CBI Act states that the Minister may only appoint the same person to the FMEN twice. The DG for Financial Supervision shall chair the FMEN, and the DG for Financial Stability shall be vice-chair. When decisions are taken on the adoption of rules of procedure pursuant to Article (16)(2) and on entrusting the DG for Financial Supervision with taking non-major decisions and decisions concerning systemically important financial institutions’ equity, liquidity, and funding; the Governor shall take a seat on the FMEN as its Chairman, and the DG for Financial Supervision shall be vicechair. FMEN members appointed by the Minister shall appear before the Parliamentary committee of the Speaker’s choosing before the appointment takes effect, or as soon as possible. They shall be legally competent to manage their own affairs and shall have no record of deprivation of control of their estate. They must have a good reputation and may not, in connection with business operations, have been convicted of a punishable offence under the General Penal Code; acts of law on public limited companies, private limited companies, accounting, financial statements, or bankruptcy; or other special legislation applying to regulated entities. Furthermore, they may not undertake work outside the Bank that could cast doubt on their impartiality. Should a dispute arise concerning the application of this provision, the Minister shall decide the issue. The Minister may, in a Regulation, set more detailed provisions on the qualifications of FMEN members, cf. A 15(3) of CBI Act. The Minister has not issued such a Regulation. Currently the FMEN has a MoFEA representative on the Committee (DG, Department of Financial Services).. The Governor and DGs may not sit on the board of directors of an institution or commercial enterprise outside the Bank, nor otherwise participate in commercial operations except as required by law or in the case of an institution or commercial enterprise in which the Bank is involved. Should a dispute arise concerning the application of this provision, the Minister shall decide the issue. Employees of CBI of Iceland may not serve as executives, employees, auditors, attorneys, or actuaries of regulated entities. Provisions on Central Bank employees’ participation in the boards of directors of institutions and commercial enterprises shall be laid down in rules on the Bank’s activities set by the Governor and DGs. The Minister shall set rules on business transactions conducted with supervised entities by the Governor; DGs; external members of the Monetary Policy Committee, FSN, and FMEN; and Bank employees. These rules shall, among other things, provide for restrictions on their authorization to undertake financial obligations towards regulated entities or to own holdings in them, cf. Article. 5(4-6) of CBI Act. The FMEN shall meet ten times a year on average. According to the Committee’s Rules of Procedure, Art. 3.4., when decisions are taken in major matters pursuant to Articles 5.1 and 5.2 of the Rules of Procedure, a memorandum describing the circumstances of the case, the case handling, and a reasoned proposal for a decision shall be made available, together with relevant documentation. The secretary of the FMEN prepares the agenda for each meeting, upon prior consultation with the DG for Financial Supervision or, in those instances when the Governor chairs the Committee, with the Governor. In general, the agenda and other materials necessary for the meeting shall be sent to Committee members or made accessible to them at least five days before the meeting. Decisions by the FMEN shall be taken by a simple majority of votes; in the case of a tie, the chair shall cast the deciding vote. A record of minutes shall be maintained, containing all that transpires at meetings of the FMEN, and shall be signed by those in attendance. CBI has no input into the matter of who is appointed as an external expert on the Committee. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The process for the appointment and removal of the head(s) of the supervisory authority and members of its governing body is transparent. The head(s) of the supervisory authority is (are) appointed for a minimum term and is removed from office during his/her term only for reasons specified in law or if (s)he is not physically or mentally capable of carrying out the role or has been found guilty of misconduct. The reason(s) for removal is publicly disclosed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
The process and minimum term of appointment for the Governor and DGs is clearly outlined in Article 4 of Act no. 92/2019 as follows (please note “Minister” refers to the Prime Minister):
According to work processes of CBI, an announcement is published on CBI’s website when Governors or DGs are appointed, or their appointed time is over. The same applies when managers are recruited, or they do resign. Process for the appointment of a member of the Supervisory Board is as follows: According to Article 6 of the CBI Act and Article 1.1 of the Rules of Procedure pertaining to the CBI Supervisory Board state that: “The Supervisory Board is elected following Parliamentary elections. The Board comprises seven representatives and an equal number of alternates who are elected by proportional vote in Parliament. It is prohibited to elect board members or employees of supervised entities, or owners of qualifying holdings in supervised entities, to sit on the Supervisory Board. The same applies to members of Parliament, alternate members of Parliament, and Cabinet ministers. Supervisory Board members shall possess sound knowledge of administration and of the statutory and regulatory instruments that apply to the Central Bank. The aim shall be to ensure that Supervisory Board members have broadbased knowledge of the Icelandic economy, the financial market, management, and commercial operations. The mandate of the Supervisory Board remains in place until a new Board is elected. If a principal member of the Supervisory Board vacates the position, an alternate shall assume this seat until Parliament has elected a new principal member for the remainder of the term of the Supervisory Board.” The process and reasons for appointment of both the governing head (e.g., the Governor of CBI) and members of the governing body (e.g., the Supervisory Board) is clear in Act 92/2019 (as indicated above). However, the process and reasons for dismissal for the Governor or a member of the Supervisory Board is not clear in this same legislation. Other Icelandic legislation from an administrative perspective is utilized, if needed, as follows:
Assessors note that CBI or the Prime Minister would not necessarily publicly disclose the reasons for removal of the head of the banking supervisor. Although the alternative legislation (as listed above) does outline the person responsible for dismissal of a government employee, the process and reasons for dismissal of both the Governor and supervisory board members are not explicitly outlined in Act 92/2019. Assessors therefore recommend that Act 92/2019 be amended to ensure the transparency of the process and reasons for dismissal for both the Governor and members of the Supervisory Board. It is important for the public to made aware, on a timely basis, if the Governor and or member of the supervisory board has been removed from office. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor publishes its objectives and is accountable through a transparent framework for the discharge of its duties in relation to those objectives.31 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
There is an annual Financial Supervision report published with the following purpose:
In publishing this report, CBI also attempts to ensure an appropriate level of transparency about FSA Iceland’s work and priorities and to foster informed discourse about the financial system. The last Report is available here: Financial supervision_2022__.pdf (cb.is) CBI’s accountability is demonstrated in its extensive publishing activities and reports, the statements and minutes of meetings of standing committees and regular communications with parliamentary committees, CBI’s Supervisory Board, ministers, supervisory institutions, the media and others whom CBI’s matters concern. CBI strives to be transparent, credible and responsible in its relations with all stakeholders. For instance, the decisions of the FSA/CBI maybe made public as provided for by law (Article 9(a) of Act No. 87/1998 for example SREP results), together with explanations of their assumptions and assessment of the situation. Decisions of the FMEN are published as provided for by law and CBI’s policy on the publication of case results. The FSN and FMEN submit a report on their work to Parliament (Althingi) once a year as provided for by law. Their reports are discussed in the parliamentary committee decided on by the Speaker of the parliament. CBI also interacts with and has obligations towards foreign supervisory bodies, particularly in connection with EEA internal market co-operation, in which Iceland participates. Most significant among them are the European supervisory bodies in the financial market. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor has effective internal governance and communication processes that enable supervisory decisions to be taken at a level appropriate to the significance of the issue and timely decisions to be taken in the case of an emergency. The governing body is structured to avoid any real or perceived conflicts of interest. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Central Bank of Iceland — organisational chart
Please see the organization structure of CBI above32. There are several factors that could impact CBI’s internal governance and supervisory decision making processes pertaining to banking supervision and regulation. For example, the role of the FMEN in CBI/FSA’s decision making processes for the prudential supervision of banks and whether or not there is a need to deal with perceived or real conflicts of interest with government representation on FMEN and last, to ensure ongoing clarity of roles and responsibilities with CBI, a formal delegation of authority should be considered to ensure greater operational effectiveness. Article 3 of the Act No. 92/2019 states that the Governor of CBI directs and is responsible for the Bank’s operations and is authorized to take decisions on all matters not entrusted to others by law. Furthermore, decisions entrusted to the FSA by law or Governmental directives shall be under the auspices of the FMEN (Article 15). The Rules of Procedure of the FMEN are published on CBI’s website33, govern the decision making process. There are weekly meetings with the Governor of CBI, the DG of Financial Supervision as well as the directors of the supervisory divisions and the director of the General Secretariat, where matters of supervision are discussed, and decisions taken regarding the procedure. Following that (e.g., both the DG of Financial Supervision and the General Secretariat sign off on all material prior to be provided to the FMEN) the case is placed before the FMEN for a final decision, if it is a decision that is to be taken by the Committee. See organizational chart about for post-merger structure of CBI. Please see EC2 for greater detail on the operational set up of the FMEN. As previously stated, The FMEN takes decisions entrusted to CBI/FSA by law or Governmental directives. The Committee, if deemed appropriate, may assign to the DG for Financial Supervision its authority to take non-major decisions. The FMEN has adopted Rules of Procedure which are published on the FSA website, and they lay out which decisions are to be taken by the Committee. Decisions of the FMEN vs. the DG for Financial Supervision. The FMEN’s Rules of Procedure outlines what decisions the Committee can/will take. Regarding all other decisions, the authority to take decisions has been assigned to the DG for Financial Supervision. CBI/FSA has adopted Rules of Signature which accompany its Rules of Procedures that outline what decisions have been assigned to the Directors by the DG for the implementation of financial supervision of banks. The following are examples of decisions that the DG signs:
The Directors, each in their respective areas of responsibility, sign, apart from the abovementioned decisions, the following decisions:
In the rules there is also an article on what the Heads of units may sign, however there is lacking a formal delegation of authority with respect to which levels within the CBI may approve certain decisions, beyond the Governor’s authority and that decisions that are assigned to the FMEN with respect to banking supervision. This current structure is up for discussion/potential change (see draft bill of legislation below). Draft Bill of Legislation The Prime Minister’s office put forth a draft bill of legislation on the “on-line public consultation portal” 34for consideration regarding the amendments on CBI Act No. 92/219 regarding FMEN. The draft bill of legislation proposes to make the following changes:
Reasons provided by the Prime Minister’s office indicated that the assessment committee pointed out that CBI itself should be taking decisions in the field of financial supervision in a manner similar to other authorities, leaving FMEN to deal with the remaining tasks of an administrative nature pertaining to financial supervision, such as decisions that would principally include the application of administrative sanctions and coercive measures, such as the application of per diem fines to press for improvements and the revocation of operating licenses and registering of violations and the FSN to deal with financial stability matters. Assessor’s Comments: Since the merger, CBI/FSA’s operational effectiveness and overall accountability framework is somewhat weak as it has yet to develop and implement a legal delegation of authority framework which would set out what powers, duties and functions for the administration of the various banking supervision legislation, regulations, guidelines, etc. have been or should be delegated by the head of the institution (e.g., in this case the Governor) and to whom (DG, Directors, FMEN, etc.). It is noted that FMEN’s “Rules of Procedures list out certain decisions that will be passed or delegated from the FMEN and to whom. It is critical that CBI put in place, its own internal delegation of authority, beyond its internal “signatory document”, to ensure operational effectiveness is clear as decisions pertaining to prudential supervision of banks should not be unnecessarily impeded nor the level of sign off be questioned legally, especially when issues and timely decisions need to be taken in case of an emergency situation or the prompt corrective measures being utilized (e.g., dealing with a problem bank). Further, as some members of the FMEN represent the MoFEA, and cases where their impartiality may be doubted are to be decided by the Minister, there is the potential of a real and/or perceived conflict of interest for the members that represent the MoFEA to be overseeing prudential decisions on the D-SIB, in particular when two of the D-SIBs are either state owned or have a substantial government interest in the bank. Although the MoFEA representatives have adequate qualifications to fulfill their roles, as well as appearing before a Parliamentary committee prior to appointment, having MoFEA representatives makes micro-prudential decisions from a bank “regulator” viewpoint with respect to banks lacks the necessary “independence” that a bank regulator is requ ired to have when making prudential and at times necessary decisions pertaining to safe and sound banking system. Assessors recommend that CBI, MoFEA and the Prime Minister ensure the independence of representatives to fulfill the respective roles on the FMEN. It is acknowledged that the Minister of Finance sits on the Financial Stability Council, which is appropriate and necessary, especially in dealing with banking sector wide/ financial stability issues. Assessors acknowledge that some of these suggested amendments would require legislative amendments to put in place. It is noted that the FMEN also currently oversees all decisions regarding all supervised entities inherited from the FME. This makes the FMEN quit laborious35 (e.g., decisions pertaining to the prudential regulation of banks is carried out by a committee of peers rather than simply the bank regulator) resulting in decisions regarding banking supervision taking longer than expected resulting in delayed communication with the banks on key issues (requirements banks need to address). Further, Basel Standards require the banking supervisor to demonstrate independence when making decisions that are free from real or perceived conflicts of interest. “The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision” (as stated in EC1 criteria). The current structure of the FMEN, CBI does not have the full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision as all micro prudential decisions are taken by a majority vote of the FMEN (a group of external representatives (three members) versus CBI as the bank regulator (two members or if the Governor joins three members). CBI, as the primary regulator of banks/banking groups, should have the full (e.g., “sole”) discretion to make micro-prudential supervisory decisions on a timely basis, without consulting a committee with external representatives, as this lacks the necessary independence if such decisions are to be taken by “vote” on the FMEN. Given the Draft Bill of Legislation has not passed Parliament, assessors comments are with respect to the current operational structure. However, if such an amendment is enacted, with the substantial shift of power, duties and responsibilities to the Governor, a formal delegation of power and decision making from the Governor to other individuals or to the Committee would be considered critical to put in place. This delegation of authorities should have been put in place beginning 2020 at the time of the merger with CBI and the former FME to ensure on-going clarity of roles and responsibilities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor and its staff have credibility based on their professionalism and integrity. There are rules on how to avoid conflicts of interest and on the appropriate use of information obtained through work, with sanctions in place if these are not followed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Rules No. 303/2020 on Business Transactions conducted by the Governor, DGs, External Committee Members, and Employees of CBI with Supervised Entities provide appropriate measures to identify and prevent, or to address, conflicts of interest in connection with CBI employees’ business transactions with supervised entities. These rules are issued on the basis of A 5(6) of CBI Act. CBI also has a Code of Ethics that applies to all staff. The Code of Ethics of CBI of Iceland is based on the Bank’s core values and lays down in detail the ethical principles which its employees are to adopt and be guided by in their work. Article 4 of the Code of Ethics further lays down rules on conflicts of interests. Additionally, A 41 of CBI Act regards confidentiality requirements of CBI’s employees. The Article states that supervisory Board members; the Governor; Deputy Governors; members of the Monetary Policy Committee, FSN, and FMEN; and other employees of CBI of Iceland are obliged to observe confidentiality concerning the affairs of the Bank’s customers; transactions and operations of supervised entities, related parties, or others; and the affairs of the Bank itself; as well as other matters of which they may become aware in the course of their work and which should remain secret in accordance with law or the nature of the case, unless a judge rules that information must be disclosed in court or to law enforcement officers, or there is a legal obligation to provide the information. The same applies to experts, contractors, and others who work for or on behalf of the Bank. The obligation to observe confidentiality remains in effect after employment ceases. According to A 41 (2) of CBI Act, prohibits Supervisory Board members; the Governor; Deputy Governors; members of the Monetary Policy Committee, FSN, and FMEN; and other employees of CBI to use, confidential information that they acquire through their employment with the Bank, including using it for financial gain or to avoid financial loss in business transactions. A violation of CBI Act shall be punishable by fines or imprisonment for up to one year unless more severe penalties are provided for under other legislation. Attempted violations of this Act or participation in such violations shall be punishable according to the General Penal Code of Iceland, No. 19/1940. Finally, Act No. 70/1996 on Government Employees, states the appropriate procedures for a termination of employment and other disciplinary actions applicable when a government employee violates his duties. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor has adequate resources for the conduct of effective supervision and oversight. It is financed in a manner that does not undermine its autonomy or operational independence. This includes:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
CBI’s funding mechanism for the portion of budget needed to fund banking supervision for the FSA, is overly complicated (suitable for when FME operated as a separate entity), dependent upon the MoFEA to submit request for Parliamentary approval (Part A -involves remitting bank supervisory fees to the Treasury), and differs substantially from the funding of CBI (Part C not subject to a fiscal authority or for example, CBI’s income and expenses are excluded from government revenue and expenditure.). This current funding mechanism could undermine CBI’s ability to adequate fund banking resources on a timely basis. A remedy (e.g., change the funding mechanism of banking supervision to Part C to align with CBI’s overall funding mechanism) is needed to ensure CBI, as the banking supervisory authority, has the necessary operational independence and autonomy to ensure it has adequate resourcing to deliver on its mandate as the banking supervisory authority. See comments by the Assessors at the end of this EC for additional information. Further background information includes: According to Art. 1-3 of Act No. 99/1999 on Payment of Cost for Official Supervision of Financial Activities and Resolution Authority, supervised entities and other parties subject to fees shall pay the cost for Official Supervision of Financial Activities in accordance with the provisions of the Act. CBI collects the supervision fee from the supervised entities. The supervision fee is defined as state revenue and is returned to the Treasury. The MoFEA shall, based on a fund appropriation in the budget, determine the allocation of funds for the operation of the FSA which amounts to at least the budget’s estimate of revenue from supervisory fees and payments for special measures under the Act. CBI shall, in its accounting, ensure the financial separation of the official supervision of financial activities from other activities of the Bank and revenues from financial supervision shall only be used to finance the official supervision of financial activities. The Act states also that CBI shall, no later than 1 February each year, submit a report to the MFEA on the estimated operational cost of the FSA for the next year. The report shall, furthermore, assess the development of the FSA’s operations over the next three years, having regard for the time which can be estimated to have been spent on the different classes of parties subject to Article 5. The report of CBI shall be accompanied by an opinion from the Consultative Committee of supervised entities concerning the estimated scope of the operations of the FSA for the coming year together with the reaction of the FMEN (the FMEN also discusses the report itself) on the opinion. If the conclusion of the report gives reason to change the percentage rate of the supervision fee, the MoFEA shall submit a bill there upon to the Althingi (Parliament). If the FSA appears likely to have an operating surplus or loss for the current year, when the report for the next year is prepared, it shall be taken into consideration in determining the supervision fee for the following year. CBI Act provides for the Bank’s independence in Article 1 of the Act. Act on Public Finances no. 123/2015 (point 3. Para. 1 Art. 50) that states that the activities of CBI shall be included in Part C of the State budget together with companies’ majority owned by the state. This classification in the State budget means that CBI is not subject to the state’s fiscal authority, e.g., the bank’s income and expenses are excluded from government revenue and expenditure. CBI/FSA, however, falls under Part A of the State budget where the supervision fee is defined as state revenue and the fee is returned to the Treasury and its disposal is subject to the Minister’s budget based on budget appropriations. CBI stated that it may not maintain its status as an independent entity in accordance with CBI Act given the Part A funding for the FSA. Further, CBI has also stated that its financial independence may have been reduced as CBI does not have the legal authority, according to Act No. 99/1999, to reserve funds for the operation of FSA functions, including banking, should there be a sudden need for an increase in banking supervisory resources occur (e.g., before the parliamentary budget cycle). In this regard it should be noted that CBI is not allowed to lend money to the “state” according to Article 26 of CBI Act and can therefore not assist its own operations of CBI/FSA run out of funding for supervision mid cycle. If a state entity, like the CBI, does exceed its spending caps defined by the Parliament to fund expenditures that are temporary, unforeseeable and unavoidable, the MoFEA has indicated that the Organic Budget Law does provide for different options for securing the necessary appropriation, such as: a) the Minister of MoFEA can authorize a transfer of necessary appropriations from the General Contingency Reserve or b) necessary appropriations can be authorized by Parliament in the Supplementary Budget. Further, it is possible that remaining deficit can be deducted from the following year’s budget appropriation. If necessary, the following year’s appropriation can be adjusted to cover any such deficit through the adjustment of the Supervision Fee charged to banks for the subsequent year. Assessors however are of the view that although there is an ability to adjust the “budget appropriation” mechanism and that this process has been in place for the past 20 years regarding the operation of the FSA, that it is important for the CBI to have the ability to fund/finance banking supervision resources in a manner that does not undermine its autonomy (e.g., self-sufficiency) or operational independence. This suggestion is related to the “funding” of banking supervision, not additional liquidity needs or the “printing of money” (as per Article 29 of the CBI Act). The current process to finance banking supervision is cumbersome and overly complicated and not unlike other Central Banks, who also have the responsibility of banking supervision, the funding of the resources for banking supervision should form part of the overall budget for the Central Bank (e.g., in this case Part C for CBI). This suggestion comes with the obvious accountabilities that CBI should have in reporting to parliament against its funding/resource objectives/responsibilities. (b) salary scales that allow it to attract and retain qualified staff; CBI participates regularly in a market comparison for salaries. The findings show that specialists undertaking FSA tasks receive salaries that are comparable to the financial market. Managers of the FSA, however, receive comparably lower salaries than managers at the same level in the financial market. Article 5 (1-3) of Act No. 92/2019 states the Governor’s and the DG’s remuneration. The Governor’s salary shall be 1,936,202 ISK. per month and the DG’s salary shall be 1,742,581 ISK. per month. The salaries shall change each year on 1 July. Before 1 June, Statistics Iceland calculates and publishes the percentage change in Government employees’ average regular salary for the following calendar year. CBI adheres to an equal rights policy in accordance with the Act on Gender Equality, no. 150/2020, and the Act on Equal Treatment in the Labor Market, no. 86/2018. In March 2021, the Bank renewed its equal rights policy, which states, among other things, that employees shall be treated equally in terms of hiring and professional advancement. CBI’s equal pay policy was approved during the year 2021. According to the policy, all employees shall receive equal pay and enjoy equal terms of employment and rights for the same jobs or jobs of equal value, so that there is no gender-based pay gap within the Bank. The Bank’s equal pay certification was renewed in the autumn. For the second year in a row, an equal pay analysis showed that there was no unexplained wage gap between the sexes at the time. In addition, the Bank adheres to a special transportation policy that encourages employees to use eco-friendly, economical, and healthy modes of transport and supports them in that endeavor. At the end of 2021, a total of 86 transportation agreements between employees and the Bank were in effect.
CBI can hire outside experts to work on extraordinary projects, or to deal with special situations and has done so in various project in recent years. According to Article 9 (2) of Act no. 89/1998 the FSA may appoint an expert to investigate certain aspects of the activities or operations of a supervised entity, or to undertake other specific supervision of such an entity. The expert shall be appointed for a specified period of no longer than four weeks at a time. The expert shall be provided with working facilities on the premises of the supervised entity and given access to all requested accounts, minutes, documents and other material kept by the supervised entity. The expert shall be entitled to attend meetings of the Board of the supervised entity as an observer with the right to speak. The expert’s obligation of confidentiality shall be as provided for in Chapter IV of the Act. (d) a budget and program for the regular training of staff: CBI annually uses about 3.5 percent of salary and salary-related expenditure, for educational purposes. The Bank has issued a strategy on staff training. The training includes different methods for regular training such as in-house knowledge sharing, training opportunities both locally and abroad. Furthermore, the use of on-line training has increased. A career plan is discussed for each employee in an annual performance interview, however there is no structured general career path for supervisors. During the year 2021, the Bank’s senior officers received management training aimed at strengthening the management team and formulating the Bank’s vision and values in the wake of the merger between the Bank and the FSA in 2020. All supervisors have access to the BIS’s e-learning platform, FSI connect. New supervisors follow defined learning paths for bank risks, BCP, risk-based supervision etc., others use the platform and specific modules when needed and for revision. However, given the extensive roll-out of the EU legislation, financial supervisors as well as risk specialists should be afforded specialized training to ensure adequate transfer of knowledge. Regular performance reviews and feedback conversations aim to capture specific learning needs for each individual, based on their supervision and project plan. It can be challenging to find appropriate learning opportunities for such specific training, but conferences and events organized by EBA, Bank of England, BIS, ECB, Florence School of Banking and Finance etc. have been useful. During Covid-19, most events were also available on-line, allowing more supervisors to attend since on-line events are both cheaper and less time consuming than on-site ones. Each manager has an ample budget for employees training and makes decisions about what events or conferences supervisors attend according to their training needs and the FSA’s supervision plan.
CBI is equipped internally with hardware (servers, clients, and network infrastructure) for all daily operations of Financial Supervision and the budget is sufficient to maintain necessary databases and analysis tools for the supervision.
Most supervised entities are located in the capital area. The required travelling budget for on-site work in Iceland is therefore low. Cross-border cooperation for overseas operations of supervised entities is very limited. CBI participates in international meetings, especially within the EEA i.e., EBA, ESMA and EIOPA meetings. The travel budget covers the cost for all domestic and international cooperation and meetings. Assessor’s Comments: The function of banking supervision is complicated somewhat as it is spread out amongst three departments as follows (see table below). Assessors noted areas of key person risk (Op Risk (ICT/Cyber); Market Risk/IRRB) wherein additional risk expertise is needed. Further, although the Banking Department is approved for 23 FTEs, it was noted that only 18 are currently staffed. There was discussion of turnover regarding banking financial supervisors overseeing the DSIBs further to the merger of the FSA/CBI leaving the largest DBIS without a lead supervisor. CBI needs to assess whether overall banking structure as well as key risk areas are adequate to support its mandate.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
As part of their annual resource planning exercise, supervisors regularly take stock of existing skills and projected requirements over the short- and medium-term, taking into account relevant emerging supervisory practices. Supervisor’s review and implement measures to bridge any gaps in numbers and/or skill sets identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
As a part of the annual supervisory planning process, particularly when deciding on onsite and off-site inspections, directors allocate their resources based on the skillset of current employees. If a need for a specific skillset or extra resources emerges during the planning process action is taken to address the issue involving the human resources department and the Governor. As a part of the annual budget planning directors are asked to plan resources for the next 3-5 years. This resource planning is based on the medium-term supervisory strategy and priorities in addition to the regular on-going supervisory tasks. The largest part of the budget cost is staffing. Directors are involved in the budget planning. Budget planning is thus closely tied with changes in legislation and needed staff, based on risk assessment and supervisory priorities. If Directors believe they need more staff, they need to have a bilateral discussion with the Governor and send a memo to him and the Director of Human Resources. The Governor takes a decision on new hires. Further, HR and finance meet with every manager annually, to re-evaluate the resources needed (e.g., manpower, training budget and IT) to fulfil the supervisory planning. The HR manager and manager of operations then meets with the DG of Financial Supervision in October/November each year to go through and discuss the whole budget plan. The budget plan is then introduced to the Supervisory Board of CBI and accepted if there are no comments. The basic rule for the 3-5 years plan is to estimate 5 to7 percent budget increase. If annual meetings with managers reveal change in projects or plan, the plan is updated accordingly. Assessors recommend that the overall supervisory plan, should first be established to ensure that adequate coverage, especially for the DSIBs, of the material or key risks are covered/assessed on a multi-year risk-based cycle. Given that the supervisory function is spread out between three different departments within CBI, it is critical that the managers work together and present a joint request to the Governor and not necessarily on a bilateral basis. Then resource needs should be discussed and agreed. Added considerations such as how the supervision program should be tweaked/changed based on emerging risk issues is best discussion first with the three department managers together. Given the extensive roll-out of the EU legislation, financial supervisors as well as risk specialists should be afforded specialized training. In addition, the Supervisory Handbook needs to be updated to reflect these new and extensive set of guidelines. See EC 6 for a deeper discussion on key person risk issues, level of vacancies and turnover that has occurred since the merger of CBI/FSA. Assessors recommend a more holistic approach is needed by the managers as a group, working with the HR specialists, to ensure resourcing, skills development and overall supervisory planning is effective to deliver on the mandate of banking supervision. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
In determining supervisory programmes and allocating resources, supervisors take into account the risk profile and systemic importance of individual banks and banking groups, and the different mitigation approaches available. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
In line with the EBA SREP guidelines and CBI/FSA’s supervisory methodology for a high impact bank (categorized as a DSIB), and according to the Minimum Engagement Model, CBI/FSA, substantially more resources are allocated to the DSIBs rather than to the low or medium low impact banks (e.g., 4th Commercial bank and the 4 savings banks). For high impact banks (D-SIBs), CBI/FSA undertakes an annual SREP assessment, with a deep dive on ICAAP/ILAAP, Business Model Analysis (BMA) together with several on-site examinations covering various topics of concern. There are two financial supervisors assigned to each of the DSIBs and two financial supervisors who oversee 5 savings banks (one of these banks has an issued license but it is not operational yet). DSIB banks had approximately eight on-site examinations over the past 5 years; savings banks had one. The low to medium low impact banks are allocated less supervisory time and resources as the minimum engagement model does not call for the same depth of supervisory assessment (e.g., ICAAP/ILAAP carried out every two years) and are not afforded the same kind of attention or review based on the minimum engagement model that is in place. For example, CBI/FSA does not necessarily have to engage key control function representatives of the banks along the same frequency). Supervisory tasks based on the outcome of the risk assessment are scheduled to mitigate the risk identified using the most appropriate measures available (off-site or on-site inspections, follow-up meetings etc.) Note that banks with higher risk profiles are allocated additional resources when needed in accordance with CBI/FSA’s SREP methodology. See CP8 EC1 for more details on the overview of CBI/FSA’s SREP program. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
Laws provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. The supervisor and its staff are adequately protected against the costs of defending their actions and/or omissions made while discharging their duties in good faith. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
The legal protection for supervisors is not addressed in legislation. In Iceland, there is a well-established “rule of employers’ liability” based on case law by the Icelandic Supreme Court in the mid-1930s. The rule provides that an employer can be liable for damage caused by his employee’s negligent action in the course of the employment. Such strict liability for the employer means that his liability is independent from any culpa on his behalf. If the employee has acted outside his normal scope of conduct, the employer may not be liable for the employee’s actions. A contract for employment is a prerequisite for the application of the employers’ liability rule and that the employee is acting under the actual instruction, supervision and control of the employer. According to Article 23 of the Tort Act, an employer’s claim for recourse for damages paid as a result of the employee’s negligent conduct is limited to what is considered reasonable, taking account of the employee’s position and degree of negligence, based upon the circumstances of the case. The same rule applies for claims against an employee for loss caused by him in the course of his employment. Further, an employee may benefit from the general rule of reduction or exemption from liability in cases where it is deemed reasonable depending on the circumstances, taking account of the interests of the claimant. The rule of employer’s liability for the employees’ negligence can be applied to the public sector as well as the private sector. It covers liability for loss or damage caused by negligent conduct of employees of the state, municipalities and public institutions in the course of their employment. Assessors recommend that the legislation be changed to provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. The supervisor and its staff need to have adequate protection against the costs of defending their actions and/or omissions made while discharging their duties in good faith. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 2 |
Materially Non-Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Basel requires that “The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision”. The workings of the FMEN appear very laborious resulting in decisions regarding banking supervision taking longer than expected resulting in delayed communication with the banks on key issues (requirements banks need to address). With the current structure of the FMEN, CBI does not have the full discretion to take supervisory actions or decisions on banks and banking groups under its supervision on a timely basis and without the interference/vote of the FMEN. Further, as the FMEN has representatives from the MoFEA, there is the potential of a real and/or perceived conflict of interest for the members that represent the MoFEA to be overseeing prudential decisions on banks, in particular when three of the D-SIBs are either state owned or have a substantial government interest. Assessors recommend the independence of FMEN members should be ensured as there should be no government or industry interference that compromises the operational independence of the supervisor. Since the merger, CBI/FSA’s operational effectiveness and overall accountability framework is somewhat weak as it has yet to develop and implement a legal delegation of authority framework which would set out what powers, duties and functions for the administration of the various banking supervision legislation, regulations, guidelines, etc. have been or should be delegated by the head of the institution (e.g., in this case the Governor) and to whom (DG, Directors, FMEN, etc.). Therefore, it is critical that CBI put in place its own internal formal delegation of authority to ensure operational effectiveness is clear, as decisions pertaining to the prudential supervision of banks should not be unnecessarily impeded nor the level of sign off be questioned legally, especially when issues and timely decisions need to be taken in case of an emergency situation or the prompt corrective measures being utilized (e.g., dealing with a problem bank). The CBI Act needs to be amended to clearly indicate the process and reasons for dismissal of the Governor and/or a member of the supervisory Board as there is a lack of clarity/transparency in the alternative legislation for the dismissal of a government employee. Further, the Act should be amended to provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. Last, CBI’s current funding mechanism needs to be changed to ensure that it has an adequate ability to fund banking resources on a timely basis. CBI also needs to reassess its current banking staff complement to ensure that it is adequately staffed to effectively deliver on its mandate of banking supervision. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 3 |
Cooperation and Collaboration Laws, regulations or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information.37 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with all domestic authorities with responsibility for the safety and soundness of banks, other financial institutions and/or the stability of the financial system. There is evidence that these arrangements work in practice, where necessary. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
The cooperation framework with domestic authorities responsible for the safety and soundness of banks has been made more simple to manage since January 1, 2020 when all tasks of the Financial Supervisory Authority (FSA - FME in Icelandic) were transferred to CBI of Iceland (CBI), by Act No. 92/2019 on CBI of Iceland (so-called CBI Act), article 47: https://www.cb.is/library/Skraarsafn---EN/Central-Bank/Central Bank Act 92 2019. The FSA is now embedded into CBI. Though the term “FSA” has been maintained in applicable legislation, the FSA does not legally exist as an official authority in charge of financial supervision anymore. Yet the term “FSA” continues to be used in practice. The CBI (referred to as “CBI/FSA” in this report) is now the prudential supervisor as well as the supervisor of conduct of business. Based on this institutional framework, internal cooperation and external cooperation are both relevant for CBI. 1°/ Internal cooperation The merging of the two authorities (CBI and FSA) was effective as of January 1, 2020. It has resulted in increased efficiency of financial supervision, resulting from better and more transparent flows of information, greater possibilities for analytical work, additional synergies, and a clearer division of power internally when it comes to making decisions regarding financial supervision. In all, integration of the FSA into CBI has enhanced internal cooperation on banking supervision. Internal cooperation within CBI is formally structured around the FSN (FSC) and the FMEN (FMEN). Act No. 92/2019 on CBI defines respective roles and responsibilities of the FSN (Chapter IV) and the FMEN (Chapter V). CBI departments supporting CBI committees (at the time of the mission, they were: Financial Stability Department, Banking Department, Compliance and Inspections Department) cooperate among themselves on a daily basis through regular supervisory processes. In addition, public rules of procedures are disclosed for each committee: (i) https://www.cb.is/library/Skraarsafn---EN/FinancialStability/FSC/FSC Rules of Procedures.pdf for the FSN; and (ii) https://www.cb.is/library/Skraarsafn---EN/Financial-Supervision-Committee/Rules Of Procedure FinancialSupervision Committee.pdf for the FMEN. Tasks of the FSN are specified in Act No. 92/2019 (article 13), while tasks of the FMEN are not specified as such in a dedicated article. Yet the mandate of the FMEN is made clear through articles 13 and 15. Article 13 mentions that: “The tasks of the FSN are to: a) Assess the current situation of and outlook for the financial system, systemic risk, and financial stability. b) Discuss and define the actions deemed necessary at any given time in order to affect the financial system so as to strengthen and preserve financial stability, and to this end, direct comments to the appropriate Governmental authorities when warranted. c) Approve Governmental directives and take the decisions entrusted to the Committee by law. d) Decide which supervised entities, infrastructure, and markets shall be considered systemically important and of a nature that their activities could affect financial stability.” Article 15 mentions that: “The FMEN shall take decisions entrusted to the Financial Supervisory Authority by law or Governmental directives.” In practice, the FSN has adopted an extensive scope of duties that goes beyond financial stability and covers topics pertaining to microprudential supervision that would intuitively fall into the scope of the FMEN, based on usual practices observed among foreign banking supervision authorities. The rationale of such extensive scope may be explained by the systemic importance of major banks. The main illustration of joint involvement of both FSN and FMEN is microprudential supervision of liquidity risk of the three domestic systemically important banks (D-SIBs):
Documentation and information provided during the mission have demonstrated a close monitoring of major banks’ liquidity and have not highlighted any evidence of poor internal cooperation nor significant gap resulting from such a segregation of duties within CBI regarding the supervision of liquidity risk. Yet, from an organizational working perspective, it would make sense that microprudential banking supervisors cover the whole range of risk domains and supervisory tasks, including liquidity risk (a major risk domain indeed), to have full control of the implementation of prudential regulations the supervision of which the FSA is legally in charge. 2°/ External cooperation At national level, CBI is an active member of the Financial Stability Council (FSC): https://www.government.is/topics/economic-affairs-and-public-finances/financial-stability-council/. The FSC assesses the effectiveness of macroprudential policy tools. Based on CBI staff’s propositions, the FSN of CBI has the power to decide macroprudential measures applicable to banks aimed at ensuring financial stability which may impact banking supervision. The FSN is competent for setting the countercyclical capital buffer (CCyB), limits on mortgage loans, and other policy measures including the bank liquidity coverage ratio in national currency (ISK) and foreign currencies, as well as bank funding ratios in foreign currencies. At national level, CBI is cooperating with the Ministry of Finance and Economic Affairs (MoFEA) on banking supervision matters.
A MoU on cooperation regarding actions against money laundering, terrorist financing, and proliferation financing of weapons of mass destruction has been signed between the Ministry for Foreign Affairs, the Iceland Revenue and Customs, and CBI of Iceland in 2020, under review in 2022. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with relevant foreign supervisors of banks and banking groups. There is evidence that these arrangements work in practice, where necessary. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
A structured cooperation framework is in place between CBI and foreign supervisory authorities both (i) on a bilateral basis, and (ii) for multilateral cooperation. CBI has the legal power to engage into bilateral and multilateral cooperation in banking supervision, notably for the purpose of consolidated supervision of banking groups, as stated by Act No. 87/1998 on Official Supervision of Financial Activities, articles 14 and following (https://www.cb.is/library/Skraarsafn---EN/Laws/Act%20No.%2087%201998%20on%20Official%20Supervision%20of%20Financial%20Activites.pdf), as well as by Act No. 161/2002 on Financial Undertakings (that is, the so-called banking law), inter alia articles 109 and following (https://www.cb.is/library/Skraarsafn---EN/Laws/Act%20No.%20161%202002%20on%20Financial%20Undertakings.pdf). International cooperation of CBI applies within the Euro Economic Area (EEA) which Iceland is a member of, and beyond the EEA. 1°/ Bilateral cooperation The need is quite low for bilateral cooperation between CBI and foreign banking supervision authorities for the purpose of consolidated supervision of banking groups, because (i) there are no foreign banks operating branches or subsidiaries in Iceland; and (ii) there is a very limited number of Icelandic banks with cross-border establishments (no bank branch is licensed abroad, and only one subsidiary of a non-major bank has recently been licensed in the United Kingdom). In the past, CBI had signed several of bilateral cooperation agreements with foreign banking supervision authorities, in the form of memoranda of understanding (MoUs), which purpose was mostly to facilitate information sharing on Icelandic banks’ shareholders that were incorporated as legal entities in foreign jurisdictions. These MoUs are still valid, though barely used in practice for banking supervision. The list of bilateral MoUs is not disclosed on CBI’s website (source: CBI):
Many jurisdictions of this list are international financial centers, or offshore financial centers, with which international cooperation may potentially be challenging for consolidated banking supervision, supervision of parent companies of regulated banks, or AML/CFT, given the intrinsic nature of these centers. CBI has not reported any issue regarding effective cooperation from such jurisdictions on requests asked by CBI (very low need, in practice). 2°/ Multilateral cooperation CBI is much more concretely engaged into multilateral cooperation with foreign authorities involved in banking supervision, especially Nordic countries, and EEA/EU countries and institutions. The list of multilateral MoUs is not disclosed on CBI’s website (source: CBI):
Regarding multilateral cooperation, interaction between CBI and foreign regulators mostly focuses on coordinated development of supervisory policies and regulations, and development of best supervisory practices in Iceland. CBI is an observer in the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), and the European Insurance and Occupational Pensions Authority (EIOPA). CBI is also a member of a European Free Trade Association (EFTA) working group on financial services. In addition, CBI takes part in regular cooperation with regulators of Nordic countries on various issues concerning developments in financial activities and harmonization of supervision. Iceland has implemented EU CRD/CRR, and further amendments to them, relating to the taking up and pursuit of the business of credit institutions. The EU Directive lays down rules regarding information requests between competent authorities in member States. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor may provide confidential information to another domestic authority or foreign supervisor but must take reasonable steps to determine that any confidential information so released will be used only for bank-specific or system-wide supervisory purposes and will be treated as confidential by the receiving party. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Icelandic law ensures explicit protection of confidentiality of sensitive information foreign authorities are provided with by CBI for the purpose of banking supervision. According to Act No. 87/1998, article 14, CBI of Iceland may disclose information, which is to be treated confidentially in accordance with CBI Act, article 41, to supervisory authorities of other EEA Member States, provided that this constitutes an act of cooperation between those States involving supervision of the activities of parties subject to supervision, and furthermore that such an exchange of information is beneficial for conducting such supervision as prescribed by law. Such information can only be disclosed on the condition that it is subject to the obligation of secrecy in the State concerned. According to Act No. 87/1998, article 14, agreements may also be made with supervisory authorities in countries outside the EEA for the purpose of exchange of information, under the condition that the obligation to observe secrecy applies. Also, according to Act No. 87/1998, article 14, CBI may provide regulatory authorities of other EEA member States with confidential information as provided for in CBI Act, article 41, if such disclosure is part of cooperation between States in the supervision of activities of regulated entities and such disclosure is useful in permitting the conduct of the supervision prescribed by law. Such information may only be disclosed on the condition that it is subject to obligation of confidentiality in the State concerned. On July 1, 2022, a new article was added to Act No. 161/2002 regarding sharing of information and collaboration with other authorities. Article 109(aa) grants CBI permission to provide confidential information to other authorities within the EEA, granted that the receiving authority has equivalent confidentiality rules regarding such information. This new article allows for CBI to provide information (with the forementioned conditions) to institutions of the European Free Trading Area (EFTA) and other financial supervisory authorities within the EEA (EU, plus Iceland, Liechtenstein, and Norway), in charge of supervision of financial undertakings, security trading undertakings, and payment services undertakings. It also allows for information exchange with authorities dealing with monetary policies as well as AML/CFT authorities. Information subject to obligation of confidentiality in accordance with special legislation or other legislation shall be subject to similar obligation of confidentiality after being delivered to CBI. MoUs signed by CBI include a clause of protection of confidential information shared with foreign authorities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor receiving confidential information from other supervisors uses the confidential information for bank-specific or system-wide supervisory purposes only. The supervisor does not disclose confidential information received to third parties without the permission of the supervisor providing the information and is able to deny any demand (other than a court order or mandate from a legislative body) for confidential information in its possession. In the event that the supervisor is legally compelled to disclose confidential information it has received from another supervisor, the supervisor promptly notifies the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. Where consent to passing on confidential information is not given, the supervisor uses all reasonable means to resist such a demand or protect the confidentiality of the information. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
In addition to developments under CP3 EC3, Icelandic law also ensures explicit protection of confidentiality of sensitive information received by CBI from foreign authorities for the purpose of banking supervision, according to Act No. 161/2002, Article 109(aa), Para 5. The obligation to observe secrecy according to CBI Act, article 41, applies to comparable information received by CBI from supervisory authorities of other EEA member States. MoUs signed by CBI include a clause of protection of confidential information received. CBI has not faced any situation in which disclosure of confidential information received from a foreign authority in application of cooperation arrangements was requested by an order of a national court or Parliament. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
Processes are in place for the supervisor to support resolution authorities (e.g., central banks and finance ministries as appropriate) to undertake recovery and resolution planning and actions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and findings re EC5 |
Cooperation with national authorities in charge of banking resolution has been facilitated by setting up an official resolution authority integrated within CBI in September 2020, using a similar institutional approach as for the Financial Supervisory Authority regarding banking supervision in January 2020 (except that decisions of the RA are made by the CBI Governor while major decisions of the FSA are made by the FMEN). The Resolution Authority has a specific legal framework, that is Act No. 70/2020: https://www.cb.is/library/Skraarsafn---EN/Laws/Act%20No.%2070%202020%20on%20Resolution%20of%20Credit%20Insitutions%20and%20Investment%20Firms.pdf. Leveraging on this integrated institutional framework, CBI legally and operationally ensures coordination between inner authorities in charge of banking supervision (the FSA) and banking resolution (the Resolution Authority). During the first two years of operation of the Resolution Authority, CBI banking supervisors have supported the Resolution Authority in order to complete resolution plans for banks. The Resolution Authority is provided with information on SREP outcomes and Pillar 2 decisions directly from the Financial Supervision department, which the Resolution Authority uses for making MREL decisions. Both authorities use integrated channels in order to collect data from banks. Processes are in place for this support. Moreover, both the FSA and the Resolution Authority are developing integrated operational guidance serving as a manual for how CBI will deal with the deteriorating financial situation of a bank unto its failure (under progress). In Iceland, neither the Resolution Authority nor the FSA undertakes recovery planning. Banks make their own recovery plans. However, both the Resolution Authority and the FSA review these plans in order to assess resolvability, to prepare resolution plans (Resolution Authority), and to assess timely intervention (FSA). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 3 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Cooperation and collaboration are not critical for Iceland, given that the banking system is largely domestic-oriented, and cross-border banking activities through entities are very limited in both ways. Even so, cooperation arrangements have been developed by CBI of Iceland for banking supervision. CBI has signed bilateral MoUs, which are not much used in practice, because there is no need. CBI is quite more engaged into multilateral cooperation; notably with Nordic countries, to share global information and best practices. At domestic level, CBI is part of a national cooperation arrangement for AML/CFT, and it maintains continuous interaction with the Ministry of Finance and Economic Affairs (MoFEA) informally. Confidentiality of information shared through cooperation arrangements is ensured. No main finding has been identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 4 |
Permissible activities The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined and the use of the word “bank” in names is controlled. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The term “bank” is clearly defined in laws or regulations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
The term “credit institution” is defined in Act No. 161/2002 on Financial Undertakings, article 1(b) item 2 (glossary), as “an undertaking that operates by accepting deposits or other repayable funds from the public and provides loans for its own account”. The term “credit institution” is used in the Icelandic law referring to the EU framework (CRD) which uses this definition of “credit institution” that is broader than “bank”. Thus, the term “bank” is not explicitly defined in the glossary of the law. Yet that does not create any ambiguity, because a definition of a “bank” may indirectly result from Act No. 161/2002, article 12: “Only credit institutions may use in their firm name or as clarification of their activities the words “credit institution”, “bank”, “commercial bank”, “investment bank”, “savings bank” and “credit undertaking” either alone or linked to other words, in accordance with their operating license.” In addition, article 4 specifies the various kinds of financial undertakings that are included in the legal definition of “credit institution”: “A credit institution can obtain an operating license as a commercial bank, savings bank or credit undertaking.” Therefore, banks are a category of credit institutions, including two sub-categories: commercial banks (to which major banks belong), and savings banks. Ideally, the law should explicitly and directly define the term “bank”, as well as “commercial bank” and “savings bank”, for example in article 1(b) on definitions. But it is clear in the law that banks are credit institutions which are regulated and supervised as such by CBI. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined either by supervisors, or in laws or regulations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
The definition of permissible activities of credit institutions (among which “banks”, as derived from CP4 EC1) is mentioned in Act No. 161/2002, article 3 on activities subject to operating licenses, and Chapter IV on authorized activities. The Icelandic definition of permissible activities refers to the EU framework (CRD). Article 3 states that: “Only legal entities that are licensed as credit institutions may operate by collecting deposits or other repayable funds from the public.” Chapter IV (mostly article 20) mainly states that: “The activities of commercial banks and savings banks may include the following: 1. Acceptance of deposits and other repayable funds from the public. 2. Lending activities, including: a. consumer credit, b. mortgages, c. factoring and purchase of debt instruments and d. commercial credit. 3. Financial leasing. 4. The provision of payment services as provided for in the Act on Payment Services. 5. Issuing and administering payment documents such as travelers’ cheques and bills of exchange. 6. Providing guarantees and commitments. 7. Trading for own account or for the accounts of customers in: a. money market instruments (cheques, bills, other comparable payment instruments etc.), b. foreign exchange, c. standard forward contracts and swaps (options), d. exchange rate and interest rate instruments and e. securities. 8. Participation in securities issues and provision of services related to such issues. 9. Providing advice to undertakings on financial organization, strategy and related issues, and advice as well as services related to mergers and acquisitions. 10. Money brokering. 11. Asset management and advisory. 12. Custody and administration of securities. 13. Credit reference (credit rating) services. 14. Rental of safety deposit boxes. 15. Issue of electronic money.” Consequently, the definition of permissible activities for banks in Iceland is quite large, referring to the EU extensive approach of bank licensing, including financial activities that may be left out of the scope of licensing in some non-EU jurisdictions, for instance factoring, consumer credit, or financial leasing. Such extensive approach of permitted activities is consistent with the universal banking model of major banks in Iceland, which enables large coverage of banking regulation and supervision by CBI. It should be noted that prior approval of CBI is requested for each single activity listed in above-mentioned article 20, in case an existing bank would envisage extending the scope of activities beyond the existing list of activities for which a license has been granted by CBI. Such activity-by-activity approach of licensing enables CBI to have close scrutiny of development strategies of banks extending beyond their usual business model into new kinds of financial services. In addition, the definition of other services and ancillary activities that are permitted to credit institutions (among which “banks”) is developed in Act No. 161/2002, article 21. Ancillary activities are permitted to banks, provided that they are a normal extension of their financial services, subject to prior approval of CBI. There is no list of ancillary activities, approval being examined on a case-by-case basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The use of the word “bank” and any derivations such as “banking” in a name, including domain names, is limited to licensed and supervised institutions in all circumstances where the general public might otherwise be misled. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
The use of the term “bank” is restricted in Act No. 161/2002, article 12: “Only credit institutions may use in their firm name or as clarification of their activities the words “credit institution”, “bank”, “commercial bank”, “investment bank”, “savings bank” and “credit undertaking” either alone or linked to other words, in accordance with their operating license.” |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The taking of deposits from the public is reserved for institutions that are licensed and subject to supervision as banks.38 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Act No. 161/2002 on Financial Undertakings indirectly states that only banks (commercial banks, and savings banks) can collect deposits:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor or licensing authority publishes or otherwise makes available a current list of licensed banks, including branches of foreign banks, operating within its jurisdiction in a way that is easily accessible to the public. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Act No. 161/2002, article 8, states that: “The Financial Supervisory Authority shall keep a register of credit institutions and their branches, including all the principal details of the undertakings concerned.” CBI discloses and updates a nominative list of licensed banks on its official website: https://en.fme.is/supervision/supervised-entities/. Regulated financial institutions, including banks, are dispatched by categories. Last update before the BCP assessment mission was done on October 24, 2022. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 4 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
The Icelandic legal and regulatory framework is aligned with the extensive EU definition of the scope of permitted activities, covering a large range of banking and payment services. The legal definition of banks is included into the broader category of credit institutions, derived from EU rules. There are two categories of banks in Iceland: commercial banks, and savings banks. Only banks may collect deposits. Such large scope of regulation and supervision provides CBI with strong legal capacity to effectively control banks, and credit institutions more globally. This approach is relevant for Iceland, since major banks have adopted a so-called universal banking business model, requiring close supervisory scrutiny from CBI No main finding has been identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 5 |
Licensing Criteria The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management)39 of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition-(including capital base). Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The law identifies the authority responsible for granting and withdrawing a banking license. The licensing authority could be the banking supervisor or another competent authority. If the licensing authority and the supervisor are not the same, the supervisor has the right to have its views on each application considered, and its concerns addressed. In addition, the licensing authority provides the supervisor with any information that may be material to the supervision of the licensed bank. The supervisor imposes prudential conditions or limitations on the newly licensed bank, where appropriate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
CBI, acting in its official capacity as the Financial Supervisory Authority (FSA, FME in Icelandic), has the legal power to review applications for a license as a credit institution (therefore, as a bank), and to issue banking licenses (as a commercial bank, or a savings bank). CBI’s legal mandate for licensing banks is laid down in Act No. 161/2002 on Financial Undertakings, Chapter II, articles 2 and following. CBI can impose prudential conditions or limitations on a newly licensed bank. Article 10(a) states that: “The Financial Supervisory Authority may restrict the activities of individual establishments [credit institutions] if it sees specific reason to do so.” This Article 10(a) has general application beyond the licensing stage. CBI applies EBA Guidelines EBA/GL/2021/12 on a common assessment methodology for granting authorization as a credit institution under Article 8(5) of EU Directive 2013/36/EU: When evaluating the application of a new bank, CBI makes a rigorous analysis of the business plan, focusing on the applicant’s business model, strategy, and risk profile, to form a view on the viability and sustainability of the applicant bank’s business model. Applicants are aware that EBA guidelines apply for that purpose. Documentation requests and questionnaire for interviews have been disclosed. Internal procedures have been specified for supervisors in charge of examination of licensing applications. The applicant’s risk profile will impact capital requirements and other prudential conditions set by CBI if the license is granted. Furthermore, the planned activities of the bank can impact the requirements decided by CBI. For example, there are stricter requirements concerning conflict of interest if the bank intends to provide investment services. All major decisions on licensing, such as granting an operating license for a bank, rejecting an application for an operating license or registration, rejecting an authorization to acquire a qualifying holding, and adverse decisions regarding fitness and propriety of board members and senior management, are taken by the Financial Supervisory Committee of CBI. Preparation of decisions on licensing involves all related CBI departments, including legal experts and banking supervisors, to ensure efficient synergies leading to a complete, thorough, and reliable assessment of applications. While CBI Compliance and Inspections department oversees the licensing process, banking supervisors from the Banking department (which manages off-site supervision of credit institutions and investment firms) oversee the financial examination of the application (for instance, business plan analysis, financial information on shareholders with a qualifying holding), and risk specialists from the Banking department oversee relevant risk domains. Input is also gained from the Financial Stability department. Concretely, since the post-crisis restructuration of the banking sector, the licensing activity has been very limited for banks. CBI has only received two applications for a license as a credit institution, including one application for a license as a savings bank. CBI accepted both applications after thorough review and extensive dialogue with the applicant and within CBI. In both cases, the application came from a domestic entity. During the same period, CBI has not revoked or withdrawn any license of a credit institution. CBI mentions that it has not faced any special issue regarding applications for a license as a credit institution. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
Laws or regulations give the licensing authority the power to set criteria for licensing banks. If the criteria are not fulfilled or if the information provided is inadequate, the licensing authority has the power to reject an application. If the licensing authority or supervisor determines that the license was based on false information, the license can be revoked. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
CBI has legal powers to set criteria for licensing banks. Information requirements relating to applications for a banking license are set out in Act No. 161/2002, article 5. The list of items defined in the law is concise, yet the FSA has legal power to request “other relevant information”. Article 5 states that (the following excerpt is streamlined): “An application for an operating license must be made in writing and shall be accompanied by: 1. Information on the type of operating license applied for, on activities subject to authorization, and other proposed activities. 2. The company’s Articles of Association. 3. Information on the structure of the organization, including information, inter alia, on how the proposed activities are to be pursued. 4. Information on the internal organization of the undertaking, including rules on supervision and work procedures. 5. A business plan and budget, indicating inter alia the expected growth and composition of own funds. 6. Information on founders, shareholders or guarantee capital owners, who directly or indirectly control qualifying holdings and the proportional holdings of all parties. If no one has a qualifying holding, information on the 20 largest shareholders or guarantee capital owners must be provided. 7. Information on the board of directors, managing director and other managers. 8. Auditor’s confirmation that share capital or guarantee capital has been paid up. 9. Information about the group to which the company belongs, including parent companies, financial holding companies and mixed financial holding companies in the group. 10. Information on close links between the undertaking and individuals or legal entities. 11. Other relevant information as determined by the Financial Supervisory Authority.” Therefore, the examination process of applications for a banking license covers not only data, but also the set-up of governance, internal control, and risk management frameworks, in view of ensuring that newly licensed banks may be run properly as of day one. Regarding the methodology used for assessing applications, CBI has disclosed on its website an extensive checklist of information and documentation that must be submitted with the application. This document (updated in August 2022) is only available in Icelandic: https://www.fme.is/media/eydublod/Starfsleyfi-fjarmalafyrirtaekis agust-2022.pdf. According to Act No. 161/2002, article 7, CBI has the power to reject applications that do not meet standards, “including the risk control system and the eligibility of board members, managing directors and owners of qualifying holdings, in the opinion of the Financial Supervisory Authority.” CBI has mentioned that it has used this power as a preventive action power in order to push applicants to reconsider proposed arrangements that were not deemed satisfactory after preliminary examination of the application. CBI can revoke a banking license afterwards, if it was based on false information, according to Act No. 161/2002, article 9. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The criteria for issuing licenses are consistent with those applied in ongoing supervision. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI has introduced risk-based criteria for collecting information and documentation supporting applications for a banking license, as it is mentioned in the above-mentioned legal provisions and check-list (see references under CP5 EC2). The risk-based approach for examination of licensing applications, and the issuance of banking licenses are not explicitly mentioned in the banking law or CBI application regulations, though it is advocated in above-mentioned EBA guidelines that are enforced in Iceland. It came out of BCP assessment meetings that CBI does implement a risk-based and comprehensive approach of licensing in that regard. The licensing activity for new banks has been very limited for many years in Iceland. For illustration and a high-level review of the licensing process, CBI shared with BCP assessors two application cases relating to a savings bank and a credit undertaking. Summary documentation shared by CBI highlights that thorough examination is implemented, covering a broad range of risk-related topics, including on governance, compliance, internal control, and risk management frameworks. To ensure that applicants will be able to meet prudential requirements from day one, banking supervisors as well as risk specialists of the Banking department are involved in the assessment of application, in addition to legal experts within the same department. Thus, banking supervisors are aware of the necessity to implement a risk-based approach of licensing, considering all relevant quantitative and qualitative aspects of risk management frameworks set up by applicants, beyond just checking formal legal compliance of applications. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The licensing authority determines that the proposed legal, managerial, operational and ownership structures of the bank and its wider group will not hinder effective supervision on both a solo and a consolidated basis.40 The licensing authority also determines, where appropriate, that these structures will not hinder effective implementation of corrective measures in the future. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
At the licensing stage, CBI has legal power to ensure that the proposed ownership structure of a bank would not undermine effective consolidated supervision and corrective action. Act No. 161/2002, article 7 paragraph 3, states that: “An operating license shall not be granted if close links between an applicant and individuals or legal entities obstruct supervision of the undertaking by the Financial Supervisory Authority. The same applies if laws or regulations of a state outside the European Economic Area which apply to such connected parties or problems related to their implementation hinder supervision.” Legal provisions are less explicit on the legal power granted to CBI, at the licensing stage, to ensure that the proposed legal, managerial, and operational structures of a bank would not undermine effective consolidated supervision and corrective action. In that regard, CBI refers to EBA guidelines that are legally inserted into Act No. 161/2002. The licensing approach followed by CBI clearly covers the assessment of appropriateness of legal, managerial, and operational structures of the applicant bank. There are no legal restrictions on characteristics of ownership of banks. CBI has not defined any specific strategy for licensing that may restrict the typology of bank ownership structures in addition to the regular EU/EBA framework. Non-banks, including natural persons, are allowed to control banks if they fulfill assessment criteria for owning qualifying holdings, including financial soundness and capacity to provide banks with financial support. CBI asks for a declaration by the home supervisor stating that there are no obstacles to, or limitations on, disclosure to CBI of the information necessary for supervision of the target undertaking. If the assessment reveals that there are grounds to believe that the ownership will impede adequate supervision of the regulated bank, the prospective acquirer will not meet the prudential assessment criteria (Act No. 161/2002, article 42). CBI has used this legal power to oblige credit institutions (not banks, because no application has been received from banks) to upgrade their proposed ownership structure towards less complexity. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The licensing authority identifies and determines the suitability of the bank’s major shareholders, including the ultimate beneficial owners, and others that may exert significant influence. It also assesses the transparency of the ownership structure, the sources of initial capital and the ability of shareholders to provide additional financial support, where needed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Regarding the assessment of eligibility and suitability of banks’ major shareholders at the licensing stage, CBI has legal power laid out in Act No. 161/2002, Chapter VI on holdings and treatment of holdings. Eligibility criteria are set out in article 42(a) on eligibility assessment in a general way, including, among others, the owner’s financial soundness (point 3), and how ownership might impact the credit institution’s ability to comply and continue to comply with prudential requirements (point 4). Act No. 161/2002 does not explicitly mention “transparency of the ownership structure” as a legal requirement for licensing, among above-mentioned eligibility criteria. Yet CBI refers to EBA guidelines in that regard. Other legal provisions give power to CBI to assess the eligibility of beneficial owners of a qualified holding in a bank, for instance article 49(a) on beneficial owners. CBI has not issued specific regulatory requirements on the ownership structure in view of ensuring transparency, because it found no need to do so, considering applicable EBA guidelines on this topic. No further national criteria have been specified regarding shareholders’ jurisdictions or legal structures. CBI assesses transparency of banks’ ownership structure, at the licensing stage and at any occurrence of a change of ownership, on a case-by-case basis. The suitability assessment of owners of qualifying holdings is headed by supervisors of the Compliance and Inspections department. Financial evaluation of shareholders is carried out by banking supervisors. CBI’s AML/CFT team within this department conducts an AML/CFT analysis and verifies the source of funds used for acquiring significant banks’ shareholdings (as well as minimum capital), with input from the Financial Stability department. The legal definition of an ultimate beneficial owner (UBO) is included in Act No. 140/2018 on measures against Money Laundering and Terrorist Financing, article 3, referred to in Act No 161/2002, article 1 (b), as one or more natural persons who ultimately own or control the customer, legal entity, or natural person on whose behalf a transaction or activity is being conducted or carried out. A beneficial owner is, in the case of a legal person, the natural person who in fact owns or controls the legal person through the direct or indirect ownership of a share of more than 25 percent in the legal person, or controls more than 25 percent of the voting rights, or is regarded as having control of the legal person in another manner. Applicants for a banking license are required to disclose the full list of their shareholders. Further to this, all owners of a qualifying holding (10 percent, or more, of equity, or voting rights) are subject to additional disclosure requirements. CBI has issued guidelines on information requirements: https://www.fme.is/media/eydublod/SI5.1.20 Information-disclosure-for-notification-of-a-qualifying-holding.pdf. Among the extensive list of questions within CBI questionnaire are questions pertaining to the ultimate economic beneficiaries of the transaction and whether the proposed acquirer has eventually entered into derivatives contracts using shares issued by the targeted undertaking as underlying assets (see questions 5.11-5.12). Indirect ownership situations are evaluated using the two-steps approach recommended in EBA Joint Guidelines JC/GL/2016/01 on the prudential assessment of acquisitions and increases of qualifying holdings in the financial sector: https://www.esma.europa.eu/system/files force/library/jc gl2016 01 joint guidelines on prudential assessment of acquisitions and increases of qualifying holdings - final.pdf?download = 1. The first step (“control-criterion”) envisages the application of the notion of control. Accordingly, all natural or legal persons (i) who acquires, directly or indirectly, control over an existing holder of a qualifying holding in a target undertaking, or (ii) who, directly or indirectly, controls the proposed direct acquirer of a qualifying holding in a target undertaking, should be considered as indirect acquirers of a qualifying holding. The second step (“multiplication criterium”) applies where the application of the control criterion does not determine that a qualifying holding was acquired indirectly. According to Act No. 161/2002, article 49(a), if there is any doubt in the opinion of CBI, about who is or will be the beneficial owner of a qualifying holding, CBI shall notify the party who sent the notification, or the financial undertaking itself if the former cannot be reached, that CBI does not consider the party in question eligible to exercise the holding. Regarding CBI’s control of source of funds to be used as banks’ capital, explicit questions are asked by CBI in the above-mentioned questionnaire (Section 7). As a bare minimum, CBI asks for a description of the source of the financing and documentation, in view of verifying that no money laundering is being attempted through the proposed acquisition (for example, a copy of a wire or bank transfer from a bank account in the name of the proposed acquirer to the seller, or a signed letter from a public accountant detailing the source of the financing). CBI’s AML/CFT team evaluates the submittals and verifies if further documentation is needed. CBI reports that it has not faced any issue regarding the source of funds used as capital. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
A minimum initial capital amount is stipulated for all banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
The legal minimum capital amount required for banks is specified in Act No. 161/2002, article 14: the minimum initial capital shall not be lower than the equivalent in ISK of EUR 5 million for credit institutions, including banks, except EUR 1 million for savings banks (only if savings banks do not operate cross-border activities and do not engage in activities on securities and asset management). In each case, the minimum capital requirement shall not be less than 8 percent of the projected risk base. In both cases, the initial disbursement shall be in the form of cash, premium account, retained earnings, or reserve fund. Prior to licensing, an external auditor shall issue a formal confirmation that the initial share capital has been paid in full up to the minimum capital requirement (article 5). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The licensing authority, at authorization, evaluates the bank’s proposed Board members and senior management as to expertise and integrity (fit and proper test), and any potential for conflicts of interest. The fit and proper criteria include: (i) skills and experience in relevant financial operations commensurate with the intended activities of the bank; and (ii) no record of criminal activities or adverse regulatory judgments that make a person unfit to uphold important positions in a bank.41 The licensing authority determines whether the bank’s Board has collective sound knowledge of the material activities the bank intends to pursue, and the associated risks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Regarding the licensing rules of banks’ board members and senior management, CBI is provided with legal powers by Act No. 161/2002, Chapter VII on board of directors, corporate governance, and employees, in particular article 52 which sets eligibility requirements, such as skills and experience, good reputation including the absence of criminal record. A legal requirement for the credit institution’s board to have a collective adequate knowledge and experience also is set out in article 52. To implement the licensing process of board members and senior management in line with EBA guidelines, CBI has developed a questionnaire for interviewing candidates to managing director positions. This review is carried out by the Compliance and Inspections department and based on information submitted on behalf of the CEO and each board member. The CEO and all board members have to pass an oral examination, headed by this department. Details on the evaluation of the suitability of proposed board members and senior management are specified in CBI rules No. 150/2017 on the implementation of the qualification assessment of managing directors and directors of financial companies (in Icelandic only): https://www.stjornartidindi.is/PdfVersions.aspx?recordId=cb215e5a-7ee4-4ea4-8613-5549793ab127. Credit institutions must notify CBI as soon as possible, preferably beforehand, about appointments of a new CEO and new board members. The CEO and board members must submit information according to CBI questionnaire within four weeks. This questionnaire is currently being updated (November 2022). The questionnaire is reviewed, and additional information is collected if needed. For CEOs and board members of significant banks, and if there is any doubt about the fitness of a board member of any other kind of credit institution, an oral assessment is held by CBI, using a questionnaire. This questionnaire is also being updated. The oral assessment takes around 3-4 hours and covers the main points that CBI deems relevant for CEO’s and board members of credit institutions. The fit and proper process is the same for all credit institutions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The licensing authority reviews the proposed strategic and operating plans of the bank. This includes determining that an appropriate system of corporate governance, risk management and internal controls, including those related to the detection and prevention of criminal activities, as well as the oversight of proposed outsourced functions, will be in place. The operational structure is required to reflect the scope and degree of sophistication of the proposed activities of the bank.42 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
CBI is aware that the licensing process should go beyond formal legal compliance checks and review of estimated performance data, but also incorporate a risk-based qualitative assessment of banks’ capacity to operate sound risk policies and management. CBI ensures that all important aspects of applications for a bank license which may be risk sensitive are reviewed by CBI’s risk specialists, notably: (i) a draft organization chart; (ii) governance, internal control, and risk management frameworks; (iii) ethics, compliance, and financial integrity frameworks, including AML/CFT; (iv) operational risk management, including ICT systems and security, business continuity planning, and outsourcing; (v) environmental, social, and governance (ESG) policies. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The licensing authority reviews pro forma financial statements and projections of the proposed bank. This includes an assessment of the adequacy of the financial strength to support the proposed strategic plan as well as financial information on the principal shareholders of the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
CBI follows EBA guidelines on the authorization of credit institutions regarding financial analysis of banks’ business strategy and estimated financial projections. CBI reviews the proposed banks’ business plans, tentative financial statements (balance sheet, profit & loss), estimated prudential ratios, as well as the financial soundness of major shareholders, including natural persons if need be. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC10 |
In the case of foreign banks establishing a branch or subsidiary, before issuing a license, the host supervisor establishes that no objection (or a statement of no objection) from the home supervisor has been received. For cross-border banking operations in its country, the host supervisor determines whether the home supervisor practices global consolidated supervision. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC10 |
CBI has legal power to request a no-objection statement from the home supervisory authority of any bank that would establish a branch in Iceland. As an EEA member country, Iceland also implements the EU passporting rules applicable to EEA countries. Domestic banks that wish to open a cross-border branch within the European Economic Area may do so with a so-called “passport notification” to CBI, according to Act No. 161/2002, article 36. The information in the passport notification shall follow applicable EU regulation (EU) 926/2014 and (EU) 1151/2014. CBI will pass the notification on to the competent authority in the host country. If the branch is deemed a systemically important branch, further information shall be sent to the host country. No Icelandic bank has opened any branch abroad within the European Economic Area. CBI can authorize domestic banks to open a branch in a country that is not a member of the European Economic Area, according to Act No. 161/2002, article 38, which lists information that CBI needs to be provided with before such authorization. So far, no Icelandic bank has opened any branch abroad outside of the European Economic Area. Foreign banks within the European Economic Area can be authorized to open a branch in Iceland according to Act No. 161/2002, article 31 of after a “passport notification” has been received from the home member State. The information provided in the “passport notification” follows above-mentioned EU implemented regulation. If the branch is deemed a systemically important branch, further information shall be sent by the home country according to Article 31(a). Supervisory powers of CBI are laid down in article 34. No EEA foreign bank has opened any branch in Iceland so far. Foreign banks that are domiciled outside of the European Economic Area can be authorized to open a branch in Iceland according to Act No. 161/2002, article 33, which lists detailed information that CBI needs to be provided with. No Non-EEA foreign bank has opened any branch in Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC11 |
The licensing authority or supervisor has policies and processes to monitor the progress of new entrants in meeting their business and strategic goals, and to determine that supervisory requirements outlined in the license approval are being met. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC11 |
CBI plans to supervise newly licensed banks through regular supervisory process to ensure that legal and regulatory requirements are met according to specific licensing conditions, if any. Supervisory visits are envisaged in that regard (mostly applied for nonbank financial institutions, because no new bank has been opened in Iceland for years). CBI decides on a case-by-case basis whether to implement more stringent prudential requirements for new credit institutions. The determining factors may include the new bank’s business plan (CBI might want to monitor if the plan is working as planned, for instance by asking for monthly management accounts), as well as special risks that the business model might entail. There are no concessions granted for new banks, which must fulfill all normal capital and AML/CFT requirements from day one. CBI reports that it has not faced any material issue regarding new credit institutions shortly after they have been licensed. In practice, given that only one new savings bank has been licensed recently, there is no need to implement such specific monitoring frequently. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 5 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
The licensing activity has been very limited for banks in Iceland for many years. Yet licensing requirements and processing are well structured. Based on a solid framework on licensing applications, supported by detailed requirements, comprehensive licensing criteria, and a risk-based assessment methodology, CBI may implement a thorough examination of application requests from entities for a banking license, as well as from natural persons for their appointment as members of the board of directors or senior management. CBI has adequate power to require adjustments of proposed plans, if need be, or to reject applications. Minimum capital requirements look rather low (the equivalent in ISK of EUR 5 million for banks), yet prudential capital adequacy requirements are much higher. No main finding has been identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 6 |
Transfer of Significant Ownership The supervisor43 has the power to review, reject and impose prudential conditions on any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws or regulations contain clear definitions of “significant ownership” and “controlling interest”. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
The definition of a “qualifying holding” is laid down in Act No. 161/2002, article 40 paragraph 2: “A qualifying holding shall mean a direct or indirect holding in a credit institution which represents 10 percent or more of its equity, guarantee capital or voting rights or enables the exercise of a significant influence on the management of the credit institution concerned.” Quantitative thresholds of qualifying holdings are set up at 10 percent of equity, guarantee capital, or voting rights, 20 percent, 30 percent, and 50 percent. Direct or indirect ownership is considered in the law, as well as joint ownership of a group of connected parties. Therefore, persons or entities that act in concert to acquire a direct or an indirect qualifying holding are also covered by the legal requirement to notify CBI and are also subject to eligibility assessment. The qualitative criteria relating to the “significant influence on the management” of the bank, set in article 40, may provide CBI with more flexibility than the mechanistic application of quantitative thresholds to assess the effective control that a shareholder may have on the bank, even if the related capital share stands below the legal 10 percent threshold. This legal change has addressed the finding identified in the 2014 ROSC for CP6. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
There are requirements to obtain supervisory approval or provide immediate notification of proposed changes that would result in a change in ownership, including beneficial ownership, or the exercise of voting rights over a particular threshold or change in controlling interest. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
All authorizations concerning any modification of license applications of regulated banks requires prior approval from CBI. All changes of direct or indirect ownership of qualifying holdings (10 percent or more) must be notified in advance to CBI, which has time to assess proposed changes before deciding whether new shareholders are suitable, and to object if legal criteria are not met, according to Act No. 161/2002, Chapter VI, articles 40 to 49(a), EBA Joint Guidelines for the prudential assessment of acquisitions of qualifying holdings, as well as Guidelines on Information requirements. A merger between financial undertakings is subject to prior approval of CBI (article 106). CBI has recently updated its internal process in such a way that owners of qualifying holdings will have to complete an annual questionnaire that contains questions on the beneficial ownership of their qualifying holdings. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor has the power to reject any proposal for a change in significant ownership, including beneficial ownership, or controlling interest, or prevent the exercise of voting rights in respect of such investments to ensure that any change in significant ownership meets criteria comparable to those used for licensing banks. If the supervisor determines that the change in significant ownership was based on false information, the supervisor has the power to reject, modify or reverse the change in significant ownership. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI has legal power to reject changes of significant ownership, as stated by Act No. 161/2002, Chapter VI on holdings and treatment of holdings. Assessment process and criteria are developed in article 42(a). Provisions on eligibility assessment, including CBI’s power to reject a proposed acquisition (because it is not eligible, or notification has not been sent to CBI), are developed in articles 43 and 46. Provisions on CBI’s power to amend a previous decision are developed in article 49 on disclosure obligations and ongoing evaluation of the eligibility of owners of qualifying holdings. The CBI has the power to cancel voting rights of a new shareholder assessed as non-eligible, and to request this shareholder to sell the related bank shareholding (Article 46). In addition, the CBI may revoke a banking license if the application is based on incorrect information (Article 9). Clarification was requested during the mission about the legal deadline relating to approval delivery. Act No. 161/2002, article 42, mentions that: “Should the conclusion of the Financial Supervisory Authority not be available within the evaluation period as provided for in the third paragraph [60 days], it may be concluded that the Financial Supervisory Authority does not object to the plans of the party intending to acquire or increase a qualifying holding in the credit institution in question.” Such legal provision might be understood as obliging CBI to accept implicit approval of transfer of significant ownership, which might put CBI at risk. Though implicit approval of any licensing request should be considered as not appropriate, whatever the underlying reason, CBI explained to BCP assessors that in any case the deadline shall start when CBI has decided that the application for transfer of significant ownership has successfully met information and documentation requirements, so that supervisors would not be forced to decide implicitly without getting proper information and documentation. In the last five years, CBI/FSA has not identified any need to require a change of control of a bank that was made without a notification or approval. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor obtains from banks, through periodic reporting or on-site examinations, the names and holdings of all significant shareholders or those that exert controlling influence, including the identities of beneficial owners of shares being held by nominees, custodians and through vehicles that might be used to disguise ownership. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Act No. 161/2002, article 19, states that banks must disclose a list of every shareholder owning 1 percent or more of their share capital or guarantee capital on their website. This list must be continuously updated, all changes in ownership being reflected within four days. Further, for shareholders who are legal entities, banks must also disclose a list of their beneficial owners. In addition, article 48 states that banks admitted to trading on a regulated market must submit a yearly report to CBI detailing owners of qualifying holdings of their capital. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor has the power to take appropriate action to modify, reverse or otherwise address a change of control that has taken place without the necessary notification to or approval from the supervisor. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Act No. 161/2002, article 45, addresses the issue of any failure of regulated banks to notify CBI of any change of qualifying holding. In that case, voting rights exceeding the threshold for a qualifying holding are canceled. In addition, article 46 states that, if CBI finds an ineligible owner owning a qualifying holding, voting rights exceeding the threshold for a qualifying holding are canceled, and the related owner must sell shares exceeding the same threshold within two months, or within another timeframe as decided by CBI. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
Laws or regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Act No. 161/2002, article 8, obliges banks to notify CBI of any information that may affect whether the institution fulfills licensing requirements. This is a generic provision that does not explicitly mention the suitability of shareholders. Regarding shareholders, Chapter VI on holdings and treatment of holdings is not clear about banks’ obligation to inform CBI of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Consequently, it is recommended that Act No. 161/2002 be amended to explicitly require banks to notify CBI as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Such additional legal provision could possibly be extended to significant, but non-major, shareholders, even to tentative shareholders (at least major tentative shareholders, also non-major tentative shareholders too, if useful), so that CBI be involved in early examination of the suitability of existing or new shareholders which may adversely impact banks. CBI would then have large legal powers of preventive or corrective action against non-suitable shareholders, which may be useful powers considering recent issues raised by the privatization of a major bank. In that regard, according to the government’s website at the time of the BCP assessment mission, the MoFEA was planning to present a bill for debate in Parliament in November 2022 [postponed to February 2023 after the mission] which purpose is changing the sale proceedings of government equity stakes (in Icelandic only): https://www.stjornarradid.is/rikisstjorn/thingmalaskra/. No detailed information was available at the time of the mission in addition to the short following statement (translated from the above-mentioned source): “(16) Draft law on the treatment of the state’s holdings in companies. The bill aims to strengthen the handling of the state’s holdings in companies through a changed arrangement, where increased emphasis will be placed on transparency, equality, democratic involvement of parliament and the provision of information to the public”. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 6 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Regulation of transfer of significant ownership has been upgraded to provide CBI with adequate authorization powers of significant changes of banks’ shareholdings. Yet Act No. 161/2002 is not clear enough about banks’ obligation to inform CBI of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Though Act No. 161/2002, article 8, obliges banks to notify CBI of any information that may affect whether the institution fulfills licensing requirements, this article does not explicitly mention the suitability of shareholders. In addition, Chapter VI on holdings and treatment of holdings is not clear about banks’ obligation to inform CBI of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. It is recommended that Act No. 161/2002 be amended to explicitly require banks to notify CBI as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Such additional legal provision could possibly be extended to significant, but non-major, shareholders, even to tentative shareholders (at least major tentative shareholders, also non-major tentative shareholders too, if useful), so that CBI be involved in early examination of the suitability of existing or new shareholders which may adversely impact banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 7 |
Major Acquisitions The supervisor has the power to approve or reject (or recommend to the responsible authority the approval or rejection of), and impose prudential conditions on, major acquisitions or investments by a bank, against prescribed criteria, including the establishment of cross-border operations, and to determine that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws or regulations clearly define:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
The applicable legal framework has not laid down explicit provisions relating to “major acquisitions” envisaged by regulated banks, that is quantitative limitations, as well as qualitative risk management rules. Making such provisions explicit in the law would simply clarify the regulation framework on this topic. Yet the existing legal and regulatory framework may compensate this formal gap. Existing laws and regulations are restrictive regarding conditions applicable to banks on major acquisitions. The related legal framework mostly focuses on 4 topics: (i) ancillary activities; (ii) qualifying holdings in banks’ capital; (iii) mergers of regulated banks; and (iv) limits on large exposures. Banks cannot decide major acquisitions out of the scope of the above-mentioned list of 4 topics. On major acquisitions, CBI refers to Act No. 161/2002, article 21 on other services and ancillary activities, and article 22 on temporary activities and takeover of asset. CBI has published guidelines regarding side activities and temporary activities of credit institutions (in Icelandic only) specifying the conditions for each category of investments: https://www.fme.is/thjonustugatt/hlidar-og-timabundin-starfsemi/. 1°/ Ancillary Activities Banks must notify CBI before pursuing ancillary activities. Article 21 states that banks can pursue ancillary activities provided they are a “normal extension” of their financial services, for example ownership of a company that buys claims from third parties, or any other kind of subsidiary established by the bank. In practice, as established per CBI’s guidelines, banks need only notify if they have an equity interest equal to, or more than 20 percent in another entity. Banks have to notify CBI of the pursuit of ancillary activities even if they have an equity stake lower than 20 percent if they nominate a board member of the entity. If CBI raises no objection to proposed ancillary activities within one month of receiving satisfactory notification, this shall be interpreted as authorization for commencing such activities. 2°/ Mergers A merger of a bank with another financial undertaking is only permitted with the consent of CBI (Act No. 161/2002, article 106). 3°/ Equity interest arising from the work-out of problem exposures Banks may only pursue activities other that permitted activities listed in Act No. 161/2002 on a temporary basis and for the purpose of completing transactions or restructuring clients’ operations. Banks can therefore acquire equity stakes in entities in the course of working out problem exposures. CBI needs to be notified, with supporting reasoning given for equity stakes. As a general rule, banks must dispose of such equity stakes within 12 months. CBI can prolong this timeframe, for instance in case of illiquid assets. 4°/ Limits on acquisitions stemming from rules on large exposures A bank’s aggregate exposure to non-consolidated subsidiaries and other related parties may not exceed the limits set by rules on large exposures, according to EU regulation CRR (article 395) which is implemented into Icelandic Law by Act No.161/2002, article 1(c). 5°/ Absolute limits on qualifying holdings to banks’ capital Referring to CRR, articles 89-91, CBI imposes two limits on banks’ qualifying holdings in non-financial companies: (i) banks may not own qualifying holdings in individual financial or non-financial undertakings amounting to more than 15 percent of their (banks) capital base; and (ii) banks’ total qualifying holdings in non-financial undertakings may not amount to over 60 percent of banks’ capital base. Legal criteria on major acquisitions have been enhanced as a consequence of the modification of Act No. 161/2002 on qualifying holdings (see CP6 EC6). At present, the legal approach on regulating major acquisitions relies on quantitative thresholds applicable to qualifying holdings, as well as qualitative criteria on effective control that may exist below legal thresholds. In that sense, the finding highlighted in the 2014 ROSC on CP7 has been addressed, regarding major acquisitions of banks in other financial institutions. Based on this legal framework, CBI has the capacity to examine major acquisitions envisaged by banks, and assess banks’ capacity to complete related transactions, from a risk-based perspective. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
Laws or regulations provide criteria by which to judge individual proposals |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Act No. 161/2002, supplemented by EBA’s and CBI’s guidelines, set out rules used by CBI when approving banks’ proposed investments:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
Consistent with the licensing requirements, among the objective criteria that the supervisor uses is that any new acquisitions and investments do not expose the bank to undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.44 The supervisor can prohibit banks from making major acquisitions/investments (including the establishment of cross-border banking operations) in countries with laws or regulations prohibiting information flows deemed necessary for adequate consolidated supervision. The supervisor takes into consideration the effectiveness of supervision in the host country and its own ability to exercise supervision on a consolidated basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI has a broad general legal power to restrict activities of a bank, according to Act No. 161/2002, article 10(a): “The Financial Supervisory Authority may restrict the activities of individual establishments if it sees specific reason to do so.” CBI is further empowered to set conditions for the continued operations of individual operating units. Act No. 161/2002, article 39 on purchase of shares in a foreign financial undertaking, applies to the establishment of banks’ cross-border banking operations, If a bank intends to purchase or exercise a qualifying holding in a foreign financial undertaking, it must notify CBI in advance. In case of qualifying holdings in entities located outside of the EEA, CBI may prohibit such acquisition if it has legitimate grounds to presume that information provision for this activity will not be sufficiently reliable, or may impede consolidated supervision, or may create obstacles to the orderly resolution of the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that the bank has, from the outset, adequate financial, managerial and organizational resources to handle the acquisition/investment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
As a general rule, CBI must analyze the safety and soundness of the types of investment set out in CP7 EC1, which includes financial and managerial resources. CBI has published a checklist on its website that describes the process and requirements for the approval of merger of financial undertakings. CBI is currently finalizing the internal manual to improve its assessment procedures with regards to adequacy of financial, managerial and organizational resources (November 2022). CBI provided a concrete illustration case of supervisory assessment of a major acquisition submitted by a regulated bank to the approval of CBI which demonstrates effective implementation. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor is aware of the risks that non-banking activities can pose to a banking group and has the means to take action to mitigate those risks. The supervisor considers the ability of the bank to manage these risks prior to permitting investment in nonbanking activities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
CBI is aware of the risks that non-banking activities can entail and has thus limited the banks’ ability to engage in non-banking activities, for instance by limiting banks’ ability to pursue ancillary activities only as a normal extension of their financial services (as developed under CP7 EC1). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 7 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
As for transfer of significant ownership (CP6), regulation of major acquisitions envisaged by banks (CP7) has been enhanced accordingly, with the introduction of the qualitative criteria of significant influence in addition to standardized quantitative thresholds, which enables more flexibility for implementing risk-based supervision of major acquisitions. Legislation and regulation, notably Act No. 161/2002, do not include a specific Section on “major acquisitions” explicitly, yet the combination of legal provisions on ancillary activities, mergers, equity interest arising from the work-out of problem exposures, and regular prudential requirements on large exposures, may compensate. Yet semantic clarification of legal requirements on authorization of major acquisitions envisaged by banks would be useful. The legal regime of major acquisitions is restrictive to banks, which have not developed a significant development strategy through major acquisitions. CBI has adequate powers to examine and possibly reject any major acquisition envisaged by a bank. Based on the recent case of a major acquisition made by a non-systemic Icelandic bank through its UK subsidiary, CBI may wish to upgrade its capacity to supervise major acquisitions at consolidated level further, even if it may create some duplication with the host country, yet this single case looks as it has been closely monitored by CBI. No main finding has been identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 8 |
Supervisory Approach An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become non-viable. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor uses a methodology for determining and assessing on an ongoing basis the nature, impact and scope of the risks:
The methodology addresses, among other things, the business focus, group structure, risk profile, internal control environment and the resolvability of banks, and permits relevant comparisons between banks. The frequency and intensity of supervision of banks and banking groups reflect the outcome of this analysis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
CBI/FSA utilizes a supervisory review and evaluation process (SREP) for less significant institutions (LSI) under the single supervisory mechanism (SSM) overseen by the European Central Bank (ECB). EBA’s Guideline on common procedures and methodologies for the supervisory review and evaluation process and supervisory stress testing (EBA/GL/2014/13 updated 19 July 2018) provided the basis for CBI/FSA’s SREP framework. As part of the EEA, Iceland is obligated to abide by the EU framework, both from a banking legislative stance as well as in its supervisory approach for banking supervision. EEA members have considerable freedom to develop their own supervisory approaches on the basis of the SSM LSI SREP methodology. While the ECB sets overarching boundaries (e.g., in terms supervisory priorities, SREP methodology, joint supervisory standards, supervisory cycle and allows for a proportionate approach), national competent authorities/EEA members can develop within these boundaries their own supervisory framework and approach for LSIs tailored to the local circumstances. CBI/FSA’s SREP methodology is outlined in a document entitled Common Criteria and Methodologies for SREP (CBI/FSA’s SREP methodology). This document is to be read in conjunction with three Annexes, all published on CBI/FSA’s website, entitled:
The Icelandic authorities have been utilizing its SREP methodology since 2016. As outlined in Sec 2.1 of CBI/FSA’s SREP methodology, the SREP score is one of the key drivers for the frequency and intensity of supervisory activities (including both the minimum engagement level (MEL) and the supervisory examination program (SEP)). The Figure below provides a high-level overview of the SREP, depicting the general phases of the overall SREP assessment, including: i) classification or categorization of institutions; ii) monitoring of key indicators; and iii) an assessment of the business model analysis (BMA), strength of internal governance and institution-wide controls, and the overall assessment of the impact of all risks to an institution’s capital and liquidity and funding. Once the overall SREP assessment is completed, CBI/FSA may determine the appropriate supervisory measure pertaining to an institution’s capital and liquidity or other appropriate supervisory measures. The SREP framework also includes intervention measures (as per Article9, 86(h) and 107(c) to (e) of Act No. 161/2002).
As per Article 86(b) of Act No.161/2002, CBI/FSA’s categorization of banks has resulted in the classification of three Domestic Systemically Important Banks (D-SIBs) based on an annual assessment, approved by the FSN, that takes into consideration, among other criteria: a) the size of the group; b) interconnectedness of the group with the financial system; c) whether the services or financial infrastructure provided by the group are available elsewhere (substitutability); d) complexity of the group; and e) scope of international activities. Note that the resolvability assessment of the banks is undertaken as part of the classification system, but also as part of the business model assessment and the formal resolvability assessment undertaken by X. (please see EC X for more detail). These three D-SIBs are considered high impact institutions as per the table below.
According to CBI/SREP methodology, CBI/FSA undertakes business model analysis that aims to identify possible threats to the viability of the business model and the sustainability of the overall strategy of the institution. The business model analysis includes an analysis of the business focus (overall strategy based on the risk appetite of the bank), and the organizational structure (to assess risks from entities in the group and the structure overall) as well as addressing a resolvability issues identified as part of the risk assessment, among other things. See sec 2.4.1 of the SREP methodology. CBI/FSA’s assessment of the internal governance and institution-wide controls involves, among other things, the assessment of the bank’s overall governance framework, risk management framework pertaining to ICAAP/ILAAP, and information systems, etc. CBI/FSA monitors key risk indicators on a quarterly basis using regulatory data as well as undertaking a risk assessment of the D-SIBs across all key risks (both quantitative and qualitative assessment), resulting in a risk report. There is a comparison of institutions, and the D-SIB risk reports are provided to the Director of Banking, the DG of Financial Supervision, and the Governor. Aggregate risk reporting is provided to the FMEN regarding the D-SIBs. The Icelandic SREP framework is based on a proportionality approach, that takes into consideration the impact category rating of the institutions which results in a SREP score (see table below in EC2) and distinguishes between the nature/intensity and frequency of the SREP. For a high impact institution, a full SREP is completed annually and is aligned with CBI/FSA’s minimum engagement model (see EC2 for more detail on the MEM). Other categories of impact result in a proportionately timed analysis ranging from two to four years frequency. Note that the SREP score of F (one level below score 4) indicates that the institution is “failing or likely to fail” and is subject to early intervention measures pursuant to Article 86(h) of Act No. 161/2002 or measures pursuant to Chapter XII and Temporary Provision VI of the same Act - outlining CBI’s resolvability framework. CBI/FSA has an extensive Supervisory Handbook (CCQ) for supervisors to know and understand each aspect of what needs to be assessed for each component of the SREP processes, included guided questions the supervisors should ensure they obtain answers on as part of their risk assessment. Although not impacting CBI supervisors’ capability in undertaking its SREP assessment, it was noted that certain aspects of this Handbook need to be updated (e.g., where new risks have not been defined, or where the Handbook is outdated and not in line with CBI’s current supervisory framework such as the use of the new supervisory assessment system). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor has processes to understand the risk profile of banks and banking groups and employs a well-defined methodology to establish a forward-looking view of the profile. The nature of the supervisory work on each bank is based on the results of this analysis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
As indicated in EC1 CBI/FSA, based on the categorization of institutions, an annual SREP assessment is undertaken for the D-SIB based on these banks’ high impact category rating. Therefore, for the D-SIBs, CBI/FSA undertakes a considerable amount of forward looking analysis through the utilization of stress testing methodology for the BMA analysis as well for the assessment of ICAAP and ILAAP as well as meeting with bank’s risk experts/management to understand the results of these forward looking views. Should the analysis reveal issues/concerns (for example, if CBI’s analysis of a DSIBs ICAAP with respect to a certain kind of credit product was not adequate, CBI may request additional information from the bank, require additional or different stress testing, and or undertake an on-site credit review to obtain additional supervisory information to conclude on the bank’s overall SREP score/risk assessment), further work/follow up is undertaken by the supervisors. CBI/FSA makes a determination/conclusion on the assessment which could result in an additional prudential requirement (e.g., additional Pillar II capital requirements, etc.). The results of such analysis are taken into consideration for the determination of the SREP score. CBI/FSA uses stress testing to determine the impact of a baseline scenario on an institution’s income statement and balance sheet and to determine whether its own funds are sufficient to meet the overall capital requirement over the forecasted period (Sec 2.4.1 of the SREP framework). As part of the ICAAP review process, CBI/FSA undertakes an assessment of the institutions’ stress testing results pertaining to credit, counterparty and concentration risk; market risk; IRRBB and operational risk. CBI/FSA also undertakes an assessment of institution’s ILAAP, including the results of the stress testing of risks to liquidity and funding. CBI/FSA’s SREP framework/assessment results in a SREP score of 1 (minimal risk identified) to 4 (very high levels of risk identified), and includes an additional negative rating of F (as mentioned in EC1), please see table below for a further description. Note that the SREP score of F (one level below score 4) indicates that the institution is “failing or likely to fail” and is subject to early intervention measures pursuant to Article86(h) of Act No. 161/2002 or measures pursuant to Chapter XII and Temporary Provision VI of the same Act - outlining CBI’s resolvability framework. Any results of the SREP (e.g., assessment of Pillar 2 requirements), are publicly released as per CBI’s transparency requirements Article9(a) of Act No. 87/1998. The SREP score is not communicated to either the bank or the public.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor assesses banks’ and banking groups’ compliance with prudential regulations and other legal requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Icelandic banks are required to comply with prudential regulations and many other legal requirements given the necessity to abide by the EU regulatory framework. This at times makes the assessment of banks’ compliance with prudential and other legal requirements a somewhat complicated task. CBI/FSA has mapped all prudential regulations and other legal requirements into one document to maintain an evergreen list of requirements. Prudential regulations and requirements are in place and are closely tracked through regulatory reporting (monthly, quarterly, annual, etc.) based on FINREP and COREP and in some cases additional reporting (e.g., Portfolio Loan Analysis for credit risk, which tracks loan quality data; credit registry, which highlights large exposures and connected clients) and ad hoc reporting when CBI/FSA deems it necessary (e.g., exposures to problematic countries, etc.). Further, CBI/FSA closely monitors other legal requirements (e.g., governance - fit and proper requirements, ultimate beneficial ownership, AML/CFT etc.). CBI/FSA prepares a risk report (D-SIBs) that pulls all risk assessments together (prudential minimum requirements across all risk areas, off-site analysis, on-site inspection results, etc.) which is reported up through to senior management on a quarterly basis. Further, banks are also closely monitoring internal prudential limits that go beyond minimum prudential and regulatory requirements (embedded in among other things recovery plans) and are legally bound to inform CBI/FSA immediately (e.g., Article 52(e) of Act No. 161/2002). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor takes the macroeconomic environment into account in its risk assessment of banks and banking groups. The supervisor also takes into account cross-sectoral developments, for example in non-bank financial institutions, through frequent contact with their regulators. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
The assessment of the macroeconomic environment in Iceland is carried out by the Financial Stability Unit (FSU) in CBI. In addition, the FSU also carries out the inherent liquidity risk assessment for the D-SIBs as well as overseeing liquidity and funding risk for the entire financial sector. Prior to the FME and CBI merger, representatives of the FSU would meet to discuss various issues. All liquidity data is shared amongst the banking supervisors and the FSD staff. Post-merger, CBI/FSA is able to ensure more frequent communication and cooperation than before between supervisors from financial supervision with specialists in the FSU as well as with the supervisors for non-bank financial institutions that CBI/FSA regulates. Even though this integration and cooperation is still being evolved and formalized, progress has been made to connect micro and macro prudential supervision and integrate it into prudential decisions on individual and market level. Wider spectrum of collected data is now available for bank and non-bank markets and CBI/FSA now has access to regular information and analysis from financial stability on economic development and on the market situation at each time. For example:
CBI/FSA incorporates the factors of the macroeconomic environment into its forwardlooking supervision in its assessment of BMA, ICAAP/ILAAP as well as financial statements (e.g., D-SIBs adhere to IFRS 9 financial asset valuation standards) which both form part of the SREP process and add to the assessment of the buildup of risk in banking sector. Cooperation is critical between the Banking Department and FSU that evaluates banks’ macroeconomic assumptions with peer review and comparison to publicly available forecasts on the macroeconomic environment. Emphasis is on challenging the presumptions of the banks for their forward planning and estimation of evolution of risk in their operations and forecasts. CBI supervises all non-bank financial institutions such as payment institutions, pension funds, investment funds and insurance companies etc. CBI/FSA therefore possesses a first-hand overview of the banking sector and non-bank financial sector and its developments. The outcome of this review is incorporated into not only the risk assessment in SREP for each supervised entity but in an aggregated way to assess the banking sector which is regularly presented to the FSN and the FMEN. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor, in conjunction with other relevant authorities, identifies, monitors and assesses the build-up of risks, trends and concentrations within and across the banking system as a whole. This includes, among other things, banks’ problem assets and sources of liquidity (such as domestic and foreign currency funding conditions, and costs). The supervisor incorporates this analysis into its assessment of banks and banking groups and addresses proactively any serious threat to the stability of the banking system. The supervisor communicates any significant trends or emerging risks identified to banks and to other relevant authorities with responsibilities for financial system stability. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
The FME monitors, identifies and assesses the build-up of risks (e.g., credit and problem assets/adequacy of provisioning, liquidity and funding risk, market and IRRBB, etc.), trends and concentrations within and across the banking system as a whole through different supervisory means such as different on-site and off-site inspections, reviewing of regular reporting from the banks, through the SREP process. The FME communicates significant trends and emerging risks to the banks through the SREP process as well as by other different means depending on each situation. System-wide risks, such as those arising from international imbalances or excessive risk concentration potentially leading to sectorial bubbles (e.g., residential, or commercial real estate) are monitored by the FSU. It is based on analysis performed by CBI/FSA and other EU institutions, particularly macro-prudential analysis. Sectorial analysis also facilitates the understanding of key market developments. The most important findings of the banks are regularly reported to CBI committees where the MoFEA is present. The financial position and the major concerns of the supervisors regarding the condition of the banks or the banking sector is presented to the FSN and the FMEN quarterly and more frequently if required by certain circumstances. Furthermore, Directors within CBI/FSA have weekly meetings where major concerns can be discussed if needed. Last, CBI publishes its Financial Stability report twice a year wherein all macroeconomic variables, significant trends and emerging risks are discussed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
Drawing on information provided by the bank and other national supervisors, the supervisor, in conjunction with the resolution authority, assesses the bank’s resolvability where appropriate, having regard to the bank’s risk profile and systemic importance. When bank-specific barriers to orderly resolution are identified, the supervisor requires, where necessary, banks to adopt appropriate measures, such as changes to business strategies, managerial, operational and ownership structures, and internal procedures. Any such measures take into account their effect on the soundness and stability of ongoing business. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and findings re EC6 |
As part of CBI/FSA’s on-going SREP assessment, analysis is carried out regarding banks’ organization structure, systems, outsourcing arrangements, etc., taking into consideration the bank’s risk profile and systemic importance. The objective of this assessment is to provide the foundation for a strategy/or measures that CBI/FSA should adopt to ensure resolvability issues are dealt with in advance of a problem. At the FSN’s meeting of 28-29 September 2021, the Resolution Authority45 presented draft resolvability assessments for the D-SIBs. Thereafter, the FMEN’s opinion of the resolvability assessments was sought (as per the FSN’s Rules of Procedures). After no comments from the FMEN, at the meeting held 5 November 2011 (minutes published on 29 November 2011), the FSN approved the resolvability assessments of the D-SIBs (no major requirements for D-SIBs resulted from the resolvability assessments - especially given the straightforward ownership structure of the banks post financial crisis) . No issues remain with respect to CBI/FSA’s ability to resolve the D-SIBs. Assessors noted that the financial supervisors did not provide input into the drafting of the resolvability assessments prior to being submitted to the FSN. Although the FMEN was able to provide input/comments after the development of the resolvability assessment. It would be beneficial to involve the financial supervisors in future versions, given their deep knowledge of the D-SIBs. Furthermore, on 26 April 2022, CBI announced publicly46 that the Resolution Authority prepared approved resolution plans for Iceland’s D-SIBs. (please see EC7 for more details on the role of the Resolution Authority and the resolution plans put in place for the D-SIBs). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor has a clear framework or process for handling banks in times of stress, such that any decisions to require or undertake recovery or resolution actions are made in a timely manner. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
CBI/FSA has an internal framework in place for handling banks in times of stress. At the outset, early detection of bank weaknesses are considered a part of the SREP process and the regular monitoring of each bank. KRI’s have been defined for each risk and signs of increased risk are addressed in the risk assessment. The close co-operation between supervisors within the Banking Department, Compliance and Financial Stability ensures that any signs of stress are addressed in a timely manner. CBI/FSA does have the ability to call an emergency or special FMEN meeting to deal with an emerging issue with a problem bank. Further, CBI/FSA has a framework and operational processes for handling banks in times of elevated stress that require actions to be taken in a timely manner. Internal mechanisms for dealing with problem banks are established however a document formalizing the escalation process is in the midst of being finalized. A working group is in the process of drafting a manual to formally describe the framework and the escalation process within CBI for handling banks in times of stress related to own funds or liquidity. This document reflects expectations of CBI/FSA supervisors to raise issues on a timely basis up to senior management and including the use of intervention tools, strategies and enforcement actions (such decisions are taken by the FMEN). Moreover, part of the framework includes ensuring that D-SIBs (that make up 94 percent of total assets in the banks sector as at end of June 2022) have both a recovery and resolution plan in place. Early intervention is considered by CBI/FSA when:
Assessors are of the view that waiting until the overall SREP score or the viability score for one of the main risk elements is rated 4 would not be deemed “early intervention”. CBI should re-assess when it chooses to undertake “early intervention” measures to ensure it acts on a timely basis when necessary. Further, CBI/FSA should be taking corrective action well before banks reach regulatory capital and/or liquidity prudential requirements. Supervisory measures are utilized when needed as stipulated in Article107(a) of Act No. 161/2002. Article107(c) outlines all early intervention tools available to CBI/FSA which is also in line with the EBA GL on triggers for use of early intervention measures (EBA/GL/2015/03), pursuant to Article27(4) of Directive 2014/59/EU. Recovery plans, which have been prepared since 2017-18, are assessed on a yearly basis. Recovery plans are suited to list appropriate measures for recovery based on strategic analysis of core business lines and critical functions. CBI/FSA’s assessment of these plans includes a review of the proposed measures in connection to the scenario analysis is conducted in the recovery plan. Further, in accordance with Article 4, Paragraph 2, of the Act on Resolution of Credit Institutions and Investment Firms, No. 70/2020 (Act No.70/2020 or the Resolution Act) and Rule No. 1733/2021, CBI together with the Resolution Authority will, among other things, put in place resolution plans for the D-SIBs. It is the decision of the FMEN if an institution is deemed to be failing or likely to fail (i.e., those that are unable to service their liabilities or are highly likely to be unable to do so) with the Governor of CBI who takes the final decision on the resolution process itself. Further the resolution plans cover the execution of bank resolution in the event that their financial position deteriorates to the point that they are deemed failing or likely to fail. Should a D-SIB fail, the resolution plan assumes that it will be possible to resolve it quickly and securely, and without funding from the Treasury or CBI. Resolution is intended to ensure that households and businesses continue to have unrestricted access to critical functions, thereby supporting financial stability in Iceland. Arts 98-106 of Chapter XII of Act No. 161/2002 describes CBI’s legal framework in dealing with bank’s financial reorganization, winding up and mergers of financial undertakings in a crisis. All decisions of such nature are undertaken by the FMEN. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
Where the supervisor becomes aware of bank-like activities being performed fully or partially outside the regulatory perimeter, the supervisor takes appropriate steps to draw the matter to the attention of the responsible authority. Where the supervisor becomes aware of banks restructuring their activities to avoid the regulatory perimeter, the supervisor takes appropriate steps to address this. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
Article 20 and 21 of Act No. 161/2002 outlines the authorized activities of credit institutions and other permitted and ancillary activities. Further, Article 3 states that only legal entities that are licensed as credit institutions may operate by collecting deposits or other repayable funds from the public. Therefore, if a firm wishes to undertake banking activities or a current bank wishes to undertake a new area of business that is not outlined in its current license, it must first obtain the prior approval of CBI. CBI regularly monitors the market for any firms operating bank-like activities, as well as undertaking an annual project to actively survey the market for any new institutions within specific ISAT categories and checking for key wording linked to banking activities. If a firm is found to be undertaking bank-like activities without a license, further investigation is conducted and if appropriate, CBI can impose administrative fines (as per Article 110(1) of Act No. 161/2002) which states that CBI/FSDA may level administrative fines on any party violating Article 3, prohibiting pursuit of activities subject to license without an operating license. Further, CBI may inform the public through the publication of a transparency announcement (as per Article 9(a) of Act No. 87/1998). Decisions of this nature are taken by CBI’s FMEN. Internal procedures (e.g., CCQ) exist regarding what steps CBI representatives are required to address regarding a case of a firm undertaking bank-like activities. Last, CBI/FSA supervisors review banks’ activities, including any restructuring initiatives that could avoid or circumvent certain conditions of law, rules, and regulation. In each such case, the Authority responds appropriately and demands that the banks rectify the situation. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 8 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
FSA/FME fully implemented its risk based SREP framework in 2019 which is based on a proportionality approach, that takes into consideration the impact category rating of the institutions which results in a SREP score and distinguishes between the nature/intensity and frequency of the SREP. For a high impact banks, a full SREP is completed annually and is aligned with CBI/FSA’s minimum engagement model that include deep analysis of ICAAP/ILAAP, BMA, etc. Other categories of impact result in an analysis ranging from two to four years frequency which in practice does not provide adequate supervisory coverage for these institutions, as most of the financial supervisor’s time/attention is focused on the DSIBs. For example, the forth commercial bank (not a D-SIB), although classified as medium to low impact, has experienced additional growth, etc. in the past year which should therefore have resulted in additional frequency of supervisory assessment or contact with senior management of the bank. CBI undertakes a quarterly risk assessment analysis for high impact banks, speaks to bank’s senior management quarterly and rolls this assessment into the SREP framework culminating in a SREP score. CBI’s SREP methodology is very labor intensive, and therefore it is important to ensure it has an on-going, ever green view (e.g., not just annually) of the risk assessment/risk profile of the banks, especially for DSIBs. Last, CBI’s SREP methodology should reflect early intervention measures well before a bank reaches capital and/or liquidity minimum prudential requirements. Further, CBI should not wait until the overall SREP score or the viability score for one of the main risk elements is rated 4 to take intervention measures as this would not be deemed “early intervention”. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 9 |
Supervisory Techniques and Tools The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor employs an appropriate mix of on-site47 and off-site48 supervision to evaluate the condition of banks and banking groups, their risk profile, internal control environment and the corrective measures necessary to address supervisory concerns. The specific mix between on-site and off-site supervision may be determined by the particular conditions and circumstances of the country and the bank. The supervisor regularly assesses the quality, effectiveness and integration of its on-site and off-site functions, and amends its approach, as needed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
On-site and off-site supervisory functions are split amongst several departments within CBI/FSA that work very closely together and are described as follows:
The Banking Department oversees the SREP process cycle and will request, as part of the planning process, the on-site inspection team to undertake an area of particular concern. In addition, at times, there is a need for a follow-up inspection concerning any shortcomings that were found as highlighted in previous on-site inspections. During CBI/FSA’s Supervisory Work Programme process formal requests are made by the Banking Department for on-site inspections, together with a justification. Meetings are usually held with the Inspections department to further clarify the request, scope the inspections, including holding discussions to determine the best way to conduct the onsite. During each on-site inspection regular meetings are held between the Inspections department and Banking department to provide progress update. The IA of CBI/FSA regularly assesses the main processes for off-site and on-site supervision providing feedback and recommendations. Post-merger of CBI and the FSA, the IA undertook several reviews to ensure that the various areas dealing with banking supervision and regulation were working as it should. Assessors reviewed several D-SIB supervisory files pertaining to the quarterly risk assessment and risk report, SREP analysis (BMA, ICAAP and ILAAP) which appeared to be extensive in both in how the analysis is undertaken/captured and then communicated to banks. Any observations from on-site inspections are also rolled into these various assessments. Further, assessors reviewed example on-site inspection reports for various D-SIB “thematic reviews”. The on-site risk specialists are very knowledgeable, have industry experience and are very capable of undertaking reviews across various risk areas. The onsite inspections are generally carried out on a thematic review basis, covering all three D-SIBs. Individual follow-up inspections are carried out when necessary. It was noted that when undertaking an on-site credit risk review, the inspectors would choose a limited sample of credit files to review, albeit these files would potentially be classified as large exposures, and then make broader comments/conclusions on the bank’s overall practices. It is recommended that future on-site inspections are undertaken, particularly for the D-SIBs, with larger sample sizes and overall, a deeper scope across the various aspects of the risk area. Further, with the extensive EBA guidelines that have been released over the past several years, it would be beneficial for CBI to undertake deeper on-site inspections of the DSIBs’ various material risk areas to ensure adequate compliance with these newly adopted guidelines. Overall, the mix of off-site supervision with on-site inspection appears to be appropriate with most of the work being allocated to the D-SIBs. However, the approach of the onsite inspection should be re-assessed to ensure that the depth of the reviews encompasses, on a risk basis, the review of adequate policies and procedures, internal controls, including the strength of bank’s risk management processes. Further, CBI should implement a standard for the frequency of on-site inspections applicable for all banks, regardless of impact rating. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor has a coherent process for planning and executing on-site and off-site activities. There are policies and processes to ensure that such activities are conducted on a thorough and consistent basis with clear responsibilities, objectives and outputs, and that there is effective coordination and information sharing between the on-site and offsite functions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
As part of the annual supervisory planning process, the supervisory tasks planned for the following year is based on the outcome of the risk assessments undertaken over the prior year, together with the results of the SREP process and prior on-site inspections. In general, future tasks are scheduled to mitigate the risk identified using the most appropriate measures available (off-site or on-site inspections, follow-up meetings etc.). CBI/FSA’s methodology for the planning off-site risk assessment versus on-site inspections is also driven by the minimum engagement model (based on the impact rating) - please see CP8 EC1 for more detail. All tasks surrounding the planning cycle for both on-site and off-site supervisors is described in detail in CBI/FSA’s CCQ. For example, the list of the tasks for the following year that the off-site banking supervisors wishes the on-site inspectors to perform are listed as an input for the planning process. (VER-0107). Following this step, the CCQ then lists the processes that describe the “project planning” phase which helps determine the annual Supervisory Work Programme. Regular progress updates can be found as per processes VER-0041 and VER-0073 outlined in the CCQ. The off-site supervisors (owners) meet with the on-site inspection team to discuss planned tasks. The senior management of the Banking Department then decide/discuss what priorities need to take place for the coming year based on the resources available and finalize the Supervisory Work Programme for the following year, as well as prepare the budget planning process that results in a view of the Supervisory Work for the next 3-5 years. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor uses a variety of information to regularly review and assess the safety and soundness of banks, the evaluation of material risks, and the identification of necessary corrective actions and supervisory actions. This includes information, such as prudential reports, statistical returns, information on a bank’s related entities, and publicly available information. The supervisor determines that information provided by banks is reliable49 and obtains, as necessary, additional information on the banks and their related entities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI/FSA utilizes a variety of information, including prudential data (see CP10 for compliance with EBA reporting framework), additional reporting requirements, ad hoc data requests, data obtained from on-site inspections, risk reports and other documents directly from the bank, including shareholdings, as well as publicly available data to assess and evaluate the major risk categories on a monthly, quarterly, and annual basis. Additionally, CBI has an extensive data gathering from both supervised entities, other corporations, and institutions for various usage for central bank tools, such as Portfolio Loan Analysis (PLA), credit registry (corporate loans that provide collateral data and connected client/group information and data on real estate backed loans such as household mortgages). Not all data gathered by CBI (e.g., data collected by the FSU) is available to the Banking Department supervisors but if there is need for certain information available it can be requested and it is provided so long as personal client information is not released. CBI also subscribes to various databases and information centres like Bloomberg, S&P banking data (mostly used by the FSU). Further, CBI/FSA makes use of information from both open public sources as well as subscribed ones for on- and off-site supervision. Open sources like Firm registry - Skatturinn, National registry - Pjodskra (integrated into Vaki), Statistics Iceland from Hagstofan. With respect to shareholder information, Article19(4) of Act No. 161/2002 requires all financial undertakings to specify on its website the names and proportional holdings of all shareholders that hold 1 percent or more in the financial institution. Changes are to be updated in four days or less. Real owners are to be disclosed for legal entities that hold shares larger than 1 percent in the financial undertaking. Several CBI/FSA on-site thematic inspections have been carried out over the past 24 months to validate D-SIB’s reporting, covering the following topic: review data reporting in credit registry; the right use of SME-discount; review on the use of risk weights in COREP report - limited to certain risk weights and mitigation for loans with insurance in real estate (home and corporate); valuation review; and a review on forbearance50. All communications, findings and material important data are filed in OneCrm file management system of CBI/FSA. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor uses a variety of tools to regularly review and assess the safety and soundness of banks and the banking system, such as:
The supervisor communicates its findings to the bank as appropriate and requires the bank to take action to mitigate any particular vulnerability that have the potential to affect its safety and soundness. The supervisor uses its analysis to determine follow-up work required, if any. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
CBI/FSA uses a variety of tools to review and assess the safety and soundness of the banks as part of its SREP process and its quarterly monitoring risk assessment/risk reporting including KRIs. This assessment includes a review of: (a) the financial statements of the banks, issued on a quarterly basis. Following the review supervisors undertake meetings with the banks’ management to discuss CBI/FSA’s evaluation of risks inherent in the bank’s operations. (b) the banks business plans and models which are reviewed annually through the SREP process and challenged in this context. The different stress tests performed by the banks are also reviewed and challenged by CBI/FSA especially when analyzing the different types of risks in the SREP process (e.g., credit, concentration, liquidity and funding, market risk and IRRBB, etc.). (c) results of the quarterly risk assessment and risk reports provide senior management to make peer comparisons across all three of the D-SIBs. (d) results of bank’s stress testing is embedded in the ICAAP and ILAAP reports received and reviewed by CBI/FSA as part of its annual SREP assessment for the D-SIBs (less frequent review for the lower impact banks); and (e) corporate governance and internal controls are mainly monitored through the SREP process but also the evaluation of the eligibility and fit and proper conditions of the board of directors and the managing director of the bank is assessed regularly through off-site assessment processes. The quality of risk management of the various risk reviews is carried out when on-site inspections are undertaken but limited to the subject of the review (see CP15 for more information). Assessors are of the view that CBI does not undertake formal or deep assessments of bank’s corporate governance, including the quality of risk management or internal control functions, except through off-site analysis and when the on-site team happens to carry out a thematic on-site inspection (e.g., there is not a dedicated and focused review of corporate governance, etc.). The findings of the SREP process as well as off-site inspections are communicated to the banks including expectations on the requirements of banks to address any deficiencies identified. See EC8 for additional information on how the result of this analysis is carried out and the frequency of this communications. CBI/FSA follow-up with banks on its findings through the use of the bank IA, as well as through additional discussions or follow up on-site inspections. CBI/FSA tracks outstanding deficiencies in its internal system. Further, CBI/FSA also makes use of the EA to follow up on specific issues previously identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor, in conjunction with other relevant authorities, seeks to identify, assess and mitigate any emerging risks across banks and to the banking system as a whole, potentially including conducting supervisory stress tests (on individual banks or systemwide). The supervisor communicates its findings as appropriate to either banks or the industry and requires banks to take action to mitigate any particular vulnerability that have the potential to affect the stability of the banking system, where appropriate. The supervisor uses its analysis to determine follow-up work required, if any. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
CBI/FSA supervisory practices ensure constant awareness of the importance of individual institutions health and soundness for the banking and financial system as a whole. The Banking Department and the FSU work together with the purpose of identifying, assessing, and mitigating emerging risks, across banks and for the banking system as a whole. Risk is assessed on both on an individual bank and system-wide level in CBI. Macroprudential supervision stress tests are undertaken as part of the risk assessment under CBI/FSA’s SREP procedures as well as part of the bank’s recovery plan scenario analysis. Various stress tests and scenario analysis is used under and for assessment on various risk categories, according to Banking Department supervisory procedures that build on the SREP methodology. FSU and the Banking Department work together on assessing the stress test framework in ICAAP/ILAAP reports as well as the bank’s recovery plans. This analysis is mostly dedicated to the D-SIBs which represent close to 94 percent of total assets. Results of stress-tests, including potential vulnerabilities in D-SIBs overall risk profile is communicated to the bank. CBI’s approach is to adjust minimum capital or liquidity requirements for individual banks once vulnerabilities are detected. Assessors noted examples of where this is done in practice by CBI. FSU is also responsible for system wide stress test conducted by CBI. Macroprudential policy51 of CBI centres on safeguarding the stability of the financial system as a whole by limiting systemic risk. Its main objective is to enhance stability and increase resilience, thereby reducing the risk of financial shocks. In order to achieve its macroprudential objectives, CBI has macroprudential tools that it can apply when warranted. These tools generally take the form of CBI rules, including rules on capital buffers for financial institutions, foreign exchange balance, liquidity, and net stable funding, as well as rules restricting loan-to-value ratios and loan-to-income or debt service-to-income ratios for consumer mortgages. Decisions on the application of macroprudential tools are taken by the FSN. The Committee bases its decisions on an analysis of the position of the financial system, the financial markets, the economy as a whole, systemic risk, and resilience against potential shocks. CBI also carries out stress tests to evaluate resilience and conducts scenario analyses of key risk factors. The annual system wide stress test is a systemic one (e.g., a macroprudential stress test with a cyclical stress scenario). The scenarios used are published on CBI’s website and findings as well on aggregated level in the report in CBI’s Financial Stability Report. The credit registry gives a monthly overview of material exposures and systemic built up of risk in the banking system as a whole where financial undertakings with certain thresholds are required to report their loan portfolio to FME with the credit registry, version 3.0. FME can use this data and see how exposures to certain parties, connected parties or sectors is building up in the system and act on it if needed. The information is used to assess connections between debtors of banks and possible contagion effects between banks and to the economy as a whole. CBI/FSA recently received more extensive credit registry data that provides information for the whole loan portfolio of the bank beyond 300 million ISK. This will allow the FSU the ability to run special stress tests on the entire portfolio of banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor evaluates the work of the bank’s internal audit function, and determines whether, and to what extent, it may rely on the internal auditors’ work to identify areas of potential risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
CBI/FSA evaluates the work of the banks’ IA functions on a yearly and ad hoc basis. Once a year, at a minimum, the IA of D-SIBs reports to CBI/FSA on the conclusions of its reviews. The Banking Department meets with the bank’s IA to discuss the reviews undertaken and, in some cases, if the reviews are considered reliable, will rely on the results of such findings. Furthermore, the IA shall specifically and promptly report to CBI/FSA any comments made and submitted to the board of directors. The Banking Department/Compliance have asked for copies of IA reports of the D-SIBs for review of findings. Last, CBI/FSA may at any time subject the qualifications of the director of the IA to a special investigation if deemed necessary. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor maintains sufficiently frequent contacts as appropriate with the bank’s Board, non-executive Board members and senior and middle management (including heads of individual business units and control functions) to develop an understanding of and assess matters such as strategy, group structure, corporate governance, performance, capital adequacy, liquidity, asset quality, risk management systems and internal controls. Where necessary, the supervisor challenges the bank’s Board and senior management on the assumptions made in setting strategies and business models. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
As outlined in CBI/FSA’s SREP methodology for its minimum engagement model (e.g., the frequency of meetings with Board and senior management representatives is based on the bank’s impact assessment). For D-SIBs, this includes annual engagement with both the Board (which is made up entirely of external representatives) and senior management. Specifically, the Banking Department (together with risk specialists) meet quarterly with the CFO, CRO or their representatives) to discuss the quarterly financial statement and state and trend in material risk categories. Issues addressed are among many things financial results, strategy, operational trends, major operational events, credit risk, valuation of financial assets and asset quality etc. Further, as part of the SREP process a planned meeting is held for all material risk categories within the ICAAP/ILAAP where results of this assessment are presented. High level and middle management attend these meetings from the banks as well as relevant specialists for each risk category. Often more than one meeting is held for each risk. A special meeting is held for BMA where assumptions and presumptions are discussed as well as it helps assess macroeconomic assumptions used for forecasted business plan for 3-5 years. Before final results of the SREP risk assessment are presented to the financial undertaking/bank a draft is delivered and a meeting for that draft is held in case there are misunderstandings or misrepresentation of facts etc. in FME’s SREP results or capital requirements. Finally, after the formal opposition proceedings, findings of the SREP process are presented in letter to the board as well as a meeting is held with the board and senior management where relevant issues are addressed as well as the findings of the risk assessment and capital requirements. As indicated previously, this process is carried out for the D-SIBs only. The Banking Department occasionally contacts the banks’ Boards and Audit Committees on an ad hoc basis, as needed. However, CBI/FSA is in frequent formal and informal communications with the banks’ directors and senior and middle management in connection with various on-site and off-site inspections, requests, and applications, etc. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor communicates to the bank the findings of its on- and off-site supervisory analyses in a timely manner by means of written reports or through discussions or meetings with the bank’s management. The supervisor meets with the bank’s senior management and the Board to discuss the results of supervisory examinations and the external audits, as appropriate. The supervisor also meets separately with the bank’s independent Board members, as necessary. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
The findings of the SREP process are communicated to the banks first informally (via meetings), then draft findings are presented to the bank for in a report for formal opposition proceedings and then final letters are issued to the banks. If results in the SREP contain an assessment of Pillar 2 risks, this letter is posted on CBI/FSA’s website according to the transparency notices (Act No. 87/1998). With respect to on-site inspections, draft reports are provided to the banks prior to the exist meeting, this report also subject to formal opposition proceedings, with a final report issued a usually a couple of weeks after this exit meeting. The Banking Department then issues a formal letter with all requirements and recommendations as a result of the on-site examination which is sent to the bank. In this letter, the timeframe for finishing all amendments is defined and it is the Banking Department supervisors who are tasked with the follow up to ensure that relevant amendments are implemented by the bank. The findings of any particular off-site inspection are communicated to the banks on various case specific issues and based on the inspection’s level of formality, depending on the severity of the issue /issues at hand. In a formal off-site inspection, the findings are communicated through a formal report following the similar procedure as on-site inspection and delivered with a formal letter and communication process. In a less formal inspection, findings can be communicated to the bank by letter, at a meeting, through email or in a phone conversation. All findings are accounted for in the SREP risk assessment process. If findings are severe and need boards involvement necessary measures are taken, including valuating if the matter calls for revaluation of SREP risk assessment. Results of on-site inspections sent to the senior management of the bank and the final decision letters are sent to the BOD. Assessors note that the on-site inspection reports should also be provided to the BOD to ensure awareness of the detail of CBI/FSA’s findings. Furthermore, assessors noted the substantial time lag (up to 8 months) between the results of the inspection reports being handed over to senior management of the bank and the final letter on the results of the on-site inspection issued to the BOD. CBI/FSA should re-assess its timeliness of communication with the BOD with regards to the on-site inspection formal letters as the time lag between when the on-site inspection report is issued and the formal supervisory letter is issued, could cause confusion with the bank’s BOD/senior management as to what deficiencies are still outstanding, etc. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The supervisor undertakes appropriate and timely follow-up to check that banks have addressed supervisory concerns or implemented requirements communicated to them. This includes early escalation to the appropriate level of the supervisory authority and to the bank’s Board if action points are not addressed in an adequate or timely manner. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
CBI/FSA’s SREP framework entails continuous communication with the D-SIB (less so for savings banks), KRI and risk assessment monitoring. CBI/FSA’s Vaki internal reporting systems tracks all outstanding requirements and recommendations as well as findings that require further investigation or follow-up where specific timelines/deadlines for action is tracked. This electronic system will send automatic notifications to the Banking supervisor for follow-up, this helps ensure nothing is left unattended in the follow-up process. Urgent matters regarding for example a bank becoming aware of a breach of a capital or liquidity requirement prior to CBI/FSA, are required to report such issues immediately. CBI/FSA then determines how such issues are handled according to its severity and urgency. KRI and regular quarterly risk assessment monitoring also ensures issues are follow-up on a timely basis. If the matters under consideration are deemed material, CBI/FSA will re-consider the risk score of the SREP assessment. CBI senior management are notified as well as approve any actions or update to the SREP assessment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC10 |
The supervisor requires banks to notify it in advance of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including breach of legal or prudential requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC10 |
Article 9(2) of Act No. 87/1998 states that the FSA shall be notified in advance, as applicable, of any changes in previously submitted information, including information concerning the board of directors or managing directors, any increase or decrease in the number of branches, and when a financial undertaking no longer meets the conditions for the issue of an operating license. CBI/FSA receives notifications regarding various changes in the banks’ activities, structure, and conditions. For example, the banks frequently inform CBI/FSA in due time of major changes or foreseeable breaches of laws, rules, or regulations. The notifications are usually informal at first and subsequently require a meeting with the banks or that the banks write a formal letter to CBI/FSA. Notification of some changes is done through regular reporting. Last, banks are required to provide notification to CBI/FSA of any structural changes as per Article21 (2) and Article22 of Act No. 161/2002. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC11 |
The supervisor may make use of independent third parties, such as auditors, provided there is a clear and detailed mandate for the work. However, the supervisor cannot outsource its prudential responsibilities to third parties. When using third parties, the supervisor assesses whether the output can be relied upon to the degree intended and takes into consideration the biases that may influence third parties. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC11 |
Article9(2) of Act No. 161/2002 states that the FSA may appoint an expert to investigate certain aspects of the activities or operations of a regulated entity, or to undertake other specific supervision of such an entity. CBI/FSA performs its supervision to large extent with its own staff. Occasionally CBI/FSA hires an independent third party to assist its employees with specific tasks such as an onsite inspection. CBI/FSA in this case would assess its degree of reliance on such work with third parties. CBI/FSA seeks to assess the ability of the third party to perform the task in question professionally and subjectively considering relations and potential interests. Third parties sign statements in this regard and agreement are made for their mandate. Various internal checklists are outlined in CBI/FSA internal requirements and include:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC12 |
The supervisor has an adequate information system which facilitates the processing, monitoring and analysis of prudential information. The system aids the identification of areas requiring follow-up action. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC12 |
In recent years CBI/FSA has increased its ability to store, process, monitor and analyze information automatically by developing its IT systems and its business intelligence capabilities. Streamlining information gathering across the post-merger of CBI/FSA in order to ease the burden of reporting with the common reporting framework (EU) is in progress. Further, much work is being undertaken to implement solutions for supervisors to access and analyze relevant data (e.g., newly developed Power BI tool) as well as implementing solutions for supervisors to access and analyze relevant data. Older outdated solutions are in the process of being outed like Targit and InfoPath reports. In addition, the data warehouse stores sources of information that is accessible to relevant employees through various tools and analysis, like PBI, Vaki and K-helix. Analysis of the prudential data in COREP, FINREP, PLA and the credit registry reports are an important part of the supervision and build the foundation for KRI monitoring along with the EBA risk reporting framework. CBI/FSA has implemented its KRI system wherein many indicators with defined limits indicate warning signals that supervisors must take into account in their regular monitoring and risk assessment reporting. Although Vaki is designed to store and structure the risk-based supervision, risk assessment and supervisory information as well as document KRI breeches, it is still somewhat under development due to technical issues. Results of SREP reports, including the conclusion of SREP and letters sent as a result of an on-site inspection are documented and tracked in Vaki (see ECX for more detail). Furthermore, risk assessment, with recommendations for on- or off-site inspections or other supervisory measures, is stored in Vaki and used in supervisory planning process as well. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Additional Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
AC1 |
The supervisor has a framework for periodic independent review, for example by an internal audit function or third party assessor of the adequacy and effectiveness of the range of its available supervisory tools and their use, and makes changes as appropriate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re AC1 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 9 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
CBI’s off-site supervision function undertakes the full SREP assessments, however the scope for the on-site program needs to encompass a broader scope of review work (not just thematic reviews focusing on specific risk areas of concern), covering not only material risks but deep assessments of corporate governance, including the quality of risk management and internal control functions, with a risk-based approach over a multi-year cycle. While on-site inspectors carry out their inspections on a timely basis (inspection reports are provided to management only), banks’ Board of Directors only receive “formal letters’, which include remedial/corrective actions that are being issued with at times delays as supervisors await the results of all three on-site inspections to be completed (to ensure consistency in findings) and legal sign off on letters. This current process is undermining the effectiveness of CBI’s communication which needs to be done on a timely basis. CBI’s internal standard on completion of reviews (e.g., the issuance of the formal letters to the Board within 4 weeks), should be adhered to. Further, CBI should implement a standard for the frequency of on-site inspections applicable for all banks, regardless of impact rating. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 10 |
Supervisory Reporting The supervisor collects, reviews and analyses prudential reports and statistical returns52 from banks on both a solo and a consolidated basis, and independently verifies these reports through either on-site examinations or use of external experts. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor has the power53 to require banks to submit information, on both a solo and a consolidated basis, on their financial condition, performance, and risks, on demand and at regular intervals. These reports provide information such as on- and off-balance sheet assets and liabilities, profit and loss, capital adequacy, liquidity, large exposures, risk concentrations (including by economic sector, geography and currency), asset quality, loan loss provisioning, related party transactions, interest rate risk, and market risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Article 32 of Act. No. 92/2019 and Article107 of Chapter XIII of Act No. 161/2002, provides CBI/FSA with the authority to require banks to submit all information that it deems necessary, on both a solo and consolidated basis. Article107 (2-6) states that: The FSA may demand any sort of documentation or information from subsidiaries or affiliates, or from other parties regarded as having close connections with a financial undertaking, which the FME regards as necessary in the course of its supervision of the financial undertaking concerned. The FSA may demand any sort of data or information from holding companies in the financial sector or mixed holding companies, provided the FME deems such information necessary for its supervision of financial undertakings that are subsidiaries of these holding companies. The FSA shall oversee dealings by a financial undertaking with its subsidiaries and affiliated companies, companies that control or have holdings in the financial undertaking, and other subsidiaries and affiliated companies of such companies. Furthermore, the FME shall keep track of dealings between a financial institution and individuals with holdings of 20 percent or more in the above-mentioned companies. Financial undertakings shall provide the FSA with a report on such dealings in accordance with its specific instruction. Where the dealings are made with enterprises or individuals in other states, cooperation between supervisory authorities shall be as provided for in international agreements to which Iceland is a party and cooperation agreements concluded by the FSA on their basis. The FSA may, at the request of supervisory authorities in another state, verify information from parties in Iceland subject to supplementary supervision of financial conglomerates. The supervisory authorities concerned may participate in efforts to verify such information. Should the FSA be of the opinion that activities covered by this Act are pursued without the required authorization, it may demand from the parties concerned or parties subject to supervision such data and information as are necessary to determine whether such is the case. It can demand that such activities be ceased immediately. In addition, it may make public the names of parties regarded as offering services without the required authorization. Article 9 of Act No. 87/1998 states the FSA shall inspect the operations of regulated entities as often as deemed necessary. These entities are required to grant the FSA access to all their accounts, minutes, documents, and other material in their possession regarding their activities which the FSA considers necessary. CBI/FSA has adopted and implemented EBA reporting framework and validation rules. Lists for regular reporting to CBI/FME is publicly available for each sector54 covering both EBA reports and CBI/FSA reports. Example of various amendments requirement for rereporting based on data validation rules have been numerous in recent years. CBI receives the following standardized reports according to CBI’s data reporting process, that includes solo (parent bank), consolidated (group) as well as on and off-balance sheet information and include: Monthly: (either from parent companies and/or subsidiaries)
Quarterly:
Semi-annually:
Annually:
In addition to the above referenced reports, additional information is routinely collected and verified as part of on-site and off-site inspection and as well as ad-hoc inquiries. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor provides reporting instructions that clearly describe the accounting standards to be used in preparing supervisory reports. Such standards are based on accounting principles and rules that are widely accepted internationally. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Article 88 of Act No. 161/2002 states that the annual accounts must give a clear picture of the financial position and operating performance of the financial undertaking. They must be compiled in accordance with law, rules, and good accounting practices, and include, for instance, a profit and loss account, a balance sheet, explanatory notes, and information on off-balance-sheet items. The D-SIBs have implemented the IFRS accounting standards as stipulated by Chapter VIII of Act. No. 3/2006 on Annual Accounts. Rules No. 834/2003 on the Financial Statements of Credit Institutions apply to the smaller savings banks as they have not implemented the IFRS standards. CBI is of the view that it would be too onerous to have the smaller savings banks adhere to the IFRS standards - opting for the continued use of Rules No. 834/2003. The FSA has issued the following Rules relating to annual accounts of financial undertakings which provide clear reporting instructions to banks:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor requires banks to have sound governance structures and control processes for methodologies that produce valuations. The measurement of fair values maximizes the use of relevant and reliable inputs and is consistently applied for risk management and reporting purposes. The valuation framework and control procedures are subject to adequate independent validation and verification, either internally or by an external expert. The supervisor assesses whether the valuation used for regulatory purposes is reliable and prudent. Where the supervisor determines that valuations are not sufficiently prudent, the supervisor requires the bank to make adjustments to its reporting for capital adequacy or regulatory reporting purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
FSA has issued methodology and benchmarks for assessing risk systematically in the SREP process. These benchmarks are reviewed regularly. The supervisor assesses whether the valuation used for regulatory purposes is reliable and prudent. IFRS 9 standards are required in accordance with Chapter VIII of Act No. 3/2006. The requirements set out in the Chapter are consistent with the EU Accounts Directive. Smaller banks that have not implemented the standards must prepare their accounts in accordance with Chapter VII (valuation rules) of Rules No. 834/2003. All banks are required to have audited financial statements utilizing appropriate valuation methodologies and practices. Financial undertakings are required to have their financial statements audited by certified auditors. Part of the audit and the discussion with the auditor of supervised entities involves discussing value of financial assets and valuation methods. The supervisor may disagree with the financial undertaking on what constitutes a prudent valuation and may require banks to either write down (impair) assets or increase the own funds requirement. CBI/FSA legislation, rules or guidelines (including EBA guidelines) do not specifically require that bank’s valuation framework and control procedures be subject to adequate independent validation and verification, either internally or by an external expert. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor collects and analyses information from banks at a frequency commensurate with the nature of the information requested, and the risk profile and systemic importance of the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
CBI/FSA collects and analyses data from banks in accordance with the impact assessment of the banks based on its SREP Methodology. Please see EC1 for detail on the type and frequency of reporting to CBI/FSA by banks. D-SIBs are required to file FINREP prudential reporting which provides more in-depth data and at a greater frequency than the COREP reporting applicable to savings banks with less frequency and data points. CBI collects information regarding KRIs, as well as for the regular monitoring to undertake its risk assessment of banks according to supervisory handbook of FME (CCQ). Post-merger, CBI/FSA is working towards the streamlining of information gathering, the data warehouse and the way information is accessible to supervisors. Still all reported data is available and accessible through legacy systems and PowerBI software. FME has adopted the EBA data model framework and collects EBA material reports. Risk indicators of the EBA risk framework have been in use and FME uses KRI approach in its regular monitoring and risk assessment. The risk management procedure (see CP 8 and 9) of the FME and of CBI ensure that information is collected, analyzed, and reviewed according to risk-based supervision. Analysis is conducted at intervals corresponding with reporting frequency and calibrated to the significance of data collected for risk analysis (e.g., liquidity reports are collected and analyzed monthly, whereas less important data may be collected and analyzed with lower frequency). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
In order to make meaningful comparisons between banks and banking groups, the supervisor collects data from all banks and all relevant entities covered by consolidated supervision on a comparable basis and related to the same dates (stock data) and periods (flow data). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
As described in EC 1 and 2, reports and data are collected by the FSA from all credit institutions are on a comparable basis and related to the same dates and periods as appropriate. Risk assessment, KRI-approach and regular monitoring include cross comparison and tends between reporting periods. FINREP and COREP data collection is put through various validation exercises (in accordance with EU requirements), and therefore CBI/FSA is able to draw meaningful comparisons between banks. Data is collected from all relevant entities covered by consolidated supervision; however, the legal structure of the D-SIBs is very straight forward with no cross border operations, without any issues regarding whether dates and periods are questionable. Another way to compare data from banks is to use EBA published data like the quarterly risk dashboard and annual transparency exercises information where banks, countries etc. can be compared. Now that the EBA has expanded its data collection under EUCLID to include all credit institutions in the EC/EEA a larger set of data for comparable institutions is expected to become available. Also, CBI has access to S&P Global Market Intelligence data and can, when necessary, compare various data to set of banks and companies around the world. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor has the power to request and receive any relevant information from banks, as well as any entities in the wider group, irrespective of their activities, where the supervisor believes that it is material to the condition of the bank or banking group, or to the assessment of the risks of the bank or banking group or is needed to support resolution planning. This includes internal management information. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
CBI/FME has the power to request and receive any relevant information from banks or any related party where it is believed to be material for the supervision or to the financial position of the bank as per Article9 (3) of Act No. 87/1998 states that both individuals and legal entities are required to: In connection with its supervision and investigations under the provisions of special legislation, natural and legal persons are required to supply the Financial Supervisory Authority with any information and material the Authority considers necessary. In this context it is of no relevance whether the information concerns the party to which the request is directed or transactions with other parties on which the party is able to supply information which concerns the investigation and supervision of the FSA. Provisions of law concerning confidentiality do not restrict the obligation to provide information and access to data. This shall not apply to information obtained by legal professionals in the course of ascertaining the legal position of their client, including advice on instituting or avoiding judicial proceedings, or information obtained before, during or after the conclusion of judicial proceedings if the information is directly related to such proceedings. Please see EC1 for more detail. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor has the power to access55 all bank records for the furtherance of supervisory work. The supervisor also has similar access to the bank’s Board, management and staff, when required. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Article 9(1) of Act 87/1998 and Article107 of Act No. 161/2002 states that CBI/FSA has the power to have full access to information regarding its supervisory work (see EC1 for more detail). Article 9 of Act No. 87/1998 states the FSA shall inspect the operations of regulated entities as often as deemed necessary. These entities are required to grant the FSA access to all their accounts, minutes, documents, and other material in their possession regarding their activities which the FSA considers necessary. As part of risk-based supervision regular interviews are conducted with board and high-level management and can be conducted on ad-hoc basis as well. Onsite inspections are also conducted where all bank data and information are made available on basis of forementioned legal requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor has a means of enforcing compliance with the requirement that the information be submitted on a timely and accurate basis. The supervisor determines-the appropriate level of the bank’s senior management is responsible for the accuracy of supervisory returns, imposes sanctions for misreporting and persistent errors, and requires that inaccurate information be amended. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
Article11 (Penalties and daily fines) of Act No. 87/1998 states that the FME has the power to impose penalties if the regulated entity fails to provide the requested information or fails to heed requests for rectifications within a reasonable time limit. Further, Article112(b)(2) of Act No. 161/2002 states that deliberate misreporting to an official is a criminal offence punishable by up to 2 years imprisonment. Last, CBI has comprehensive legal powers that can be applied to gather data or information as well as enforcement aid as per Chapters IX and XI of Act No. 92/2019. The FME imposes penalties in the form of ’per diem’ fines if banks fail to provide the requested information within a set time limit. The FME also follows up to ensure that inaccurate information is amended in a timely manner. FME has imposed such penalties in practice (as described above) as well as for bank’s misreporting or for persistent errors. The authorized official of the bank must sign all supervisory returns. Also, automated reminder notices via e-mail of upcoming reporting due dates are delivered 5-7 days to the bank before the due date by FSA’s reporting system. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The supervisor utilizes policies and procedures to determine the validity and integrity of supervisory information. This includes a programme for the periodic verification of supervisory returns by means either of the supervisor’s own staff or of external experts.56 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
CBI/FSA applies professional skepticism in its risk-based supervision on qualitative and quantitative information. KRI-review is used in addition to delta analysis of reported data, followed by off-site communications when needed. The verification is supplemented by on-site visits. Comparison of financial reporting is also compared to risk reporting like FINREP. The FSA has defined, implemented, and issued a high-level process for data reporting to ensure consistency in the FSA approach to determining the validity and integrity of supervisory information. A process and procedure for Data Quality Assurance (DQA) rules have been implemented in the FSA Management-IT systems which result in defective data submissions being either rejected or flagged for follow-up. As part of this framework FSA has adopted the EBA Data Model and its validation framework and validation rules are applied for data integrity and reporting in other FSA’ reports like Credit registry. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC10 |
The supervisor clearly defines and documents the roles and responsibilities of external experts,57 including the scope of the work, when they are appointed to conduct supervisory tasks. The supervisor assesses the suitability of experts for the designated task(s) and the quality of the work and takes into consideration conflicts of interest that could influence the output/recommendations by external experts. External experts may be utilized for routine validation or to examine specific aspects of banks’ operations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC10 |
Article9(2) of Act No. 87/1998 states that: The FSA may appoint a specialist for inspecting certain aspects of the operations or management of a party subject to supervision, or to undertake specific supervision of such a party. The specialist shall be appointed for a specific period, but no longer than four weeks at a time. The specialist is entitled to working facilities on the premises of the party subject to supervision, and shall be given access to all requested accounts, minutes, documents, and other material in their possession. The specialist is entitled to attend meetings of the board of the party subject to supervision as an observer with the right of speech. His obligation to observe secrecy shall be in accordance with Chapter IV of this Act. The party subject to supervision shall carry the expense of the specialist’s work, in part or whole, as estimated by the FSA. The FSA defines and documents the roles and responsibilities of external experts, including the scope of the work, and monitors the quality of the work. Procedure thereabout is available to FSA if needed. Further Article94 of Act No. 161/2002 states that the FSA may carry out special audits and engage a State Authorized Public Accountant for this purpose. Please see CP9 EC11 for more detail. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC11 |
The supervisor requires that external experts bring to its attention promptly any material shortcomings identified during the course of any work undertaken by them for supervisory purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC11 |
When an external expert is appointed by the FSA according to Article9 of Act No. 87/1998 indicates that a contract is signed that requires the expert in question to inform the FSA about any material shortcomings identified regarding the operation of parties subject to supervision. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC12 |
The supervisor has a process in place to periodically review the information collected to determine that it satisfies a supervisory need. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC12 |
CBI/FSA has defined a high-level process for the review of all data reporting to ensure that supervisory data needs are being met. The process includes the performance of an annual assessment as part of the planning process when determining the banks’ mandatory reporting requirements and submission schedule for the following year. CBI/FSA has a process for assessing and reviewing incoming data and this process is being adapted for the overall merged CBI. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 10 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
CBI’s IT infrastructure, supervisory data collection and interfaces built or being built for supervisors is very dynamic. CBI collects data from a variety of sources (FINREP, COREP and goes beyond the EU framework LPA, credit registry data, ad hoc data requests etc.). Further, the interfaces in the process of being built or are built (Power BI,Vaki) enable supervisors to effectively work with key data points, produce graphs and analysis to support the SREP and risk assessment processes. Further, CBI utilizes data verification methodology in line with EU expectations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 11 |
Corrective and Sanctioning Powers of Supervisors The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the banking license or to recommend its revocation. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor raises supervisory concerns with the bank’s management or, where appropriate, the bank’s Board, at an early stage, and requires that these concerns be addressed in a timely manner. Where the supervisor requires the bank to take significant corrective actions, these are addressed in a written document to the bank’s Board. The supervisor requires the bank to submit regular written progress reports and checks that corrective actions are completed satisfactorily. The supervisor follows through conclusively and in a timely manner on matters that are identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Article10 of Act No. 87/1998 states that if a bank does not comply with laws or regulations, CBI must order that the situation be rectified within a reasonable time limit. CBI must opine on any aspect of the situation or operation of a regulated entity that it considers unsound and inconsistent with proper business practices in other respects. Should that situation arise, CBI may call a meeting of the board of directors to discuss its comments and demands, and ways to rectify the situation. A representative of CBI may chair the meeting and have the right to speak and make proposals. If on-site and/or off-site inspections reveal that a bank does not comply with laws and regulations, the bank is required to make corrections/take corrective actions within a defined time limit communicated in writing. Following on-site inspections CBI requires the IA of the bank to assess whether corrective actions have been met. CBI also assesses whether corrective action have been completed in a satisfactorily manner. The findings of CBI are always in written form, addressed to the bank’s BOD or its CEO, as per Article108 of Act No. 161/2002 states that the FSA shall justify its decisions in writing regarding the application of supervisory powers or penalties pursuant to this Act. For example, assessors noted that in certain cases where material findings from such a review result in the inspection report being provided to the CEO instead of the BOD. CBI/FSA should ensure that all inspections reports are provided to bank BODs/Audit Committee and not just the CEO. (noted in CP9) In addition, assessors noted that CBI/FSA tend to make use of an assessment of additional capital rather than make use of the other intervention tools/measures outlined in Article107(a) of Act No. 161/2002. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor has available58 an appropriate range of supervisory tools for use when, in the supervisor’s judgment, a bank is not complying with laws, regulations or supervisory actions, is engaged in unsafe or unsound practices or in activities that could pose risks to the bank or the banking system, or when the interests of depositors are otherwise threatened. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Article107(a) and (c) of Act No. 161/2002 provides CBI/FSA with a range of appropriate options for intervention when a bank is not complying with laws, regulations, rules or guidelines. Article107(a) is used for less severe situations. If the credit institution does not fulfill legal and regulatory requirements of if CBI is of the opinion that, within the next 12 months, it is likely that a credit institution will not be in a position to fulfil legal or regulatory requirements, CBI can impose certain measures upon the credit institution, the choice of which is appropriate given the gravity of the situation (Article 107 A (3)) Article107 (c) is used when the financial situation has further deteriorated: When the credit institution violates the Act (161/2002), or its regulations, or increasingly serious financial situation (including worse liquidity position, increased leverage or increased defaults) makes it more likely that it will violate the Act or its regulations (cf. 107 9(c)(1)) as well as subject to per diem fines pursuant to Article 11 of Act 87/1998.. See EC4 for a full description of tools. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor has the power to act where a bank falls below established regulatory threshold requirements, including prescribed regulatory ratios or measurements. The supervisor also has the power to intervene at an early stage to require a bank to take action to prevent it from reaching its regulatory threshold requirements. The supervisor has a range of options to address such scenarios. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI/FSA has the power to intervene at an early stage to require banks to address issues. Specifically, Article107(a) and (b) of Act 161/2002 outlines the ability of CBI to require banks to hold additional capital well before the breach of regulatory ratios and states that: The FSA shall notify financial undertakings of the guidance on additional own funds it deems desirable, in particular on the basis of a stress test as provided for in the seventh paragraph of Article 80, in excess of its obligations under this Act and the requirements of the FSA laid down in Art.107(a) to cover risks that the obligation does not cover sufficiently. CBI has a range of options to address scenarios described in EC2 and EC3 - please find description of supervisory measures and tools in EC4. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor has available a broad range of possible measures to address, at an early stage, such scenarios as described in essential criterion 2 above. These measures include the ability to require a bank to take timely corrective action or to impose sanctions expeditiously. In practice, the range of measures is applied in accordance with the gravity of a situation. The supervisor provides clear prudential objectives or sets out the actions to be taken, which may include restricting the current activities of the bank, imposing more stringent prudential limits and requirements, withholding approval of new activities or acquisitions, restricting or suspending payments to shareholders or share repurchases, restricting asset transfers, barring individuals from the banking sector, replacing or restricting the powers of managers, Board members or controlling owners, facilitating a takeover by or merger with a healthier institution, providing for the interim management of the bank, and revoking or recommending the revocation of the banking license. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
CBI/FSA has an appropriate range of supervisory measures to address, at an early stage, when a bank is not complying with laws, regulations, rules and/or guidelines. Article107(a) of Act 161/2002 outlining supervisory powers states that the FSA shall demand that a financial undertaking take the necessary corrective measures in a timely manner if the undertaking does not comply with the provisions of this Act, as well as the regulations and rules adopted by virtue of it. If, on the basis of data or information in its possession, the FSA considers it likely that a financial undertaking will not be able to comply with the provisions of this Act within the next 12 months, as well as the regulations and rules deriving from it, the FSA shall require the financial undertaking to take the necessary corrective measures in a timely manner. Corrective measures may include, among other things, the application of powers pursuant to this Article or other provisions of the law that are necessary to respond to the situation of the relevant financial undertaking. To enforce the requirements and follow up on the evaluation as provided for in Article 80 and the fourth and fifth paragraphs of Article 81, third paragraph of Art.109(ff) and Regulation (EU) no. 575/2013, the FSA is authorized to prescribe: 1. higher own funds requirements than those laid down in Regulation (EU) no. 575/2013 2. improvements to internal processes, cf. Chapter IX, 3. that a financial undertaking present a special plan on how the undertaking will fulfil the requirements of this Act as well as the regulations and rules deriving from it, and set deadlines for financial undertakings regarding the implementation of the plan, including due to delays or improvements made to the plan. 4. write-down of assets in the calculation of own funds. 5. limiting or restricting a financial institution’s activities or, as applicable, sale or assets or business units that create excessive risk. 6. reduction of the risks entailed by the undertaking’s activities, products or system, including due to outsourced activities. 7. that financial undertakings limit bonuses to a percentage of net profits when payouts lead to insufficient own funds. 8. that financial undertakings use net profits to strengthen its own funds. 9. that dividend and interest payments to shareholders, guarantee capital owners and owners of additional Tier 1 instruments shall be limited or prohibited, provided this does not cause the financial undertaking to default. 10. Imposing specific liquidity requirements, including due to maturity mismatches between a financial undertaking’s assets and liabilities. 11. More frequent reporting requirements. 12. Additional disclosure to the market. Article107(c) of Act No. 161/2002, which outlines early interventions by the FSA states that the FSA can apply early interventions against a credit institution or investment firm with guarantee capital if: a. the undertaking violates the provisions of this Act or government directives based on them and regulations established on their basis, including Regulation (EU) no. 575/2013 or b. it is likely that, due to a deteriorating financial situation, including a deteriorating liquidity position, increased hedging, increased defaults by borrowers or a concentration of exposures, that the undertaking will violate the Act or government directives as provided for in point (a). If the circumstances referred to in points (a) or (b) exist, the FSA can implement or demand that a credit institution or investment firm take at least one or more of the following actions: 1. Take measures prescribed in the recovery plan or update the recovery plan and carry out actions according to the updated plan. 2. Submit an action plan with a timeframe to the Financial Supervisory Authority. 3. Call a shareholders’ meeting or guarantee capital owners meeting. If that requirement is not complied with, the Financial Supervisory Authority can call a shareholders’ meeting or guarantee capital owners meeting. In both cases, the Financial Supervisory Authority determines the agenda of the meeting and can demand that certain issues be discussed and decided upon. 4. Dismiss one or more board members and/or managing director, if they do not meet the requirements as provided for in Article 52 (eligibility requirements), Article 52(a) (conflict of interest), Article 54 [also covered in Article107(c)] (violating the conditions of early intervention measures). Note that Article 110 (b) and 112 (f) provide the power to ban an individual from working at a bank or serving on a bank Board. 5. Submit to the Financial Supervisory Authority a plan for negotiations on debt restructuring with creditors. 6. Change the undertaking’s business strategy. 7. Restructure the undertaking. Further, Article 107 (c) provides for the ability to put in place interim management. Last, conditions precedent for the CBI to revoke a banking license are set out in Article 9. CBI/FSA has formed a working group to put in place a formal “escalation” procedure when a problem or issue arises. This procedure, when finalized, is expected to also cover all procedural mechanisms to deal with a crisis situation for a problem bank. This document is expected to be finalized in the coming months. Although certain procedures are covered in the CCQ Supervisory Handbook, assessors have indicated that this escalation of procedures to deal with problem banks should be finalized quickly to ensure that CBI/FSA staff know and understand the procedures and supervisory measures/tools that need to be undertaken quickly in a crisis situation. Assessors were informed regarding the use of supervisory measures in 2015 for a savings bank wherein various legislative tools were utilized. This is the only case available for assessors review since the crisis of Icelandic bank failures in 2009. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor applies sanctions not only to the bank but, when and if necessary, also to management and/or the Board, or individuals therein. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Administrative sanctions in the form of penalty payments can and has been issued against both individuals and legal entities. CBI/FSA has the power to remove a credit institution’s CEO or one or more of its board members if it is of the opinion that the credit institution has seriously violated against laws or administrative rules or if there has been a case of serious mismanagement, cf. Article107(d) of Act No. 161/2002. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor has the power to take corrective actions, including ring-fencing of the bank from the actions of parent companies, subsidiaries, parallel-owned banking structures and other related entities in matters that could impair the safety and soundness of the bank or the banking system. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Article10(a) of Act 161/2002 states that CBI/FSA has the power to restrict activities of a bank. CBI/FSA is further empowered to set conditions for the continued operations of individual operating units. CBI/FSA would utilize these powers to take corrective actions to limit of restrict actions between parents and other entitles within the groups when/if necessary (e.g., restrict the payment of management fees or dividends, payment of service fees, etc.). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor cooperates and collaborates with relevant authorities in deciding when and how to effect the orderly resolution of a problem bank situation (which could include closure, or assisting in restructuring, or merger with a stronger institution). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Recovery plans are assessed on a yearly basis. Recovery plans are suited to list appropriate measures for recovery based on strategic analysis of core business lines and critical functions. The assessment reviews these proposed measures in connection to the strategic analysis scenario analysis is conducted in the recovery plan. Recovery plans of systematically important credit institutions have been assessed by FME since 2017-2018 and discussed in detail with each institution. Further, in accordance with the Article4, Paragraph 2, of the Act on Resolution of Credit Institutions and Investment Firms, No. 70/2020 (Act No.70/2020 or the Resolution Act) and Rule No. 1733/2021, it is the decision of the FMEN if an institution is deemed to be failing or likely to fail (i.e., those that are unable to service their liabilities or are highly likely to be unable to do so) together with the Governor of CBI who takes the final decision on the resolution process itself. Resolution plans have been put in place by the Resolution Authority to cover the execution of bank resolution in the event that their financial position deteriorates to the point that they are deemed failing or likely to fail. Should a D-SIB fail, the resolution plan assumes that it will be possible to resolve it quickly and securely, and without funding from the Treasury or CBI. Resolution is intended to ensure that households and businesses continue to have unrestricted access to critical functions, thereby supporting financial stability in Iceland. CBI is empowered to pass necessary information on to other financial supervisors within the EEA as per Arts 109(u), 109 (v), 109(w), 109(x) and 10 (aa) of Act 161/2002. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Additional criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
AC1 |
Laws or regulations guard against the supervisor unduly delaying appropriate corrective actions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re AC1 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
AC2 |
When taking formal corrective action in relation to a bank, the supervisor informs the supervisor of non-bank related financial entities of its actions and, where appropriate, coordinates its actions with them. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re AC2 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 11 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
CBI/FSA has an appropriate range of supervisory measures to address, at an early stage, when a bank is not complying with laws, regulations, rules and/or guidelines. Assessors did note CBI/FSA’s tendency to make use of an assessment of additional capital (P2R) rather than make use of the other intervention tools/measures outlined in Article107(a) of Act No. 161/2002. CBI/FSA has established a working committee to develop and implement internal escalation procedures which help CBI to effectively operationalize such a plan when needed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 12 |
Consolidated Supervision An essential element of banking supervision is that the supervisor supervises the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide.59 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor understands the overall structure of the banking group and is familiar with all the material activities (including non-banking activities) conducted by entities in the wider group, both domestic and cross-border. The supervisor understands and assesses how group-wide risks are managed and takes action when risks arising from the banking group and other entities in the wider group, in particular contagion and reputation risks, may jeopardize the safety and soundness of the bank and the banking system. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
A legal framework is established to enable CBI to implement consolidated supervision of banking groups. Main legal provisions are laid out in Act No. 161/2002, notably Chapter XIII Section B articles 109 to 109(t) on supervision on a consolidated basis, covering a wide range of relevant issues, from consolidated prudential requirements to the conduct of consolidated supervision, including consolidated regulatory reporting, cooperation among authorities on cross-border banking groups, conditions for group financial support. In addition, CBI is empowered to address banking groups fragilities at consolidated level, by article 107(g) on early intervention on a consolidated basis. Among other legal provisions relevant to consolidated banking supervision included in Act No. 161/2002 are the following:
Act No. 61/2017 on supplementary supervision of financial conglomerates implemented EU directive No. 2002/87/EC (FICOD), as amended by EU directive No. 2011/89/EU, in Iceland . This Act provides CBI with additional responsibilities and tools to supervise financial conglomerates. While specific banking and insurance regulations are already applicable to the banking activities of financial conglomerates, this Act requires CBI to apply supplementary supervision to financial groups in order to reduce the risks inherent in their activities, and CBI is provided with powers to oversee the conglomerates’ parent entities, such as holding companies. There is only one financial conglomerate in Iceland, with no major bank involved. Supervision of banking groups is conducted both on a consolidated basis and on a standalone basis. CBI maintains oversight on the overall structure of a bank, both through prudential reporting checklists, and the bank’s consolidated financial statements and reports. Regulatory prudential reporting encompasses both the stand-alone and consolidated levels. CBI supervisors review prudential reporting and financial statements of banking groups on a quarterly basis and file their findings and concerns in checklists. SREP is implemented for banking groups on a consolidated basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor imposes prudential standards and collects and analyses financial and other information on a consolidated basis for the banking group, covering areas such as capital adequacy, liquidity, large exposures, exposures to related parties, lending limits and group structure. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Act No. 161/2002 lays down rules on prudential requirements applicable to banking groups on a consolidated basis. Chapter X sets prudential regulations of capital buffers. Rules on consolidated supervision of capital adequacy and liquidity are mainly found in EU CRR and CBI Rules No. 1520/2022 on liquidity requirements for banks which implements the EU liquidity regulation. Chapter XIII of Act No. 161/2002 has enacted provisions on measures to be taken if own funds are insufficient. In addition, Chapter XI states rules regarding annual accounts, auditing, and consolidated accounts. CBI also refers to EU CRR, Part 4, articles 387 to 403, on rules regarding large exposures. Consolidated capital requirements are defined in article 83(d): “Capital buffers for systemically important financial undertakings globally shall be maintained on a consolidated basis. CBI of Iceland may stipulate by regulations that other capital buffers be maintained on a consolidated, sub-consolidated or entity basis, as appropriate.” Article 109 is extending the scope of legal requirements to banking groups as a principle: “The provisions of Chapters VII, IX and IX A shall apply to groups where the parent company is a financial undertaking, mixed financial holding company or financial holding company. The parent company shall be responsible for implementation of this provision within the group.” CBI has legal power to impose prudential standards at the stand-alone and consolidated levels regarding capital adequacy, large exposures, exposures to related parties, lending limits, group structure, and liquidity. Consolidated supervision powers are enforced in prudential regulations by Act 161/2002, Article 109 (l), as well as in supervisory processes, such as regulatory reporting templates on a consolidated basis. Moreover, CBI imposes more stringent standards well above the minimum requirements, based on its own assessment, if needed. CBI has also issued the following rules on liquidity and funding: Rules No. 266/2017 on credit institutions’ liquidity ratios, and Rules No. 750/2021 on credit institutions’ minimum net stable funding ratios. CBI reviews reports from banks and their financial statements on a consolidated basis, and takes appropriate action, when necessary. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor reviews whether the oversight of a bank’s foreign operations by management (of the parent bank or head office and, where relevant, the holding company) is adequate having regard to their risk profile and systemic importance and there is no hindrance in host countries for the parent bank to have access to all the material information from their foreign branches and subsidiaries. The supervisor also determines that banks’ policies and processes require the local management of any crossborder operations to have the necessary expertise to manage those operations in a safe and sound manner, and in compliance with supervisory and regulatory requirements. The home supervisor takes into account the effectiveness of supervision conducted in the host countries in which its banks have material operations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Cross-border activities of banks and banking groups are regulated by Act No. 161/2002, notably Chapter V, supplemented by Chapter XIII Section B that includes many detailed articles (from 109 to 109(hh)) regarding consolidated supervision. CBI may demand any sort of documentation or information from subsidiaries or affiliates or from other parties regarded as having close connections with a regulated bank, which CBI regards as necessary for consolidated supervision. Regular supervision is conducted on a consolidated basis, including foreign operations. CBI implements oversight of the overall structure of a bank, based on banks’ prudential reporting, consolidated financial statements, and reports. The prudential reporting is structured on a consolidated as well as on a stand-alone basis. Management of group operations can be evaluated during on-site inspections. The SREP is conducted on a consolidated basis, resulting in evaluating the risk profile of each banking group, and key risks are rated. Part of the SREP focuses on corporate governance and risk management, covering both domestic and international activities. Icelandic systemically important banks have developed very few operations in foreign countries since the 2008-10 great financial crisis. One commercial bank has very recently developed its network abroad, with the acquisition of a UK subsidiary, which operations are still not material. CBI considers the effectiveness of supervision conducted in host countries in which banks have material operations. Should operations in foreign countries become material, CBI would step up supervisory work accordingly. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The home supervisor visits the foreign offices periodically, the location and frequency being determined by the risk profile and systemic importance of the foreign operation. The supervisor meets the host supervisors during these visits. The supervisor has a policy for assessing whether it needs to conduct on-site examinations of a bank’s foreign operations, or require additional reporting, and has the power and resources to take those steps as and when appropriate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
As a general principle, CBI has legal power for implementing supervision of foreign branches and subsidiaries of a banking group regulated in Iceland, according to Act No. 161/2002, article 107. In reality, given that Icelandic banks have currently no foreign establishments, except one subsidiary of a non-major bank in the UK, the existing legal framework on international cooperation aimed at enabling consolidated supervision by CBI has not been concretely implemented. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor reviews the main activities of parent companies, and of companies affiliated with the parent companies, that have a material impact on the safety and soundness of the bank and the banking group, and takes appropriate supervisory action. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
As already mentioned under CP5 EC4, CBI has legal power to identify the shareholding structure of regulated banks, including qualified holdings and ultimate beneficial ownership. Based on Act No. 161/2002, Article 107 (Para 2) and Article 49, CBI has legal power to oversee main shareholders of regulated banks, including parent companies, as well as sister companies (that is, subsidiaries of parent companies), in order to identify any risk issue that might impact regulated banks, coming from shareholders’ group structures that are not included in the scope of consolidated banking supervision. During the mission, CBI has mentioned that there has been no need to oversee any parent company so far, given the absence of non-financial holding companies among major banks’ shareholders. Therefore, there has been no case for which banking supervisors would have needed accessing to a parent company on-site, applying enforcement action over the parent company and/or its directors and managers, requiring financial reports of the parent company, restricting upstream dividends or transactions between the bank and its affiliates, or applying consolidation of any relevant entity, even if not directly controlled. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor limits the range of activities the consolidated group may conduct and the locations in which activities can be conducted (including the closing of foreign offices) if it determines that:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
CBI has legal power to limit the range of activities that banking groups may conduct, according to Act No. 161/2002, Chapter V Section B. CBI may prohibit activities of banks abroad. Powers of limitation of banks’ foreign activities are included in Act No. 161/2002. Article 9 lays down the grounds for revocation of an operating license, which may be decided in full or in part. Article 10(a) lays down rules regarding restrictions on banks’ activities, which may be decided if CBI sees specific reasons to do so. In addition, CBI is authorized to establish special conditions for the continued operations of individual establishments of a bank. Furthermore, CBI is permitted to temporarily restrict, in part or in full, operations that an undertaking is permitted to engage in, whether the undertaking is subject to an operating license or not. Before any revocation may be enacted by CBI, related banks must be allowed a suitable period to rectify the situation, if rectification is possible in the estimation of CBI. In practice, such power has not been used, because CBI did not need to use it. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
In addition to supervising on a consolidated basis, the responsible supervisor supervises individual banks in the group. The responsible supervisor supervises each bank on a stand-alone basis and understands its relationship with other members of the group.60 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
CBI implements banking supervision at stand-alone level and consolidated level through supervisory processes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 12 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
The legal framework is in place to ensure consolidated supervision of banking groups, which is implemented by CBI in supervisory processes. The existing legal framework enable CBI’s oversight of regulated banks’ main shareholders, including parent companies and sister companies (at least, risk-significant subsidiaries of parent companies), in order to identify and address any risk issue that might impact regulated banks, coming from shareholders’ group structures that are not included in the scope of consolidated banking supervision. In practice, the need of such extended CBI oversight on banks’ shareholders has not been identified yet. Effective CBI oversight of banks’ shareholdings on a regular basis, not only at the licensing stage or at the change of ownership stage, may be further developed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 13 |
Home-host Relationships Home and host supervisors of cross-border banking groups share information and cooperate for effective supervision of the group and group entities, and effective handling of crisis situations. Supervisors require the local operations of foreign banks to be conducted to the same standards as those required of domestic banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The home supervisor establishes bank-specific supervisory colleges for banking groups with material cross-border operations to enhance its effective oversight, taking into account the risk profile and systemic importance of the banking group and the corresponding needs of its supervisors. In its broadest sense, the host supervisor who has a relevant subsidiary or a significant branch in its jurisdiction and who, therefore, has a shared interest in the effective supervisory oversight of the banking group, is included in the college. The structure of the college reflects the nature of the banking group and the needs of its supervisors. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
CBI has legal power to establish supervisory colleges that would be needed for international cooperation aimed at ensuring consolidated supervision of banking groups, according to Act No. 161/2002, article 109(j) on supervisory colleges. In reality, since no Icelandic bank has any foreign branch or subsidiary, except one nonmajor bank’s subsidiary in the UK (Alternative Investment Fund Manager), there has been no concrete need for CBI to set up supervisory colleges. This UK subsidiary is nonmaterial for UK supervisory authorities, and bilateral cooperation may take place as needed based on the bilateral MoU. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
Home and host supervisors share appropriate information on a timely basis in line with their respective roles and responsibilities, both bilaterally and through colleges. This includes information both on the material risks and risk management practices of the banking group61 and on the supervisors’ assessments of the safety and soundness of the relevant entity under their jurisdiction. Informal or formal arrangements (such as memoranda of understanding) are in place to enable the exchange of confidential information. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
As mentioned in CP3 EC2, CBI has signed many bilateral and multilateral Memorandums of Understanding (MOUs), and CBI has legal power to share information and collaborate with foreign supervisory authorities, within and without the EEA. According to Act No. 87/1998, article 14, CBI may provide foreign regulatory authorities of other EEA member states with confidential information, if such information sharing is part of cooperation in the supervision of activities of regulated entities and is useful in permitting the conduct of the supervision prescribed by law. CBI may share confidential information with regulatory authorities of non-EEA countries, provided that obligations of confidentiality are observed. Existing MoUs include provisions concerning information sharing, on-site inspections, and protection of confidentiality. There are no branches of foreign banks operating in Iceland, and no supervised entity in Iceland has any branch in another country. Subsequently, CBI is not using any of the signed MoU’s for the purpose of prudential supervision of specific entities, except for the UK subsidiary of the non-major Icelandic bank (a recent acquisition). However, CBI mentioned that it used these MoU’s for getting information when assessing the qualified holders of supervised entities, years ago, and it faced no issues that impacted CBI assessment. CBI is a member of only one supervisory college relating to a payment institution (therefore, not a bank). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
Home and host supervisors coordinate and plan supervisory activities or undertake collaborative work if common areas of interest are identified in order to improve the effectiveness and efficiency of supervision of cross-border banking groups. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
As already mentioned, since no Icelandic bank has any foreign branch or subsidiary, except one non-material bank subsidiary in the UK, CBI has not started any work concerning coordinating or planning supervisory activities with other authorities acting as home or host supervisors. Only one European foreign investment firm has opened a branch in Iceland, using the EU/EEA passporting framework. CBI has received information concerning the branch from the home supervisor according to EU Directive 2014/65/EU. Supervision of this branch is performed by CBI according to Act No. 115/2021 on markets in financial instruments. CBI has faced no issues with cross-border information sharing on that case. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The home supervisor develops an agreed communication strategy with the relevant host supervisors. The scope and nature of the strategy reflects the risk profile and systemic importance of the cross-border operations of the bank or banking group. Home and host supervisors also agree on the communication of views and outcomes of joint activities and college meetings to banks, where appropriate, to ensure consistency of messages on group-wide issues. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
As already mentioned, since no Icelandic bank has any foreign branch or subsidiary, except one non-material bank subsidiary in the UK, CBI has not developed any communication strategy with other authorities acting as home or host supervisors. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities, develops a framework for cross-border crisis cooperation and coordination among the relevant home and host authorities. The relevant authorities share information on crisis preparations from an early stage in a way that does not materially compromise the prospect of a successful resolution and subject to the application of rules on confidentiality. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
As already mentioned, since no Icelandic bank has any foreign branch or subsidiary, except one non-material bank subsidiary in the UK, CBI has not developed any crossborder crisis cooperation and coordination that would involve relevant home and host authorities. Yet Iceland is part of the cooperation agreement on cross-border financial stability, crisis management, and resolution signed between relevant ministries, central banks and financial supervisory authorities of Iceland, Denmark, Finland, Norway, Sweden, Lithuania, Latvia, and Estonia. On a national basis, the Resolution Authority of CBI has made resolution plans for banks, according to Act No. 70/2020, article 9. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities and relevant host authorities, develops a group resolution plan. The relevant authorities share any information necessary for the development and maintenance of a credible resolution plan. Supervisors also alert and consult relevant authorities and supervisors (both home and host) promptly when taking any recovery and resolution measures. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
The resolution framework of a cross-border banking group is subject to legal provisions in Act No. 161/2002, Chapter XII, which addresses financial reorganization of a bank with head offices located in Iceland and a branch in another EEA state, as well as financial reorganization of a bank with its head office located abroad and a branch in Iceland. As mentioned under CP13 EC5, CBI has not developed any cross-border crisis cooperation and coordination that would involve relevant home and host authorities, because there has been no need to do so, given the inexistence of cross-border banking groups in both ways. Therefore, development of group resolution plans including cross-border arrangements has not been relevant so far. Yet the Resolution Authority of CBI has made resolution plans for domestic systemically important banks, according to Act No. 70/2020, article 9. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The host supervisor’s national laws or regulations require that the cross-border operations of foreign banks are subject to prudential, inspection and regulatory reporting requirements similar to those for domestic banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
The legal framework enforces the principle of a similar supervision of domestic banks and Icelandic branches and subsidiaries of EEA foreign banks. Yet this principle has not been implemented, because there has not been any branch of foreign banks in Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The home supervisor is given on-site access to local offices and subsidiaries of a banking group in order to facilitate their assessment of the group’s safety and soundness and compliance with customer due diligence requirements. The home supervisor informs host supervisors of intended visits to local offices and subsidiaries of banking groups. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
The legal framework enabling mutual on-site inspections exists, but it has not been implemented so far, because of the lack of cross-border entities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The host supervisor supervises booking offices in a manner consistent with internationally agreed standards. The supervisor does not permit shell banks or the continued operation of shell banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
The licensing regime prohibits shell banks from operating in Iceland. In that regard, when examining applications for a new banking license, CBI reviews the applicant bank’s operational structure. CBI has confirmed that there are no shell banks, nor any booking office of any bank located in Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC10 |
A supervisor that takes consequential action on the basis of information received from another supervisor consults with that supervisor, to the extent possible, before taking such action. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC10 |
The legal framework in place states that information received by CBI from foreign supervisors for banking supervision is protected as confidential. In the event that CBI would have to take action on the basis of such information, CBI would consult with foreign supervisors, as appropriate, before taking action. Yet such framework has not been concretely implemented so far, because of inexistence of cross-border entities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 13 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Home-host relationships don’t need to be much developed in Iceland because crossborder banking activities through branches and subsidiaries is limited in both ways. However, a dedicated legal and institutional framework is in place on home-host relationships, which is appropriate. Immateriality of cross-border banking entities has made the set-up of supervisory colleges, as well as the conduct of on-site inspections abroad, unnecessary so far. Crossborder cooperation for supervisory purpose is implemented on a case-by-case basis. CBI is well connected to other supervisory authorities with which it may be relevant to ensure effective relationships, especially among Nordic countries. No main finding has been identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Prudential Regulations and Requirements |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 14 |
Corporate Governance The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management,62 and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business. The supervisor provides guidance to banks and banking groups on expectations for sound corporate governance. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
The responsibilities of the BOD of a company are set out in Article68 of the Act respecting Public Limited Companies, No. 2/1995, (Act No. 2/1995) which state the BOD undertake the Company affairs and ensures the Company’s organization and activities are at all times in correct and in good order. The Company’s BOD and the Director undertake the administrative activities of the Company, where the Director is in charge of daily operations. Furthermore, the Company’s BOD shall ensure that the book-keeping and the handling of Company funds be sufficiently supervised. Iceland has implemented Article 88 of Directive 2013/36/EU into Arti 54 of Act 161/2002. It is stated that the board is responsible for the company’s operations and strategy, robust governance arrangements, which include a clear organisational structure with well-defined, transparent, and consistent lines of responsibility, risk strategy, adequate internal control mechanisms, including sound administration and accounting procedures. The board must oversee the process of disclosure and communications. CBI/FSA’s expectations and guidance on governance are set out in various guidelines and rules, including:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor regularly assesses a bank’s corporate governance policies and practices, and their implementation, and determines that the bank has robust corporate governance policies and processes commensurate with its risk profile and systemic importance. The supervisor requires banks and banking groups to correct deficiencies in a timely manner. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Part of CBI/FSA’s regular monitoring includes the financial supervisors’ identifying issues as early as possibly by monitoring changes or signs that could be indicators of weaknesses or threats to the institution’s governance and internal control framework. Regular monitoring consists of quarterly “status” assessments performed three times a year (i.e., quarterly - as the overall risk assessment is conducted in one of the quarters). The main objective is to have in place a documented summary of the status of the bank’s governance including an overview of incidents, indicators and cases that have occurred in the last week and months. However, the assessment may trigger further investigation or need for an on- or off-site inspection, based on the severity of the case. CBI internal methodology and guidance for supervisors is outlined in its Supervisory Handbook (CCQ) 01 entitled assessment of governance and internal control as well as the requirements for regular monitoring. CBI/FSA supervisors assess whether bank’s governance systems are in place and in line with supervisory expectations. Internal guidance is outlined in CBI/FSA’s Supervisory Handbook (CCQ) and includes the following subjects: 02 Overall internal governance framework (VIN-0042) 03 Composition, organization and functioning of the management body (VIN-0044) 04 Corporate risk and culture (VIN-0043) 05 Remuneration policies and practices 06 Internal control framework (VIN-0047) 07 Risk management framework, including ICAAP and ILAAP (VIN-0046) 08 Summary of findings and risk scores for the overall risk assessment of internal governance (VIN-0049) The annual SREP assessment for D-SIBs takes into account all on and off-site inspections, reviews of regular reporting (risk reports, internal audit and compliance reports, etc.), interviews with board members, managers and employees, and institution’s selfassessments. Deficiencies are communicated to the bank through different channels depending on the severity of the issue. Arti 107(a) of Act No. 161/2002 states that CBI/FSA may require a financial undertaking, which does not meet the provisions of Act No. 161/2002 and regulations and rules based thereof, to take corrective action in a timely manner. In order to ensure compliance, CBI may require:
In case of formal (administrative) decisions, CBI demands corrective actions to be implemented within a specific timeframe. Some weaknesses, i.e., strengthening risk culture, are long term projects. Then CBI requires a documented project plan for the implementation of improvements within in a certain time frame. In order to ensure compliance with the plan, CBI has meetings with senior management and if necessary, the BOD. CBI/FSA requires banks to make improvements and correct deficiencies through various channels - regular communication, formal meetings and with formal administrative actions (letters). Recent corrective measures include:
Assessors note that CBI/FSA’s SREP methodology pertaining to low and medium-low impact category classification, do not necessary require meetings/interviews with the CRO, CFO, IA, Board members, compliance officer or EA - only ’when necessary’. Further, meetings with the CEO are only required every 3 years. Although it is acknowledged that CBI/FSA financial supervisors are in contact with the bank throughout the year, and will take action if there are any indications of breaches/poor governance however this does not necessarily equate to having contact with the Board members and critical control functions. CBI/FSA does undertake fitness and propriety of board members upon appointment and financial supervisors review IA and EA reports as part of the regular monitoring. CBI/FSA during on-site inspections does have the opportunity to make contact with certain of these key individuals and that the last formal comprehensive assessment of governance for institutions classified as low/medium low risk was in 2016 with plans to make another similar assessment in 2023. Assessors recommend that CBI/FSA re-assess the frequency with which it makes contact with Board members for both the savings/commercial banks that are classified as low or medium low impact to ensure adequate coverage/oversight of corporate governance frameworks in these banks. According to the SREP framework, it is possible these key functions/Board members may never be interviewed. Although the size of the savings banks may be immaterial, the reputation risk to CBI/FSA of one of these institutions failing is high considering the general view of the importance of these banks in the Icelandic community. Moreover, CBI/FSA should ensure adequate oversight of the strength of these critical functions/board members for banks that operate cross border. Last, the corporate governance expert working within the Banking Department oversees the D-SIBs only and it would therefore be appropriate for similar coverage of the remaining banks, on a risk basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that governance structures and processes for nominating and appointing Board members are appropriate for the bank and across the banking group. Board membership includes experienced non-executive members, where appropriate. Commensurate with the risk profile and systemic importance, Board structures include audit, risk oversight and remuneration committees with experienced non-executive members. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Iceland has a two-tier system by law and at the shareholder’s meetings elects the members of the board which is a supervisory board. All members of the supervisory board are required to be non-executive directors (NED’s). Following the shareholder’s meeting and appointment of board members, the board convenes and elects’ members of the committees in line with legal and supervisory requirements. Appointment of new members is subject to approval of CBI/FSA. Please see below and EC 6 for the assessment of fitness and propriety of individual board members, which includes an assessment of whether the proposed non-executive member possess adequate experience for the position. Article88 of directive 2013/36/EU (CRD), the establishment of a nomination committee has not been required by law nor expected by the supervisor. However, in June 2022 requirements on the establishment, responsibilities and functioning of the nomination committee were incorporated in Act No. 161/2002 on financial undertakings (Article53) and will apply to D-SIBs from July 2023. Article53 includes an exemption clause, the requirement of a nomination committee does not apply if all board members are appointed by the Icelandic State Financial Investments (ISFI). Article78 of Act No. 161/2002 sets out detailed requirements of the establishment, responsibilities and functioning of the risk committee of the board. The risk committee consists of board members only and are all non-executive directors (paragraph 1). CBI/FSA has the authority to allow financial undertakings to combine the risk committee and audit committee (Article78, paragraph 4). CBI also has the authority to grant an exemption of the establishment of a risk committee (Article78 paragraph 5). CBI/FSA grants exemptions, as per paragraph 4 and 5 in relation to the undertaking’s size, nature, and complexity. Article108(a) in Act No. 3/2006 on Annual accounts sets out requirements of the establishment, responsibilities and functioning of the audit committee in public interest entities including banks. Article57(e) of Act No. 161/2002 sets out detailed requirements of the establishment, responsibilities and functioning of the remuneration committee for D-SIBs. It is stipulated that the committee should consist of at least three members of the board, including the chairman. CBI/FSA’s expectations and guidance for the establishment, responsibilities and functioning of the committees of the board are set out in the following guidelines:
BCI/FSA assesses the composition of the board in line with the bank’s strategy, risk profile and complexity by:
Assessors note that the EBA guidelines (Art. 76(3), sub-paragraph 4, of CRD IV) as well as Art. 78(4) of Act 161/2002 suggest that, based on nature, size, and complexity of the institutions, that the audit committee and the risk committee of the Board may be combined. Assessors recommend, in line with Basel standards, that if a supervisory authority requires an audit committee and risk committee, that the audit committee be kept distinct from other committees, such as the risk committee (BCBS Guideline on Corporate Governance Principles for Banks, July 2015, item 68 and 7163). It is recommended that different non-executives be appointed to the audit committee and the risk committee, as well as keeping these subjects/issues separate in order to assure the member who oversees the risk of the institution is not also approving/reviewing the audited financial statements of the institution. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty”.64 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC 4 |
The requirements of fitness and propriety are set out in Art. 52 of Act No. 161/2002 and in the EBA-ESMA/GL/2021/06 on the assessment of suitability. Following the initial appointment members of the board/CEO submit background information which CBI/FSA examines and verifies as well as evaluating their knowledge, skills and experience based on the submitted information. In the case of board members of D-SIBs and the CEO of the commercial bank designated as a financial conglomerate the knowledge will also be evaluated during an oral interview. For smaller institutions, individuals will only be evaluated with an oral interview if there are doubts about their knowledge. Review and assessment of self-assessments of the board and senior management are in line with Annex I - Joint EBA and ESMA GL on the assessment of suitability is part of regular monitoring and the annual SREP process. Article52, paragraph 2 of Act No. 161/2002 states that the main fit and proper criteria for the board members and the managing director is that they may not behave in any manner that would give cause to doubt their ability to be responsible for sound and prudent business operations or to abuse their position or harm the undertaking. Assessors recommend that going forward, CBI/FSA specifically assess Board members “duty of care” and “duty of loyalty” as defined in the footnote attached to EC4 of CP14 and with respect to Act No. 161/2002. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor determines that the bank’s Board approves and oversees implementation of the bank’s strategic direction, risk appetite65 and strategy, and related policies, establishes and communicates corporate culture and values (e.g., through a code of conduct), and establishes conflicts of interest policies and a strong control environment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
The board’s role and responsibilities are set out in Article54 of Act No. 161/2002. CBI/FSA regularly assesses, through its off-site and in on-site inspections, and as part of the annual assessment in line with requirements of the board’s responsibilities in (Article 54). Article 54 stipulates that the board of directors is also responsible for ensuring that corporate governance and internal organization promote the efficient and prudent management of the undertaking, and the separation of duties prevents conflicts of interest. These requirements are further stipulated in EBA/GL/2021/05 on internal governance, in Title II - Role and responsibility of the management body (Art. 22.l), Chapter IV Risk culture and business conduct and Chapter 11 Conflict of interest policy at institutional level and Chapter 12 Conflict of interest policy for staff. CBI/FSA’s objective is verifying the board is fulfilling it role and responsibilities in setting and overseeing the implementation of its policies through various on- and off-sites and regular interviews. Supervisors determine if and how the BODs are promoting a strong risk culture and awareness of risk (tone from the top) throughout the operations of the bank. The assessment of the board’s role and responsibilities includes reviewing meeting minutes, policies, governance statements, procedures, risk reports, results of internal audits and compliance reports. Further, CBI/FSA’s objective is to verify if the board discusses the institution’s risk appetite on regular basis and whether the board receives adequate and appropriate information on risk (risk reports) and whether sufficient time is allowed in board meetings to consider and discuss those risks. Supervisory Handbook in CCQ used by supervisors as part of this guidance: 03 Composition, organization and functioning of the management body; 04 Corporate and risk culture (VIN-0043) 07 Risk Management framework, including ICAAP and ILAAP (VIN-0046). The assessment includes the:
CBI/FSA has required bank’s boards to enhance their role in overseeing the implementation of its policies and to increase their focus and attention on a specific issue, for example during the ICAAP/ILAAP process, assessment of internal controls, recovery plans, and conflict of interest policies. CBI/FSA has also required banks boards to strengthen banks risk culture, emphasizing the importance of strong corporate and risk culture and “tone from the top” and how it should be visible not only in policies, codes of conduct and published material but also in the conduct of board, senior management and employees and all activities of the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor determines that the bank’s Board, except where required otherwise by laws or regulations, has established fit and proper standards in selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards established for them. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
CBI/FSA regularly assesses, as part of the SREP process “assessment of internal governance and institution-wide controls” and in line with requirements of the board’s responsibilities in (Article 54) which are further stipulated in EBA guidelines. The EBA/GL/2021/05 stipulates that internal governance should set out clear requirements of the supervisory role of the board. The EBA/GL/2021/06 stipulates the assessment of fitness and propriety. EBA-ESMA/GL/2021/06 sets out clear requirements on the responsibilities of the financial undertaking to assess the fitness and propriety of board, senior management, and other key functions holders. CBI/FSA determines the bank’s fit and proper procedures by undertaking the:
CBI/FSA has required a bank to review and update their policy and of assessment of senior management and key function holders. In that case the bank had only carried out the assessment at the time of the initial appointment and did not fulfil their role in continuously ensuring the fitness and propriety of senior management and key function holder. CBI has also required corrective measures where the board’s policy did not include heads of internal control functions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor determines that the bank’s Board actively oversees the design and operation of the bank’s and banking group’s compensation system, and that it has appropriate incentives, which are aligned with prudent risk taking. The compensation system, and related performance standards, are consistent with long-term objectives and financial soundness of the bank and is rectified if there are deficiencies. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Iceland has implemented Article94 of EU’s CRD V into Article57 B(1) of Act No. 161/2002, which obliges financial undertakings, including credit institutions, to ensure that variable remuneration (“bonuses”) fulfil a number of conditions, including but not limited to
CBI/FSA is of the view that a compensation system that fulfills the above-mentioned conditions is consistent with the long-term objective and financial soundness of banks. In recent years, CBI/FSA has imposed fines and undertaken other enforcement actions on financial undertakings, including but limited to banks, that have violated rules on variable remuneration. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor determines that the bank’s Board and senior management know and understand the bank’s and banking group’s operational structure and its risks, including those arising from the use of structures that impede transparency (e.g., special-purpose or related structures). The supervisor determines that risks are effectively managed and mitigated, where appropriate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
Following the initial appointment of members of the board and the CEO of D-SIBs and conglomerates, their knowledge of the bank and banking group operational structure and its risk, including those arising from the use of structures that impede transparency is evaluated. Regular interviews with the board and senior management have been part of regular monitoring since 2016 (CCQ CBI/FSA Supervisory handbook) and an important part of the annual SREP assessment. Topics vary and depend on activities, issues, and risks which the bank is faced with at the time. In recent years CBI has emphasized the importance of clear and transparent organisational, operational, and legal structures of the bank in line with the term “know your structure” in the EBA/GL/2021/05 on internal governance. As part of the annual assessment the composition, organisation and functioning of the board, its committees and management board, self-assessments of the board and senior management are reviewed, and the results are discussed with board and if relevant with management. Assessors noted that commercial banks in Iceland have very straight forward and transparent organizational structures. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The supervisor has the power to require changes in the composition of the bank’s Board if it believes that any individuals are not fulfilling their duties related to the satisfaction of these criteria. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
Article 10 paragraph 4 of Act No. 87/1998 states that if the board members or managing directors of regulated entities do not meet the eligibility requirements of the special laws that apply to the activities of regulated entities, the FSA may demand that the person resign, either temporarily or permanently. If the requirements of the FSA are not met within a reasonable time limit, the FSA can unilaterally dismiss the person. CBI/FSA has made use of this section of the legislation. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Additional Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
AC1 |
Laws, regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re AC1 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 14 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Assessors recommend that CBI/FSA re-assess the frequency with which it makes contact with Board members for both the savings/commercial banks that are classified as low or medium low impact to ensure adequate coverage/oversight of corporate governance frameworks in these banks. According to the SREP framework, it is possible these key functions/Board members may never be interviewed. Although the size of the savings banks may be immaterial, the reputation risk to CBI/FSA of one of these institutions failing is high considering the general view of the importance of these banks in the Icelandic community. Moreover, CBI/FSA should ensure adequate oversight of the strength of these critical functions/board members for banks that operate cross border. Last, the corporate governance expert working within the Banking Department oversees the D-SIBs only and it would therefore be appropriate for similar coverage of the remaining banks, on a risk basis. The work undertaken by the corporate governance expert is adequate with many touch points with senior management and boards. Further, CBI carries out fit and proper assessments when Board members are on-boarded. CBI/FSA do not specifically assess Board members “duty of care” and “duty of loyalty” as defined in the footnote attached to EC4 of CP14. Further, CBI permits audit committee and risk committee to combine, whereas Basel indicates these two committees should be distinct., as keeping these subjects/issues separate in order to assure the member who oversees the risk of the institution is not also approving/reviewing the audited financial statements of the institution. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 15 |
Risk Management Process The supervisor determines that banks66 have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate67 all material risks on a timely basis and to assess the adequacy of their capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank.68 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor determines that banks have appropriate risk management strategies that have been approved by the banks’ Boards and that the Boards set a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. The supervisor also determines that the Board ensures that:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Article 77 of Act 161 states that a financial undertaking must always have in place a secure risk management system for all its activities. Furthermore, the financial undertakings shall have in place adequate and documented internal processes to assess the necessary size, composition, and internal distribution of the capital base considering the risks entailed by the business activity at any time. Further Article 78 of Act 161 states that financial undertaking shall have a risk committee and indicates how they should manage the risks in its activities. Financial undertakings shall always have in place a sound and comprehensive risk management system covering every aspect of their activities. (a) a sound risk management culture is established throughout the bank Since 2016, CBI has documented its assessment of bank’s risk culture and continuously puts emphasis on boards to enhance their role in risk culture. Risk culture is a consistant topic in all interviews with board’s, senior management, heads of internal control functions and yhe external auditor. CBI has formally required D-SIBs to strengthen their risk culture and required the BOD and senior management to enhance their role in setting and communicating the bank’s values and expectations. The corrective measures have included putting forward a detailed plan, with time limits, on how the bank intends to strengthen their risk culture. Follow ups have included formal meetings with the board, senior management and project team. Supervisors determine if and how the BOD and senior management are promoting a strong risk culture and awareness of risk (tone from the top) throughout the operations of the bank. Supervisors determine if attitudes, behaviors and decisions in daily operations are in line with the bank’s values, risk appetite and internal rules. The assessment includes reviewing meeting minutes, policies, procedures, risk reports, results of internal audits and compliance reports. CBI’s Supervisory Handbook (CCQ) includes guideance on the review of corporate and risk culture (VIN-0043) and risk management framework, including ICAAP and ILAAP (VIN-0046).
Part of CBI/FSA’s annual assessment of D-SIB’s SREP process pertaining to internal governance and institution-wide controls, financial supervisors require banks to submit policies and processes regarding risk appetite, strategy risk taking and risk management. For example, for one D-SIB, an assessment was done on the bank’s overall strategy, organization, and policies. The handbook includes all policies, rules and charters approved by the BOD in effect at the date of publication. The objective of the handbook is to maintain in one place the relevant documents to provide a holistic view of the Bank’s policies and corporate governance. Further, there is a requirement that the risk management and risk appetite metrics are outlined to the Board, and executive management in the monthly Risk Report. The report shall include information about any temporary deviations from the risk appetite or risk limits which occurred during reporting period. CBI/FSA also monitors KRIs with respect to risk limits and prudential requirements. Further, CBI/FSA’s assessment of BMA as part of SREP and in reviewing for example the risk indicators in the Recovery Plan. Governance assessment also include annual interviews with IA. Assessors noted that CBI/FSA’s on-site inspection program does not include a review of whether bank’s risk management policies and procedures are being adhered to in practice, looking at both bank’s individual business lines and business units. Some aspects of this determination are looked at during thematic on-site reviews, but are limited to the type of credit expsoures of focus for such review. This is a key component of the supervisor’s determination regarding the quality and effectiveness of bank’s risk management practices, and especially critical for the D-SIBs. (c) uncertainties attached to risk measurement are recognized; No comments were provided in this regard. Assessors recommend that CBI/FSA determine if bank’s recognize any uncertainties with respect to the risk measurement practices.
CBI/FSA regularly reviews D-SIBs’ monthly risk report which displays an aggregate view of whether the bank is operating within risk limits. In all the banks are risk dashboard and risk reports. That being said, Assessors noted that supervisors do not necessarily challenge banks, especially the D-SIBs, with respect to whether appropriate limits are in place commensurate with bank’s risk appetite and risk profile. CBI/FSA does challenge the adequacy of bank’s capital strength through the SREP ICAAP process.
Banks are required to monitor and control all material risks consistent with the Board approved strategies and risk appeitite. Although CBI/FSA supervisors reviews certain aspects of bank’s reporting against limits established in the various risk areas, including reviewing the monthly risk report submitted to the FSA, as well as the review off-site of risk appetite, assessors recommend that CBI/FSA develop an approach that will provide a deeper analysis of whether appropriate limits have been established by banks in line with the bank’s risk appetite, risk profile, capital strength. The analysis would be key for the supervisors to utilize as part of the discussion with Board and Senior Management if/when there is a need to challenge the bank regarding higher risk or inappropriate thresholds. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor requires banks to have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. The supervisor determines that these processes are adequate:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Several references in legislation/regulation refer to the responsibility of banks’ Boards to implement adequate risk management practices and internal controls. References include:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that risk management strategies, policies, processes and limits are:
The supervisor determines that exceptions to established policies, processes and limits receive the prompt attention of, and authorization by, the appropriate level of management and the bank’s Board where necessary. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI/FSA reviews D-SIB’s risk management policies and procedures taking into consideration whether the policies are properly documented, regularly reviewed and adjusted according to changes in the risk appetite and communicated within the bank as part of its on-site inspections and only within the subject area within scope of the inspection. For example, one on-site inspection at a D-SIB carried out in July 2021, which examined the risk management structure, roles, responsibilities and scope of risk management related to credit risk and the role of the board and the risk committee in managing it. CBI also looked at the bank’s risk culture and whether it is conductive to making well-informed and professional decisions. CBI/FSA financial supervisors, in their off-site inspections, have also conducted similar reviews as mentioned in the previous paragraph. For example, CBI/FSA’s Supervisory Handbook requires financial supervisors to assess bank’s risk management framework as it pertains to ICAAP/ILAAP (CCQ VIN-0046). Assessors recommend that CBI/FSA re-assess its overall approach to its assessment of bank’s risk management policies, procedures and practices (See EC1 for more detail regarding the Assessors’ views), and whether practices associated with exceptions to policies have adequate policies and limits in place (senior management/board sign off for established thresholds). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that the bank’s Board and senior management obtain sufficient information on, and understand the nature and level of risk being taken by the bank and how this risk relates to adequate levels of capital and liquidity. The supervisor also determines that the Board and senior management regularly review and understand the implications and limitations (including the risk measurement uncertainties) of the risk management information that they receive. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Article 80 (paragraph 1) of Act No. 161/2002 stipulates that bank’s BOD are required to approve and provide an ICAAP/ILAAP report to CBI/FSA. In practice this is on an annual basis for D-SIBs and less frequently for lower and medium impact banks. The bank’s recovery plan also addresses the comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control. The bank’s recovery plan is reviewed every year. As part of its SREP process, CBI/FSA financial supervisors and risk specialists are provided with in-depth analysis, stress testing of the material risk areas of the D-SIBs and how these risks relate to the bank from a capital and liquidity. CBI/FSA is able to examine the adequacy of senior management’s view of the risk profile of the bank, challenge bank’s assumptions, and assess capital and liquidity requirements according to prudential requirements as part of the ICAAP/ILAAP review process. Limitations with respect to D-SIB’s use of risk measurement techniques/models in comparison to CBI/FSA’s benchmarks (e.g., benchmarks utilized by CBI/FSA and provided in the relevant annexes to the SREP Methodology document as posted on CBI’s website) are discussed on an indepth basis but generally conducted “off-site”. The results of these assessments, specifically differences in opinion on CBI;s benchmarks, are discussed with D-SIB risk specialists and senior management as well as comments obtained in writing from banks are considered by CBI/FSA as part of the ICAAP/ILAAP process. However, CBI/FSA on-site inspections do not necessarily include a deep examination of whether Senior Management and/or the Board representatives know and understand the limitations of the risk management information that they receive (including risk measurement uncertainties). Senior management and board members are required to review and understand liquidity risks of the banks. For example, according to Principle 3 of Guidelines No. 2/2010 on best practice on liquidity management for financial undertakings, the senior management should develop a strategy, policies, and practices to manage the liquidity risk in accordance with the risk tolerance and to ensure that the financial undertaking maintains sufficient liquidity. The senior management should also continuously review information on bank’s liquidity developments and review reports to the board of directors on a regular basis. A financial undertaking’s board of directors should review, understand and approve the strategy, policies, and practices for management of the liquidity, at least annually, and ensure that senior management manages the liquidity risk effectively. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor determines that banks have an appropriate internal process for assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile. The supervisor reviews and evaluates banks’ internal capital and liquidity adequacy assessments and strategies. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
In general, overall capital and liquidity adequacy is estimated in accordance with the capital requirements regulation No. 575/2013 on prudential requirements for credit institutions and investment firms Implemented in Icelandic law and rules of CBIs No. 266/2017 liquidity ratio of credit undertakings. CBI/FSA’s SREP process dictates an in-depth assessment of D-SIB’s ICAAP/ILAAP on an annual basis. This entails an assessment of the ICAAP (meetings on each risk area, discussion and assessment of Pillar 2 requirements, results in letters to the bank and CBI posting the results of overall capital requirements for the D-SIBs on its website). For low or medium impact banks, ICAAPs are required to be filled annually but CBI carries out its assessment every two years (with the result of a Pillar 2 assessment at that time). Throughout COVID, banks with a lower impact rating, ICAAPs were not reviewed/Pillar 2 assessment not changed - but this is in line with how other jurisdictions dealt with the P2R process during the pandemic. The FSA’s assessment of an institution’s liquidity and funding needs, outlined in the ILAAP, is an integral part of the SREP (pursuant to Article 79 (para 2) and Article 81 (para 2) of Act no. 161/2002 and FSA’s Guidelines No. 2/2010 on best practice of liquidity management). The assessment is based on three factors including an assessment of: liquidity and funding risk management; inherent liquidity risk; and inherent funding risk (pursuant to Article 78(h) and 83 of Act no.161/2002). The outcome of the assessment may lead to CBI/FSA to require specific liquidity requirements and requests for improved management and control of the risks in question. The outcome may also lead to requirements that the institution extend maturities, acquire additional own funds, reduce off-balance-sheet exposures, and so forth. CBI/FSA’s Supervisory Handbook (CCQ VER-0002) provides guidance to financial supervisors on what assessment criteria to utilize as part of the assessment. FSU also assists with the assessment of D-SIB’s ILAAP. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
Where banks use models to measure components of risk, the supervisor determines that:
The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
(a) All the Icelandic banks use the Standardized Approach for assessing their regulatory capital (Pillar I). In the banks ICAAP assessment for additional capital requirement (Pillar II) they use internal models that are not approved by CBI/FSA. Models developed by risk management are widely used throughout the D-SIBs such as PD models and LGD models. The Banks uses its internal PD, LGD and macro-economic models and its IFRS 9 framework to translate the scenarios to PD, LGD and losses and write-offs. CBI/FSA financial supervisors have not finished reviewing these models, but CBI/FSA supervisory benchmarks are often used in assessment of pillar II requirements. b) Although model risk is one of the risks discussed in ICAAP reports of the banks and the report is approved by the D-SIB bank BOD, it is difficult for CBI/FSA financial supervisors to assert that the D-SIB boards and senior management, other than the risk management representatives, know and understand the limitations of these models. In CBI/FSA’s SREP process in the previous few years, as D-SIBs have been focusing on developing and calibrating these models, CBI/FSA has been making an effort to assesses whether the model outputs appear reasonable as a reflection of the risks assumed in the SREP process. c) Banks perform regular and independent validation and testing of the models. Assessors note that CBI/FSA does not necessarily undertake a deep assessment of banks’ risk management processes around the use of models, including whether banks perform regular and independent validation and testing of such models. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor determines that banks have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products and counterparties. The supervisor also determines that these reports reflect the bank’s risk profile and capital, and liquidity needs and are provided on a timely basis to the bank’s Board and senior management in a form suitable for their use. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Banks are required to comply with Guideline EBA on ICT and security risk management EBA/GL/2019/04. In general CBI/FSA assesses bank’s strength of reporting through an assessment of the data and reporting provided to D-SIB BOD and to CBI as part of the off-site monthly monitoring process (e.g., risk reports provided by the D-SIBs to CBI). CBI/FSA indicated that an assessment of the D-SIBs IT systems has not been undertaken with respect to the adequacy of information for the measurement, assessment and reporting of bank’s size, composition, and quality of risk exposures on both a bank wide basis and across all risk types, products, and counterparties. As a result, CBI/FSA is not in a position to challenge the quality of banks risk management reporting from IT systems (off-site) regarding information received by the senior management/BOD. Assessors do acknowledge that when CBI/FSA does carry out an on-site inspection, supervisors do an examination of the quality of the data pertaining to the subject matter under review (e.g., large exposures, etc). If CBI becomes aware of insufficient documentation to senior management/BOD and/or insufficient submission of material to CBI, either as part of an on- and off-site inspection, it requests corrective actions. Assessors recommend that CBI/FSA carry out on-site inspections (especially for D-SIBs) with respect to the strength of bank’s risk management information systems, in order to ensure these systems are accurately measuring, assessing, and reporting exposures across all applicable risk areas and that senior management and the BOD are receiving adequate risk management information. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor determines that banks have adequate policies and processes to ensure that the banks’ Boards and senior management understand the risks inherent in new products,69 material modifications to existing products, and major management initiatives (such as changes in systems, processes, business model and major acquisitions). The supervisor determines that the Boards and senior management are able to monitor and manage these risks on an ongoing basis. The supervisor also determines that the bank’s policies and processes require the undertaking of any major activities of this nature to be approved by their Board or a specific committee of the Board. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
EBA Guidelines on product oversight and governance arrangements (POG) for retail banking product, EBA GL 2015/18, banks are required to have an approval process in place for new products and material modifications to existing products. The risk management department of a financial undertaking should analyze and control the risk inherent in new products and exceptional transactions. The financial undertakings should ensure that product oversight and governance arrangements are an integral part of its governance, risk management and internal control framework as referred to in EBA Guidelines on internal governance under Directive 2013/36/EU, EBA/GL/2021/05, where applicable. D-SIBs have developed processes for launching new products. As part of CBI/FSA’s SREP process is to review banks’ business plans annually and comments on the banks’ processes when appropriate. Further, on occasion, an on-site inspection is carried out to assess bank’s processes on new products, of which assessors reviewed one example. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The supervisor determines that banks have risk management functions covering all material risks with sufficient resources, independence, authority and access to the banks’ Boards to perform their duties effectively. The supervisor determines that their duties are clearly segregated from risk-taking functions in the bank and that they report on risk exposures directly to the Board and senior management. The supervisor also determines that the risk management function is subject to regular review by the internal audit function. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
Article 77 of Act No. 161/2002 requires banks to have at all times secure risk management systems in place for all activities and regularly assess internal processes for measuring and controlling all types of risks with regard to the nature, scope, and diversity of operations. CBI/FSA has issued Guidelines EBA 05/2021 on internal governance under Directive 2013/36/EU where requirements regarding segregation of functions within the bank are outlined and required. CBI/FSA requires banks’ risks control functions and risk-taking functions to be clearly segregated. In some instances, on-site inspections have resulted in CBI requiring stricter segregation of risk control and of risk-taking functions. Further, an inspection at one of the D-SIBs was completed in July 2021 which examined the bank’s risk management structure, roles, responsibilities and scope of risk management related to credit risk and the role of the board and the risk committee in managing it. CBI/FSA also looked at the bank’s risk culture and whether it was conducive to making well-informed and professional decisions. Assessors are of the view that this type of inspection should be carried out on all D-SIBs, during the risk based supervisory cycle. Throughout the SREP process, and at least annually, CBI/FSA receives and analyzes offsite, detailed information on the D-SIBs risk management and corporate governance, such as the role and tasks of the risk management and risk management committees. In addition, the IA functions of banks undertake reviews regarding bank’s risk management divisions. CBI assesses the frequency of IA bank reviews in general and receives an annual report of all IA reviews undertaken and if relevant, CBI/FSA will request/review a copy of such report. Although certain aspects of bank’s risk management functions are assessed by CBI/FSA corporate governance expert and financial supervisors in its off-site capacity, and certain aspects of bank’s risk management practices have been reviewed by on-site examiners (e.g. only one D-SIB, which included the review of 1st and 2nd line of defense, etc.), assessors recommend that CBI/FSA re-assess its approach to assessing the adequacy of bank’s risk management function to assess whether these functions are adequately staffed, have required independence, direct access to the BOD, duties are clearly segregated (an assessment of each D-SIB). Assessors are of the view that CBI/FSA should undertake a more comprehensive and frequent review of the bank’s risk management function (as outlined earlier) to ensure bank’s risk management functions are covering all material risks with sufficient resources, independence, authority and access to the banks’ BODs and that IA is “required” to regularly review the risk management function. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC10 |
The supervisor requires larger and more complex banks to have a dedicated risk management unit overseen by a Chief Risk Officer (CRO) or equivalent function. If the CRO of a bank is removed from his/her position for any reason, this should be done with the prior approval of the Board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC10 |
Article 77 (g) of Act No. 161/2002 requires that the head of risk management will neither be dismissed, nor be transferred to work except with the approval of the board. CBI is notified if the CRO is removed from his/her position and calls the person for an interview to further discuss the reasons for the removal. Article 77 (b) of the same Act states that if the head of risk management terminates employment, it shall be notified to the FSA. The head of risk management will not be dismissed or transferred without the approval of the board. There is no requirement in the legislation or procedures that the dismissal of the CRO be disclosed publicly. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC11 |
The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book and operational risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC11 |
See CP1 EC 4, as well the discussion in each of the CPs pertaining to a) CBI/FSA’s adoption of the EU regulations, directives, guidelines into Icelandic law and b) the need for additional standards to be implemented related to certain of these risk areas (e.g., credit risk and operational risk). Although certain national standards currently exist, they do not necessarily address the updated EU requirements. A list of CBI guidelines are as follows:
Part of CBI/FSA’s SREP process is to evaluate the banks’ risk assessment and practices. In each on-site inspection, CBI assesses the banks’ practices where appropriate if deemed part of the thematic review. For example, in recent years CBI has reviewed the banks’ liquidity contingency plans, assessed the loan valuation processes for certain products (albeit very small sample), the quality of the risk reporting, and the certain aspects of the processes of operational risk assessment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC12 |
The supervisor requires banks to have appropriate contingency arrangements, as an integral part of their risk management process, to address risks that may materialize and actions to be taken in stress conditions (including those that will pose a serious risk to their viability). If warranted by its risk profile and systemic importance, the contingency arrangements include robust and credible recovery plans that take into account the specific circumstances of the bank. The supervisor, working with resolution authorities as appropriate, assesses the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC12 |
Article 88 of Act No. 161/2002 sets out requirements for Recovery Plans and Article78(g) requires banks to have, and annually test, Business Continuity Plans (BCP) in place. CBI/FSA reviews the BCPs of D-SIBs annually and will make comments/suggestions for improvements when needed. Further, CBI/FSA Rule No. 266/2017 Article 5 on the liquidity ratio of credit institutions also have requirements for banks regarding contingency arrangements should the credit institution’s liquidity ratio falls below the minimum requirements. Further CBI Guidelines No. 2/2010 on liquidity risk stipulate requirements concerning BCP should liquidity issues arise. D-SIBs first submitted recovery plans to CBI/FSA in December 2018, further to Directive 2014/59/EU) entitled The Bank Recovery and Resolution Directive (BRRD) which was enacted in Iceland on 6 June 2018 (Act No. 54/2018, amended Act No. 161/2002 accordingly). The BRRD is designed to provide authorities with a set of tools to intervene sufficiently early and quickly in an unsound or failing relevant entity and provide measures to be taken by the Bank for the Group to restore its financial position following a significant deterioration of its financial situation. Other applicable laws and regulations regarding Recovery plans for banks:
The Recovery plans of the D-SIBs, approved by bank BOD, have been reviewed four times 2018, 2019, 2020 and 2021. CBI/FSA has noted bank’s improvement in the quality of plans since 2018. Along with the Recovery Plan, the Bank’s Contingency Plans for Liquidity Shortage is integrated into the Bank’s BCP, as well as other contingency plans (such as IT Incident response plan and IT Cyber-attack response plan). Part of CBI/FSA’s SREP process is evaluating the strength of banks’ contingency arrangement, both regarding capital and liquidity position. The financial supervisors assess the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified. Assessors reviewed one such example as part of the BCP assessment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC13 |
The supervisor requires banks to have forward-looking stress testing programs, commensurate with their risk profile and systemic importance, as an integral part of their risk management process. The supervisor regularly assesses a bank’s stress testing program and determines that it captures material sources of risk and adopts plausible adverse scenarios. The supervisor also determines that the bank integrates the results into its decision-making, risk management processes (including contingency arrangements) and the assessment of its capital and liquidity levels. Where appropriate, the scope of the supervisor’s assessment includes the extent to which the stress testing programme:
The supervisor requires corrective action if material deficiencies are identified in a bank’s stress testing program or if the results of stress tests are not adequately taken into consideration in the bank’s decision-making process |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC13 |
Article 77 of Act No. 161/2002 requires banks to perform stress tests regularly, both for capital and liquidity positions. These stress tests form part of the banks’ risk management process and includes risk identification, on a bank-wide basis, including a system-wide interaction between the risks. Further, guidelines regarding supervisory review of stress testing include:
CBI/FSA’s annual SREP process for D-SIBs includes an evaluation of banks’ stress testing programs which includes a deep assessment of bank’s ICAAP and ILAAP. Further, bank’s stress testing assumptions embedded in the recovery plans are also assessed once a year. Financial supervisors regularly push back on bank’s assumptions/scenarios regarding ICAAP and ILAAP stress testing, wherein CBI/FSA may require bank’s Pillar 2 capital assessment to be modified as a result of such assessment (e.g., Pillar 2 capital increased in the form of a corrective measure). ICAAP and ILAAP are approved by the Board and key senior management are involved with the creation of these assessments. CBI/FSA comments on any aspect of the financial position of a D-SIB, or its operations in other respects, which it considers unsound and inconsistent with normal business practices and may also require corrective action within a reasonable time limit. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC14 |
The supervisor assesses whether banks appropriately account for risks (including liquidity impacts) in their internal pricing, performance measurement and new product approval process for all significant business activities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC14 |
CBI/FSA has not published any rules or guidelines specifying requirements regarding internal pricing and performance measurement. Guideline EBA on ICT and security risk management EBA/GL/2019/4 and Guideline EBA on product oversight and governance arrangements for retail banking products EBA/GL/2015/18 does specify requirements on new product approval process. To date, CBI/FSA has not assessed banks internal pricing processes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Additional Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
AC1 |
The supervisor requires banks to have appropriate policies and processes for assessing other material risks not directly addressed in the subsequent Principles, such as reputational and strategic risks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re AC1 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 15 |
Materially Non-Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Although CBI/FSA supervisors review certain aspects of bank’s reporting against limits established in the various risk areas, including reviewing the monthly risk report submitted to the FSA, as well as the review off-site of risk appetite, assessors recommend that CBI/FSA develop an approach that will provide a deeper analysis of whether appropriate limits have been established by banks in line with the bank’s risk appetite, risk profile, capital strength. Assessors noted that CBI/FSA’s on-site inspection program does not include a review of whether bank’s risk management policies and procedures are being adhered to in practice, looking at both bank’s individual business lines and business units. Some aspects of this determination are looked at during thematic on-site reviews, but are limited to the type of credit exposures of focus for such review. This is a key component of the supervisor’s determination regarding the quality and effectiveness of bank’s risk management practices, and especially critical for the D-SIBs. Assessors therefore recommend that CBI/FSA re-assess its overall approach to its assessment of bank’s risk management policies, procedures and practices. Further, Assessors recommend that CBI/FSA determine if risk management practices associated with exceptions to policies have adequate policies and limits in place (senior management/board sign off for established thresholds). CBI/FSA indicated that an assessment of the D-SIBs IT systems has not been undertaken with respect to the adequacy of information for the measurement, assessment and reporting of bank’s size, composition, and quality of risk exposures on both a bank wide basis and across all risk types, products, and counterparties. As a result, CBI/FSA is not in a position to challenge the quality of banks risk management reporting from IT systems (off-site only) regarding information received by the senior management/BOD. Assessors therefore recommend that CBI/FSA carry out on-site inspections with respect to the strength of bank’s risk management information systems, to ensure these systems are accurately measuring, assessing and reporting exposures across all applicable risk areas, especially for the D-SIBs. Further, Assessors note that CBI/FSA does not necessarily undertake a deep assessment of banks’ risk management processes around the use of models, including whether banks perform regular and independent validation and testing of such models. Although certain aspects of bank’s risk management functions are assessed by CBI/FSA corporate governance expert and financial supervisors in its off-site capacity, and certain aspects of bank’s risk management practices have been reviewed by on-site examiners (e.g., one D-SIB, review of 1st and 2nd line of defense, etc.). Assessors are of the view that CBI/FSA should undertake a more comprehensive and frequent review of the bank’s risk management function to ensure bank’s risk management functions are covering all material risks with sufficient resources, independence, authority and access to the banks’ BODs and that IA is “required” to regularly review the risk management function. This type of review should be covered for all D-SIBs at a minimum (not just one D-SIB). In addition, CBI/FSA should include a review of banks internal pricing processes, as part of its risk based supervisory cycle. In addition, Assessors noted that CBI/FSA on-site inspections do not necessarily include a deep examination of whether Senior Management and/or the Board representatives know and understand the limitations of the risk management information that they receive (including risk measurement uncertainties). Although banks are required to notify CBI/FSA of the dismissal of the CRO, there is no requirement in the legislation or procedures that the dismissal of the CRO be disclosed publicly. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 16 |
Capital Adequacy70 The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC 1 |
Laws, regulations or the supervisor require banks to calculate and consistently observe prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action. Laws, regulations or the supervisor define the qualifying components of capital, ensuring that emphasis is given to those elements of capital permanently available to absorb losses on a going concern basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
The CBI/FSA’s prudential requirements for capital adequacy applicable to banks, both on a stand-alone and consolidated basis are aligned with the EU framework. Although the CBI/FSA is of view that it has adopted Basel III capital adequacy requirements, with the transposition of the EU framework into Iceland’s banking legislation, however, there exists some deviations from the Basel standards. The EU rules (Capital Requirement Regulation (CRR)/Capital Requirements Directive (CRD)) are applicable to all credit institutions, regardless of size or systemic importance or whether the jurisdiction has internationally active banks. Please see below an overview of Iceland’s capital adequacy requirements for credit institutions, with reference to the BIS BCBS’s RCAP assessment (which outlined the deviations between the EU rules and the Basel standards regarding capital adequacy), an update to the EU rules (CRR II/CRD V) applicable to Iceland, as well as assessor’s views on the materiality of these deviations/gaps with respect to the specific jurisdiction of Iceland. The CBI/FSA capital rules are outlined in Act No. 161/2002 (Article 1(c), 117 to 117(b) and Chapter X on capital buffers (Articles 83 to 86(c)) (further detail/discussion outlined below). The CBI/FSA formally adopted the EU framework into its legislation in 2016 based on EU Directive (CRD IV) No. 2013/36/EU; EU regulation (CRR) No. 575/2013 is directly applicable and binding in its entirety (contains Pillar 1 and Pillar 3 requirements). However, in H2 2022 (two months prior to the BCP on-site assessment), amendments71 72 to EU regulation No. 575/2013 (CRR II directly applicable) and EU Directive (No. 2013/36/EU) (CRD V73) were transposed into Act No. 161/2002. The EU rules, together with binding Level 2 EBA guidelines (Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) adopted by delegated acts) and Level 3 EBA guidelines which provide guidance and recommendations on how to comply to EU requirements (compliance/intention to comply with Level 3 guidelines is tracked by the EBA). The adoption of the CBI/FSA Rules in 2016 and updated in 2022 harmonized the Icelandic regulatory framework with the current EU capital framework as provided for in the Commission Delegated Regulation (EU) 2015/61. The regulatory framework in the EU pertaining to capital adequacy, which was adopted by Iceland into its legislative framework (as stated above), is not fully compliant with Basel III standards. The EU’s capital framework was subject to a BCBS Regulatory Consistency Assessment Programme (RCAP) regarding the compliance with Basel III capital adequacy standards in 2014.74 The EU framework was found to be overall materially non-compliant.75 One of the main areas of difficulty cited in the RCAP was the IRB approach for credit risk. It is noted that the recent changes and implementation of CRR II and CRD V for the EU framework have not been subject to an updated RCAP, neither has the EU provided an updated selfassessment to previously noted deviations of the Basel capital regulations that would provide a sufficient reference on the materiality of remaining deviations. In general, CBI adheres to the CRR (definition of capital, eligible components of capital -Pillar 1 and Pillar 3 capital requirements of banks). Further, CRD application of Pillar 2 requirements assessed through the CBI/FSA’s SREP process (risks not captured by Pillar 1) is considered by assessors as adequate and consistently utilized by the supervisor (updated annually for D-SIBs). In addition, Icelandic capital buffer requirements for D-SIBs are considered strong given the nature, size and complexity of Icelandic D-SIBs that are not internationally active) resulting in very high levels of Tier 1 and total capital. Further, Iceland has not made use of any of the national discretions available. Finally, Icelandic banks follow the standardized approach for credit, market and operational risk. Although the application of the IRB approach for credit risk (as stated above as one of the most egregious deviations from Basel standards according to the 2014 RCAP) is not applicable/utilized at this time for its three D-SIBs, this issue could prove material in the future. Assessors, however, are of the view that this is not considered a material or relevant deviation from the Basel standards at this point in time for Iceland. Overview of CBI/FSA’s capital requirements: 1°/ Minimum capital for Iceland Rules on minimum capital applicable to banks are set by Act No. 161/2002 at the equivalent amount of EUR 5 million (1 million for smallest savings banks), as mentioned under CP5 EC6. 2°/ Definition of capital (own funds), and elements of capital The CRR establishes the following minimum capital requirements thresholds: Common Equity Tier 1 (CET1) capital 4.5 percent, Tier 1 capital (including additional Tier 1) 6 percent, and total capital (including Tier 2 capital) 8 percent. Part Two of the CRR defines the components of capital following the Basel-based capital tier structure, which reflects varying degrees of loss absorption capacity, and the deduction requirements. It includes CET1 and AT1 in Tier 1 which are loss absorbing on a going concern basis, and Tier 2 which is a gone-concern capital. Same deductions from Tier 1 and Tier 2 apply as in the CRR with no exceptions. Subordinated capital (additional Tier 1 and Tier 2 instruments) should be capable of being fully and permanently written down or converted into Common Equity Tier 1 capital at the point of non-viability of the bank. 3°/ Capital adequacy requirements on credit risk, market risk, and operational risk (Pillar 1) Calculation rules of capital requirements cover credit risk, market risk, and operational risk are defined. The regulatory approach for calculation of capital requirements, including risk-weighted assets (RWA), allows the use of internal models by banks, subject to the validation of CBI, yet banks only use internal models for their internal capital adequacy assessment process (ICAAP), as well as for their internal risk management. CBI has not validated any internal model of a bank to be qualified as a regulatory internal ratings-based (IRB) model aimed at calculating regulatory capital adequacy requirements. Only one request for validation of an IRB model was submitted to CBI for validation many years ago, which was not approved, and no further request of that kind has occurred afterwards. Therefore, banks, including major banks, use standardized methods, as is possible with CRR. 4°/ Additional capital adequacy requirements (Pillar 2), and capital buffers An Internal Capital Adequacy Assessment Process (ICAAP) is requested from banks, based Act No. 161/2002, article 80 (generic provision of paragraph 1), supplemented by CRR regulatory provisions. Banks are encouraged to use internal models for that purpose, although internal models are not formally validated by CBI, however the bank’s outcome may be challenged by CBI. CBI has finalized implementation of it’s SREP in 2020, which includes a formal review process for ICAAP reports and ensuring supervisory dialogue with banks on capital adequacy. These guidelines have been tailored to Iceland and disclosed in English:
Above-mentioned CBI guidelines on SREP and Pillar 2 enables CBI to implement a riskbased and conservative Pillar 2 approach aimed at determining tailored capital adequacy requirements applicable to banks in order to capture specific risks areas that CBI considers as being not sufficiently covered by regular Pillar 1 requirements. CBI identifies such risk areas specific to Iceland (for instance, concentration risk, certain collateralized loans), and consequently uses supervisory databases and benchmarking models for challenging banks’ ICAAP calculations. CBI’s assessment results for each D-SIB have resulted in substantial Pillar 2 additional capital, in addition to Pillar I standardized capital requirements (that is, minimum capital adequacy ratio and capital buffers). The conservative prudential strategy used by CBI for Pillar 2 may have some drawbacks, in the sense that requiring high Pillar 2 additional capital may be considered as a kind of curative supervisory approach, more than a preventive supervisory approach. In other words, ordering substantial quantitative capital buffers under Pillar 2 may somewhat compensate determining specific qualitative expectations for sound risk management aimed at preventing banks from excessive risk-taking policies. Major banks are classified as other systemically important institutions (O-SIIs) or D-SIBs. They must submit an ICAAP report to CBI at least once a year. Non-systemic banks only submit an ICAAP every two to three years, and the systemic risk buffer has been implemented at a slower pace for these smaller banks. CBI typically announces the submission date at least two months in advance, and banks are notified by mail of this. Banks receive feedback from CBI on their ICAAP reports through the SREP, based on CBI guidelines. CBI supervisory processes follows guidance from EBA and BCBS. Although CBI continuously monitors the financial strength and other supervisory information for savings banks, the SREP has been effectively performed in 2021, five years after the previous formal assessment, which is not in line with CBI’s SREP methodology as these small entities are typically assessed on a frequency of 2-3 years (see CP 8 and CP9 for more detail). Based on the SREP, specific Pillar 2 capital requirements are decided and tailored for each bank, usually in the 2-4 percent range for O-SII banks. Pillar 2 decisions are proposed by CBI supervisors, then submitted to an internal CBI risk committee chaired by an independent external expert who may challenge technical assumptions on which Pillar 2 requirements are calculated, then validated by the FMEN. CBI then formally notifies each bank with specific each bank’s total capital adequacy requirements, including Pillar 2 additional capital, which banks may discuss and object to, however CBI does enforce Pillar 2 capital adequacy requirements that are deemed appropriate for each bank, even if banks disagree with CBI’s approach. As stated above, the minimum Pillar 1 capital ratio is set at a minimum 8.0 percent (Common Equity Tier 1 (CET1) capital 4.5 percent, Tier 1 capital (including additional Tier 1) 6 percent, and total capital (including Tier 2 capital) totaling 8 percent. In addition, prudential requirements on capital adequacy include several capital buffers:
Therefore, before any specific additional Pillar 2 capital is assessed, the minimum capital requirement applicable to all major banks is 17.5 percent. CBI has disclosed this requirement: https://www.cb.is/financial-stability/macroprudential-policy/capital-buffers/. CBI has also disclosed additional capital requirements based on the additional Pillar 2 capital assessment applied to each of the three major banks (O-SIIs), as follows:
The capital adequacy requirement has been slightly adjusted by CBI with reductions in the systemic risk and countercyclical capital buffers for foreign exposures, adjusted for each bank (from -0.2 percent to -0.4 percent). In conclusion, total capital adequacy requirements enforced by CBI for major banks (which altogether represent most of the banking sector) are the following:
As at H3 2022, the three O-SIIs’ average capital adequacy ratios were reported above 23 percent, of which CET1 (higher quality capital) was reported above 20 percent - , which is considered quite high. 5°/ Regulatory templates on capital adequacy Banks submit quarterly COREP reports, which they fill out in accordance to Act No. 161/2002. COREP reports show how banks calculate their total minimum capital requirement according to Pillar 1. 6°/ Supervision of capital adequacy Off-site supervisors responsible for each bank review the reports using a prepared checklist. They examine both methods and calculations to verify that ratios are not lower than required. This is done through the COREP report, the financial statements of the banks, and the SREP. On-site inspections performed by CBI have not covered the whole framework of capital adequacy ratio calculation recently. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
At least for internationally active banks,76 the definition of capital, risk coverage, the method of calculation and thresholds for the prescribed requirements are not lower than those established in the applicable Basel standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
See EC1 for details on Basel minimum standards for Pillar 1, applied by Iceland (CRR), including the definition of capital, the manner in which CBI/FSA assesses the risk coverage (SREP process, including additional Pillar 2 requirements and capital buffers), as well as an overview of the calculation of capital requirements. Of note, Iceland has not made use of any national discretions with regard to the capital definition, regulatory and reporting requirements. In addition, as stated in EC1, the BCBS RCAP of 2014, identified several deviations from the Basel standards (see footnote #72) of which the materiality of the IRB credit approach is not yet applicable to Iceland. As stated above the CRR and CRD apply to all institutions, which includes internationally active banks. Iceland’s D-SIBs, which are not internationally active, are considered domestic systemically important in Iceland, but in comparison to other EU banks, the D-SIBs would generally equate to “less significant institutions” within the EU framework. That being said, CBI has treated its D-SIBs as O-SIIs within the context of the EU framework and as defined in the CRR. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor has the power to impose a specific capital charge and/or limits on all material risk exposures, if warranted, including in respect of risks that the supervisor considers not to have been adequately transferred or mitigated through transactions (e.g., securitization transactions)77 entered into by the bank. Both on-balance sheet and off-balance sheet risks are included in the calculation of prescribed capital requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Based on applicable legislation and rules (as described under CP16 EC1), CBI may require quantitative and qualitative adjustments considering banks’ risk profiles: (i) higher capital requirements, based on Pillar 2 rules; (ii) improvements of internal processes; (iii) depreciation of assets; (iv) restrictions or limitations of business activities; and (iv) reduction of risks entailed by the business activities of a bank. Act No. 161/2002 stipulates the capital adequacy requirements (CAR) and the method for determining the risk base of banks (risk-weighted exposures) both for on- and off-balance sheet items. The COREP report, based on a uniform report template disclosed by EBA, shows how banks calculate the total minimum capital requirement according to Pillar 1 and include both on-balance sheet and off-balance sheet risks. CBI has the power (and it has used that power) to impose a specific capital limit. A 16 percent CAR ratio requirement was for example imposed on all three O-SIIs in 2009 to create a cushion in the event of future setbacks. This minimum capital requirement expired in 2012. However, capital requirements imposed on the banks through Pillar 2 of the SREP, together with capital buffer requirements, have always exceeded 16 percent since then and now stand at 17.5 percent. CBI imposes additional capital requirements under Pillar 2 relating to risks such as concentration risk, market risk, credit risk and operational risk, as well as other risks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The prescribed capital requirements reflect the risk profile and systemic importance of banks78 in the context of the markets and macroeconomic conditions in which they operate and constrain the build-up of leverage in banks and the banking sector. Laws and regulations in a particular jurisdiction may set higher overall capital adequacy standards than the applicable Basel requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
The regulatory framework in place for capital adequacy requirements (as described in CP16 EC1) is conceptually risk-based, considering the tailored risk profile of banks as well as the classification of major banks as systemically important institutions (O-SIIs), and adjustable to capture risk areas that are not embedded in quantitative calculation rules (Pillar 2). CBI has legal power to set higher capital requirements than the minimum for banks having unsatisfactory capital strength with regard to their risk profile and exposures. Such power is implemented periodically, usually through the SREP, but on-site inspections can also result in increasing capital requirements for specific banks, if justified by the inadequacy of provisions and reserves to cover expected losses on exposures. Furthermore, the macroprudential capital buffer (CCyB) is used to cover systemic risks that apply to the banking sector as a whole. Without exception, CBI has increased the capital requirements through Pillar 2 for O-SIIs for the past 10 years. This has been due to wrong classification of exposures as well as inappropriate application of the correct methodology to calculate the capital requirement for certain exposures or risk classes. This has mainly resulted from credit and concentration risks, but also market risk. CBI considers that relatively high capital requirements currently applied to banks in Iceland, which are among the highest in Europe, take into account the degree of uncertainty in the Icelandic economy and consequently in the banks’ operating environment. A leverage ratio is implemented in Iceland, based on EU CRD/CRR, on a standalone and consolidated basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Prudential rules on the use of banks’ internal models aimed at calculating capital adequacy requirements are included in applicable regulations, requiring prior approval of CBI after review of banks’ internal models. According to Act No. 161/2002, banks’ internal assessments of risk as inputs to the calculation of regulatory capital are subject to the same rigorous approval process as outlined in EU Directive (CRD IV) 2013/36/EU. Banks must demonstrate annually to CBI that they continue to meet the qualifying standards and validate all their rating systems. Rules also stipulate that banks have to either present a plan for timely return to compliance or demonstrate that the effect of non-compliance is immaterial should they cease to comply with the requirements. CBI has a right to revoke its approval of banks’ internal risk assessment systems. Interpretation of existing regulation relating to using Internal Ratings-Based (IRB) approaches for calculating capital adequacy requirements was clarified during the BCP assessment mission, as outlined below.
All banks in Iceland use the standardized approach of the Basel framework for the calculation of regulatory capital for credit risk and market risk. For operational risk, one O-SII is using the standardized approach, the others are using the indicator-based approach. The implementation of Basel III has not yet impacted the methods used by banks, although some banks are developing internal models and might apply for using them for regulatory calculation of capital requirements in the future. None of the banks in Iceland is using an Internal Ratings-Based (IRB) approach. One O-SII bank did apply to use the F-IRB approach to calculate regulatory capital for a part of its loan portfolio. The application was submitted in the autumn of 2013 but was rejected by the FSA due to the inadequacy of this internal model. However, the three large banks use internal models to calculate their economic capital (ICAAP) in view of setting their own strategy on capital adequacy. If any bank would apply for CBI’s permission to use internal models for the purpose of calculating regulatory capital, such an application would be subject to the same rigorous approval process as outlined in applicable regulations. Each internal model must be approved formally by CBI before it is used for capital calculations. The approval is only granted if banks meet all regulatory criteria. These criteria relate to the use test, governance, and risk management framework, independence of risk management and development of internal models, the adequacy of the rating system, the internal validation process, documentation, data collection, and conservatism of estimates. When approving an internal model to calculate regulatory capital, CBI would attach conditions to the approval to allow for periodic monitoring of the model and assess results of implementation. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor has the power to require banks to adopt a forward-looking approach to capital management (including the conduct of appropriate stress testing).79 The supervisor has the power to require banks:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Prudential rules are enacted on the stress testing framework that banks must implement in order to assess the resilience and adequacy of their capital to adverse shocks. Act No. 161/2002, article 77(a), stipulates as a general principle that all banks are required to conduct regular stress tests, and to document underlying assumptions and outcomes. Stress test results and subsequent proposed actions for upgrading banks’ capital resilience shall be communicated to banks’ boards at the earliest opportunity. The assessment power of CBI on banks’ stress testing and SREP is laid down in articles 80 and 81 of the Act. The FSA issued Guidelines No. 2/2015 on stress testing, concentration risk, and interest rate risk. Furthermore, 2018 EBA guidelines on stress testing are used, and referenced as follows: https://www.eba.europa.eu/sites/default/documents/files/documents/10180/2282644/2b604bc8-fd08-4b17-ac4a-cdd5e662b802/Guidelines%20on%20institutions%20stress%20testing%20%28EBA-GL-2018-04%29.pdf?retry=1. As part of the ICAAP process, banks are required to perform stress tests using several scenarios, differing in severity. The output from these stress tests is then used in the capital planning part of the ICAAP report. CBI also conducts its own stress test as a part of the SREP, and can use the results from these stress tests to add a capital charge, or capital guidance, for stressed conditions on the banks through Pillar 2 guidance of SREP. In practice, capital adequacy requirements are already quite high, given the substantial additional Pillar 2 capital, so that supervisory stress tests have not resulted in any need of requiring even more capital through Pillar 2 Guidance (P2G). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 16 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Act No. 161/2002 outlines the capital requirements for Icelandic banks with the EU framework (CRD transposed in 2016 and updated in 2022 and the CRR No. 575/2013 which is directly applicable and binding in its entirety). In H2 2022 (two months prior to the BCP on-site assessment), amendments to EU regulation No. 575/2013 (CRR II directly applicable) and EU Directive (No. 2013/36/EU) (CRD V) were transposed into Act No. 161/2002. Although the CBI/FSA is of view that it has adopted Basel III capital adequacy requirements, with the transposition of the EU framework into Iceland’s banking legislation, there are some deviations from the Basel standards. The EU’s capital framework was subject to a BCBS RCAP regarding the compliance with Basel regulations in 2014. The EU framework was found to be overall materially non-compliant. One of the main areas of difficulty cited in the RCAP was the IRB approach for credit risk (rated materially non-compliant). It is noted that the recent changes and implementation of CRR II and CRD V for the EU framework have not been subject to an updated RCAP, neither has the EU provided an updated self-assessment to previously noted deviations of the Basel capital regulations that would provide a sufficient reference on the materiality of remaining deviations. The EU rules are applicable to all credit institutions, regardless of size or systemic importance or whether the jurisdiction has internationally active banks. Further, CRD application of Pillar 2 requirements assessed through the CBI/FSA’s SREP process (risks not captured by Pillar 1) are considered by assessors as strong and consistently utilized by the supervisor (updated annually for D-SIBs). In addition, Icelandic capital buffer requirements for D-SIBs are considered adequate (given the nature, size and complexity of Icelandic D-SIBs that are not internationally active) resulting in very high levels of Tier 1 and total capital. Further, Iceland has not made use of any of the national discretions available. Finally, Icelandic banks follow the standardized approach for credit, market and operational risk. Although the application of the IRB approach for credit risk (as stated above as one of the most egregious deviations from Basel standards according to the 2014 RCAP) is not applicable/utilized at this time for its three D-SIBs, this issue could prove material in the future and should be watched for in future FSAPs. Assessors, however, are of the view that this is not considered a material or relevant deviation from the Basel standards at this point in time for Iceland. CBI requires a high level of capital from banks, as a precautionary supervisory strategy, using accumulated capital buffers and significant Pillar 2 additional capital. Major banks are classified as D-SIBs. In addition to the minimum capital adequacy ratio of 8 percent (Common Equity Tier 1 (CET1) capital 4.5 percent, Tier 1 capital (including additional Tier 1) 6 percent, and total capital (including Tier 2 capital)), they are subject to a capital conservation buffer (2.5 percent), a systemic risk buffer (3 percent), a so-called other systemically important institution (O-SII) buffer (2 percent), a macroprudential countercyclical capital buffer (2 percent), and ad-hoc Pillar 2 additional capital requirements, which are quite significant (from 2.6 to 3.5 percent). Furthermore, a leverage ratio is required, though not impactful on Icelandic banks at this time. For determining Pillar 2 requirements, CBI uses in-house benchmarking models aimed at supplementing Pillar 1 requirements for risk areas that CBI considers as being not enough covered by capital. Banks may discuss CBI’s calculations with banks; however, CBI’s views are usually enforced by CBI on an annual basis through the SREP process. CBI’s methodology and decisions on capital adequacy requirements are publicly disclosed for each major bank for full transparency. In all and average, the capital adequacy ratio of D-SIBs stands above 23 percent, which is quite high and conservative. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 17 |
Credit Risk80 The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk81 (including counterparty credit risk)82 on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require banks to have appropriate credit risk management processes that provide a comprehensive bank-wide view of credit risk exposures. The supervisor determines that the processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, take into account market and macroeconomic conditions and result in prudent standards of credit underwriting, evaluation, administration and monitoring. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Regulated financial institutions apply CRD (Article73) and CRR (Part III, title II) on credit risk as it has been implemented in Iceland (re: Article1(c) of Act No. 161/2002) in addition to relevant Icelandic laws (Act No. 161/2002), relevant technical standards and guidelines are also applicable requirements for banks on credit risk management, and include:
Further, Article77(a) of Act 161/2002 states that financial undertakings shall operate a secure risk management system for all its activities and internal processes to assess the necessary size, composition and internal distribution of the capital base in light of the risks entailed by the business activity at any time. CBI/FSA has established a Supervisory Handbook (CCQ) for financial supervisors and credit risk experts when assessing bank’s credit risk function. The Supervisory Handbook is largely based on the EBA guidelines for SREP and there are two main elements on credit risk assessment: a) regular monitoring where there is a description on how to monitor credit risk every quarter; and b) provides a description on how to do a more comprehensive assessment on inherent credit risk and risk management and control in relation to the SREP process. Assessors noted that the handbook for credit risk assessment does need to be updated to adequately reflect all newly issued EBA guidelines. Over the past five years, CBI/FSA has carried out a number of thematic on-site inspections pertaining to various areas of credit risk (such as evaluating forbearance in accordance with EBA/GL/2017/06, FINREP reporting and stage 3 IFRS 9 (EBA/GL/2018/06). In addition, financial supervisors in the Banking Department, together with the Banking Department credit risk specialists, have undertaken some off-site inspections into various areas of credit risk management on a bi-lateral basis with the D-SIBs they oversee. Most of this work pertains to the review of ICAAP wherein bank’s credit risk exposures are stressed using pertinent macroeconomic factors with a result of making a Pillar 2 assessment. Off-site inspections were also carried out for other areas of credit risk that were a concern to the financial supervisors, such as a review of large borrowers. Given the extent and recent release of the EBA guidance pertaining to credit risk exposures that Icelandic banks (and in particular the D-SIBs) need to comply with, the Assessors are of the view that additional on-site inspections need to be undertaken by the credit experts to determine/assure themselves that bank’s credit underwriting, evaluation, administration and monitoring processes in practice comply with prudent standards that the banks have put in place. Off-site assessment work that CBI/FSA has undertaken would no doubt ensure credit experts as well as financial supervisors would be aware of credit risk policies, however there is a need to ensure these policies are in fact adhered to in practice across all types of credit risk exposures (e.g., not limited to small sample sizes covered during the thematic on-site inspections). Last, given the extent of the EBA guidelines, CBI/FSA should consider putting in place external prudential standards that are tailored to Iceland to ensure banks know and understand all of CBI/FSA’s expectations with respect to credit risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that a bank’s Board approves, and regularly reviews, the credit risk management strategy and significant policies and processes for assuming,83 identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. The supervisor also determines that senior management implements the credit risk strategy approved by the Board and develops the aforementioned policies and processes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
CBI/FSA gains some insight into the Board’s setting and monitoring of credit risk through a) the review of D-SIBs ICAAP/ILAAP, BMA processes submitted and assessed as part of the SREP; and b) through the monthly/quarterly risk report and discussions with senior management on a quarterly basis. Specifically, there is a discussion on the overall risk profile pertaining to credit risk and other risk data that CBI/FSA has access to through prudential reporting. CBI/FSA also carries out thematic on-site inspections related to a bank’s credit risk practices wherein these inspections have provided some assurance that Board approved credit risk policies/procedures are being adhered to by senior management in the areas under the focus for the credit review (see EC3(c) for more detail). In addition, certain of these on-site reviews looked at whether a D-SIB’s credit policy is part of the governing structure of a bank and if it is properly signed by the board and if it is regularly reviewed. As an example, one particular on-site inspection of a D-SIB examined the bank’s protocol (delegation of lending limits) for ensuring that person who signed off on loan agreements, had the proper authority to do so. Also, the risk appetite of the board was reviewed and compared to the underwriting rules of the bank (e.g., extension of loans, etc.) - see EC3(c) for more detail. CBI/FSA requests and reviews the banks’ risk reports and risk dashboards, which are regularly presented to the bank’s BOD and the senior management. Assessors acknowledge that CBI/FSA does gain some in-sight into how bank Boards oversee the credit risk exposures (through the review of quarterly risk reporting that goes from senior management to the Board), however it is recommended that credit experts, on a risk based supervisory cycle, review the strength/quality of bank’s ability to identify, measure, evaluate, monitor, report and control or mitigate credit risk in practice, is line with/complies with not only the bank’s overall credit risk strategy but the credit limits put in place and approved by the Board as part of its credit risk appetite. This would include the credit experts having a view across all types of credit risk exposures and not just limited to the thematic credit reviews undertaken in the past five years. This is a critical component of CBI/FSA’s oversight of bank’s credit risk management practices. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Article 77(a) of Act 161/2002 requires financial institutions to operate secure risk management systems. Further, institutions are required to operate a properly controlled credit risk framework with sound policies and processes. Requirements where different issues are addressed are outlined in several EBA guidelines, within the scope of credit risk, which have been adopted in Iceland. Credit risk assessment in SREP, includes a determination of certain aspects of the risk management of credit risk. The supervisors evaluate various elements within risk management and control framework in the SREP process and assign a risk score to each element within the main categories. Main categories covered in SREP assessment are:
Although CBI/FSA utilizes a “thematic approach” for its on-site inspection program focusing on specific topics/areas of concern of the financial supervisors/credit risk experts in the Banking Department, deeper assessments should be undertaken on a per bank basis to ensure CBI/FSA is adequately assessing not only overall credit risk exposures against limits, but ensuring that bank’s credit risk management policies and procedures are being adhered to in practice. These credit risk assessments can be carried out on a risk basis during the supervisory cycle (e.g., spread out the reviews that will result in better supervisory coverage of credit risk) which is considered given that credit risk is considered one of the most material risks for Icelandic banks. Assessors noted that certain aspects of the requirements listed in this EC were covered by CBI/FSA on-site examinations or off-site inspections over the last several years, however, several critical areas need further or deeper assessment. For example, CBI/FSA is not fully determining for example, bank’s:
Moreover, CBI/FSA supervisors need to assure themselves that banks (especially D-SIBs) have effectively implemented the EBA guidelines (given the recent publication for loan origination and monitoring). This can be accomplished on a risk basis supervisory cycle. CBI/FSA financial supervisors as well as the credit risk experts within CBI/FSA need additional training on the latest requirements. Not because these individuals do not have deep knowledge and expertise, but to afford them an opportunity (e.g., the time) to get across these recent guidelines so that they are on par with the bank’s knowledge. Further, the Supervisory Handbook should be updated to reflect recently released guidelines. It is noted that one on-site credit expert did form part of a working group/task force that examined NPL management, loan origination and monitoring as well as internal governance (e.g., borrower affordability). This credit expert is tasked with training the other credit experts in CBI/FSA. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that banks have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including significant unhedged foreign exchange risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Credit risk assessment in SREP, includes an “off-site” determination of banks’ strategies, policies and processes for all material risks have been integrated into the banks risk management processes and approved by the banks’ Boards assessed as part of the ICAAP. Chapter 5, item 86 of EBA/GL/2020/06 outlines a list of items that a bank should consider when underwriting a loan, among the items listed is “financial position and commitments, including assets pledged and contingent liabilities”. Further, 5.2.9 item 182 of the GL speaks to the need to assess total indebtedness of the client. CBI/FSA has carried out an on-site inspection at one of the D-SIBs in 2021 that included a sample of 5 large borrowers, where inspectors examined the origination of loans and what information the bank collects and uses when deciding on a loan among the information is the total indebtedness. CBI/FSA also focused more broadly on the valuation of loans (a few loans were sampled) where loans were already committed and the inspector replicated the underwriting of the loan to a certain extent, including looking at the overall valuation of the loan, the ability of the borrower to pay which was estimated by looking at the total indebtedness. The authority looks at examples of customers and all relevant information is considered with the annual accounts of the customer, borrowing at the relevant bank, the documents of the bank on originating the loan and value of collateral. Assessors however are of the view that this type of on-site inspection should be carried out using a deeper loan sample across all types of credit exposures at all D-SIBs (at a minimum) as part of a risk based supervisory cycle. The FX lending risk is reviewed in CBI’s credit risk assessment with focus on unhedged borrowers, in accordance with the Supervisory Handbook (CCQ). In the risk evaluation of the SREP process the largest borrowers of FX are listed and evaluated in relation to exposure to FX risk (as part of the “off-site” program. The banks are then evaluated depending on the amount of exposure of FX that is considered unhedged. CBI/FSA expects the banks to prudently address FX lending risk policy. Chapter 5.2, item 108 of EBA/GL/2020/06 stipules what banks need to address with respect to FX lending risk policy. Strict requirements have been implemented regarding FX mortgage loans in Act No. 118/2016 on loans to consumers. Specifically, Article 21 stipulates that foreign exchange mortgage consumer loans to borrowers that do not have sufficient income in the same currency, are prohibited. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
See CP20 EC2 for an overview of legislative references within Act No. 161/2002 on the granting of loans by institutions to a related party. (e.g., Article29, 27 and 55) dealing with conflicts of interest. Article 6 of Rules No. 247/2017 stipulates that transactions with related parties must be on an arm’s length basis and equal to similar transactions with non-related parties. Issues regarding the definition of a related party are addressed in CP20. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor requires that the credit policy prescribes that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital are to be decided by the bank’s Board or senior management. The same applies to credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Banks are required to operate according to Chapter 4.1 and 4.2 of EBA’s Final Report -Guidelines on loan origination and monitoring (EBA/GL/2020/06). The EBA GL states that the management board set the credit risk appetite within the overall risk framework, including credit-granting standards, qualitative statements, quantitative metrics and limits, and escalation thresholds, without business performance biases. The EBA GL states in general that banks should establish thresholds that require management board approval. Chapter 4.2 (paragraph 34) of the GL states that credit risk policies and procedures should specify: policies and procedures and rules for the approval of credit granting and decision- making, including appropriate authorization levels set in accordance with the credit risk appetite and limits. CBI/FSA has conducted an on-site supervision inspection in 2018 on the framework of loan approval within the D-SIBs. The supervision looked at the policy from the board regarding credit activities and the role of the CEO in the credit underwriting process. The setup of loan committees and the approval structure of loans was also under consideration and especially how the rules for each committee were determined. Also, it was investigated what cases were decided by the board or the board loan committee and how exceptions were handled. The banks have limits for the banks loan committee that if loans go past this limit the board loan committee is the deciding party of the loan. This applies to a single loan as well as accumulated loans of a customer. In the bank’s loan committee, there is a party from the CRO that has a veto or the ability to escalate a loan decision to the next level if that party considers that the loan is outside the banks risk appetite or otherwise out of scope. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
According to Article 9, paragraph 1 of Act 87/1998, the parties subject to supervision are obliged to grant the authority access to all their accounts, minutes, documents, and other material in their possession, regarding activities the authority considers necessary. In pursuance of its activities, the authority may perform on-the-spot checks or request information, in such a manner and as often as it deems necessary. The authority has full access to all bank personnel, including management and the Board. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor requires banks to include their credit risk exposures into their stress testing programs for risk management purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
Article77(a), paragraph 2 of Act 161/2002 stipulates that all financial undertakings should perform a stress test on a regular basis and that the board should be presented with the results at the next meeting after the results are ready. Requirements on credit risk exposures and stress testing programs for risk management purposes are outlined in the EBA GL on institution’s stress testing chapter 4.7 page 34 of EBA/GL/2018/04. Further, banks are expected to also follow domestic guidelines No. 2/2015 on stress testing As part of the ICAAP process, banks are required to perform stress tests using several scenarios, differing in severity. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 17 |
Materially Non-Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comment |
Although CBI/FSA utilizes a “thematic approach” for its on-site inspection program focusing on specific topics/areas of concern of the financial supervisors/credit risk experts in the Banking Department, deeper assessments (e.g. extend size of loan sample, across all types of credit exposures, etc.), should be undertaken on a per bank basis (especially for the D-SIBs) to ensure CBI/FSA is adequately assessing not only credit risk exposures against limits, but ensuring that bank’s credit risk management policies and procedures are being adhered to in practice. These credit risk assessments can be carried out on a risk basis during the supervisory cycle (e.g., spread out the reviews that will result in better supervisory coverage of credit risk) to ensure adequate supervisory coverage of credit risk is given it is considered one of the most material risks for Icelandic banks. Assessors noted that certain aspects of the requirements listed in the various ECs were covered by CBI/FSA during the “thematic” on-site examinations or off-site inspections over the last several years, however, several critical areas need further or deeper assessments. For example, CBI/FSA is not fully determining for example, bank’s:
Moreover, CBI/FSA supervisors need to assure themselves that banks (especially D-SIBs) have effectively implemented the recently adopted EBA guidelines (given the recent publication for loan origination and monitoring). CBI/FSA financial supervisors as well as the credit risk experts within CBI/FSA need additional training on the latest requirements. Not because these individuals do not have deep knowledge and expertise, but to afford them an opportunity (e.g., the time) to get across these recent guidelines so that they are on par with the bank’s knowledge. Further, the Supervisory Handbook should be updated to reflect recently released guidelines. Last, given the extent of the EBA guidelines, CBI/FSA should consider putting in place external prudential standards that are tailored to Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 18 |
Problem Assets, Provisions, and Reserves84 The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves.85 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require banks to formulate policies and processes for identifying and managing problem assets. In addition, laws, regulations or the supervisor require regular review by banks of their problem assets (at an individual level or at a portfolio level for assets with homogenous characteristics) and asset classification, provisioning and write-offs. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Commercial banks prepare their accounts in accordance with the IFRS accounting standards which address provisions on impaired loans in their financial accounts. The savings banks have not implemented IFRS9 and therefore are obliged to follow Rules No. 834/2003 on the Annual Accounts of Credit Institutions. Banks and CBI/FSA also rely on the view of the EA with respect to the asset classification, provisioning and write-offs of bank’s loans. CBI/FSA thematic on-site inspections do cover a review of the asset classification, provisioning and write=offs of bank’s loans, but only in the area of the credit exposures being examined as part of the thematic credit review, and not necessarily across all credit exposure types (see CP17 for more detail), as the EA would typically do as part of their annual audit of the bank. Requirements on policies and processes for identifying and accounting for problem assets that banks must comply with, as well as the requirement to undertake periodic reviews, are stipulated in Article 57 and Appendix I of the Rules. Regulated financial institutions apply CRD (implemented through Act No.161/2002) and CRR (implemented directly) as it has been implemented in Iceland in addition to relevant laws (Act No. 161/2002). Article178 of CRR defines default exposures. Relevant technical standards and Guidelines are also applicable as requirements on credit risk management. The Authority has defined sound practices by implementing the EBA
CBI/FS’s Supervisory Handbook provides for internal guidance to supervisors to help determine how to value loans. This guidance is used for on-site inspections (e.g., how to value cash flow and how to value collateral). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines the adequacy of a bank’s policies and processes for grading and classifying its assets and establishing appropriate and robust provisioning levels. The reviews supporting the supervisor’s opinion may be conducted by external experts, with the supervisor reviewing the work of the external experts to determine the adequacy of the bank’s policies and processes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
The commercial banks prepare annual, semi-annual and quarterly financial statements and accordingly review problem assets quarterly in compliance with IFRS. Notes to the annual accounts, as well as the semi-annual accounts, of the commercial banks contain detailed information on the provisioning processes and write-offs of the banks. Further, CBI/FSA regularly review the overall financial statements of the banks and performs a comparison analysis between the banks. CBI/FSA collects quarterly reports from all financial undertakings on the status of loans in default where all loans and receivables are classified according to arrears by type of debtor and type of loan. Annual audited financial statements prepared by EA, according to Arts 2, 6, 8, 9, and 13 of Rules No. 532/2003 on the Audit of Financial Undertakings, describe the methods used for the provisioning of the bank and, if deemed necessary by the auditor, as well as provide comments on the bank’s management of credit risk. Further, banks are required to comply with EBA guideline on non-performing and forborne assets (EBA/GL/2018/063) and CBI/FSA conducted a thematic review of D-SIBs to ensure that banks were in fact complying with these guidelines. On-site inspections regarding non-performing loans and forbearance was conducted for the D-SIBs in 2021. The first part of the inspection focused on the adoption of the EBA guidelines (chapter 6 forbearance and 7 NPE recognition) and annex 5 (chapter 17 nonperforming exposures and Chapter 18 forborne exposures) of the Commission Implementing Regulation (EU) 2021/451 (implemented with rules 1163/2022) that covers the management of non-performing and forborne assets. The second part focused on the methods of the banks classifying forborne exposures. This type of on-site inspection is not necessarily typical for CBI/FSA as this thematic review was deemed timing given the adoption of the EBA guideline. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures.86 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
The D-SIBs financial accounts are IFRS compliant, including the classification of problem assets and provisioning take into consideration off-balance sheet exposures and information regarding off-balance sheet exposures are reported in FINREP. Furthermore, Rules No. 834/2003, applicable to savings banks, require off-balance sheet items to be taken into account when provisioning for problem assets, cf. Annex I of the Rules. CBI/FSA review commercial bank’s credit classification systems through the audited financial statements with confirm both on-balance sheet and off-balance sheet exposures. Further, notes to the annual financial accounts of the commercial banks contain detailed information on off-balance sheet exposures. CBI/FSA conducted an on-site inspection of off-balance sheet exposures at the D-SIBs in 2022, one objective of the inspection was to confirm that the off-balance sheet exposure is correctly reported in FINREP. In the on-site the reporting of the off-balance sheet exposure was checked to see if the banks reported under the appropriate conversion factor. Off-balance sheet exposure of the banks has been stable over the last quarters, last quarter it was 13.5 percent of total assets, the fluctuation over several quarters is from roughly 10 percent to 15 percent. At the same time the non-performing off-balance sheet is in the last quarter 0.9 percent of total off-balance sheet exposure. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that banks have appropriate policies and processes to ensure that provisions and write-offs are timely and reflect realistic repayment and recovery expectations, taking into account market and macroeconomic conditions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
CBI/FSA reviews provisioning policies processes and write-offs along with their adequacy through various on-site and off-site inspections at the banks. The commercial banks prepare annual, semi-annual and quarterly financial statements and accordingly review provisions and write-offs in compliance with IFRS, which CBI/FSA regular review. Further, although the authority has through various on-site inspections determined if the banks have the appropriate policies and processes regarding provisions and write-offs. For example, CBI/FSA undertook an on-site inspection regarding non-performing and forborne exposures focused on the policies and processes of the classification of loans in non-performing and forborne status. One aspect was to determine if the banks had adopted the definition and procedures stipulated in the EU GL on non-performing and forborne exposures. Another aspect was to determine if the banks were classifying loans properly and if provisions were made respectfully. Another example included the on-site inspection which was conducted at all the savings banks (2021/2022) focusing on three issues: 1) the credit processes; 2) the impairment process and 3) the book value of the largest exposures. In issue 2, the impairment processes, both the general provision and special provision were examined. The process of how the impairment was decided was examined and in the case of the special provisions the provisions of some customers was challenged. On-site inspectors also focused on the bank’s general provisioning methodology, as well as how conclusions of impairments were derived. See EC1 above (as well as the conclusions for CP 17) for Assessor’s comments regarding the depth of the thematic on-site inspections and the need to undertake more work to ensure bank’s practices are in line with the required provisioning policies and practices across all credit exposures, on a risk basis during the supervisory cycle and not just carrying on one off on-site inspections. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor determines that banks have appropriate policies and processes, and organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations. For portfolios of credit exposures with homogeneous characteristics, the exposures are classified when payments are contractually in arrears for a minimum number of days (e.g., 30, 60, 90 days). The supervisor tests banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (e.g., rescheduling, refinancing or reclassification of loans). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
The authority, in both its off-site and on-site inspections, reviews the internal rules and procedures regarding problem loans, impairment, collection of past due loans and reviews the banks resources regarding this domain. IFRS requires the banks to classify loans in arrears after 30, 60, 90 days, and older. Savings banks are also required to classify loans in arrears, with the requirement to book specific provisions at 90 days, as well as well as the requirement to maintain a general provision. Further, savings banks must also adhere to standards for the extension or renegotiation of loans87, this manner (see Appendix I, Rule No. 834/2003). During the three on-site inspections conducted at the D-SIBs over the past three years, CBI/FSA focused on whether: a) banks followed the accounting standard regarding classification of loans in compliance with IFRS 9; b) forborne loans were being classified adequately; and c) the valuation of loans where the classification of loans was confirmed if it was in line with standards and guidelines. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor obtains information on a regular basis, and in relevant detail, or has full access to information concerning the classification of assets and provisioning. The supervisor requires banks to have adequate documentation to support their classification and provisioning levels. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
There are several reports that the authority receives regarding information on the classification of assets and provisioning. The main report is FINREP which includes information on classification of loans in stages as well as provisioning. Further, CBI/FSA also collects information from the Loan Portfolio Analysis report (LPA) and from the credit registry which greatly assists financial supervisors with additional information that FINREP does not provide. CBI/FSA financial supervisors also have access data of “days in arrears” however the risk assessment mainly focuses on “stages” of problem loans. Assessors suggest an analysis of both aspects as it will be important to know what credit risk is “moving through the system” (e.g., credit cycle/trends). Last, CBI/FSA has undertaken several on-site examinations on D-SIBs over the past several years, plus undertaken a thematic review for savings banks in 2022, that included a review of whether banks have adequate documentation to support their classification and provisioning levels. The authority has full access to any and all information needed for assessment purposes as per Article 9 of act 87/1998. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor assesses whether the classification of the assets and the provisioning is adequate for prudential purposes. If asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (e.g., if the supervisor considers existing or anticipated deterioration in asset quality to be of concern or if the provisions do not fully reflect losses expected to be incurred), the supervisor has the power to require the bank to adjust its classifications of individual assets, increase its levels of provisioning, reserves or capital and, if necessary, impose other remedial measures. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Art. 107 (a) of Act No. 161/2002 provides CBA/FSA with the power to increase requirements for own funds or decrease assets if through its work the provisions are deemed to be inadequate for prudential purposes. Assessors noted that CBI/FSA has undertaken several thematic reviews regarding loan classification, valuation and to test whether provisioning is adequate. Assessors recommend that on-site examiners undertake a deeper dive into bank’s asset classification practices (replicating the loan file) across a number of different loan types (real estate back loans, personal loans, etc.), assess collateral valuation practices, etc. See CP17 for additional information. In addition, assessors noted that CBI/FSA financial supervisors tend to adjust Pillar 2 capital of bank’s overall capital requirements rather than force a bank to book additional specific provisions, as banks typically argue that they have sufficient collateral or “insurance” and therefore are not required to take this action. From a “legal enforcement” perspective, CBI/FSA is more confident to assess additional Pillar 2 capital on a temporary rather than prescribe additional provisions. Assessors are of the view that CBI/FSA should be insisting on additional provisions with banks when needed instead of utilizing this temporary corrective measure of increasing capital. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor requires banks to have appropriate mechanisms in place for regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. The valuation of collateral reflects the net realizable value, taking into account prevailing market conditions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
CBI/FSA has implemented the guideline on loan origination and monitoring (EBA/GL/2020/06), part of that is regular monitoring of exposures and collateral valuation, includes:
Article 208 of CRR stipulates that there is a procedure for monitoring and valuating immovable property. Further, there have been several on-site inspections on the valuation of D-SIB loans. Part of the valuation process is to valuate collateral and compare to the valuation of the relevant bank. The banks are required to evaluate the collateral regularly and take into account all factors that can affect the valuation. Further, the inspection focused on large loans wherein the banks should be regularly re-evaluating the collateral. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
Laws, regulations or the supervisor establish criteria for assets to be:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
D-SIBs classification systems and provisioning must be compliant with IFRS9, CRR and CRD requirements. Guidelines on management of non-performing and forborne assets (EBA/GL/2018/06) are also in place. Article47(a) paragraph 3 of CRR defines non-performing exposures and paragraph 6 when exposures can be reclassified as performing. In paragraph 3 of Article47(a) of CRR the nonperforming exposures is defined and for the purposes of point (m) of Article36(1)88, the following exposures shall be classified as non-performing: (a) an exposure in respect of which a default is considered to have occurred in accordance with Article 17889; (b) an exposure which is considered to be impaired in accordance with the applicable accounting framework; (c) an exposure under probation pursuant to paragraph 7, where additional forbearance measures are granted or where the exposure becomes more than 30 days past due; (d) an exposure in the form of a commitment that, were it drawn down or otherwise used, would likely not be paid back in full without realization of collateral; (e) an exposure in form of a financial guarantee that is likely to be called by the guaranteed party, including where the underlying guaranteed exposure meets the criteria to be considered as non-performing. For the purposes of point (a), where an institution has on-balance-sheet exposures to an obligor that are past due by more than 90 days and that represent more than 20 percent of all on-balance-sheet exposures to that obligor, all on- and off-balance-sheet exposures to that obligor shall be considered to be non-performing. In paragraph 6 of art. 47a of CRR the reclassification into performing is defined, nonperforming exposures subject to forbearance measures shall cease to be classified as non-performing for the purposes of point (m) of Article 36(1) where all the following conditions are met:
In 2021 CBI/FSA started a thematic on-site inspection of the savings banks that focused among other things on the impairment process (see EC 4). On-site inspections in the D-SIB in 2021 focused on whether the banks were classifying loans timely and appropriately in forbearance status or non-performing status. The method used was to examine the governance, the procedure and the strategy of the banks in this regard. One on-site inspection for a D-SIB in 2020 focused on the reclassification of loans back to preforming status. There were examples of loans examined and the process of reclassification was traced back in history with the borrower and reviewed to examine whether the bank had adequately followed the reclassification rules (chapter 7.3.3. in GL on management of non-performing and forborne exposures (EBA/GL/2018/06)). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC10 |
The supervisor determines that the bank’s Board obtains timely and appropriate information on the condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets. The information includes, at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC10 |
CBI/FSA requires bank Boards and senior management to review the bank’s asset portfolio, including the classification of assets and level of provisioning. CBI/FSA has directed banks’ Board’s to receive risk reporting from the various business units, covering risk areas against Board approved risk appetite and established risk limits. CBI/FSA regularly receives and reviews these risk reports from the bank which help the financial supervisors with their own quarterly risk assessment of the D-SIBs. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC11 |
The supervisor requires that valuation, classification and provisioning, at least for significant exposures, are conducted on an individual item basis. For this purpose, supervisors require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC11 |
The authority has implemented guidelines on loan origination and monitoring. Also, Article208 in CRR outlines requirements involving exposures with collateral in immovable property where there is a threshold for valuation of collateral dependent on the amount of the exposure. During its last thematic on-site credit review of D-SIBs large borrowers undertaken in the last several years, CBI/FSA has ensured that bank’s large exposures, large loans in general and especially significant exposures classified as stage 3 are individually assessed and provided for. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC12 |
The supervisor regularly assesses any trends and concentrations in risk and risk build-up across the banking sector in relation to banks’ problem assets and takes into account any observed concentration in the risk mitigation strategies adopted by banks and the potential effect on the efficacy of the mitigant in reducing loss. The supervisor considers the adequacy of provisions and reserves at the bank and banking system level in the light of this assessment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC12 |
The authority regularly monitors trend and concentrations in risk across the banking sector in relation to banks problem assets. The results of this assessment on credit risk and potential concentrations is reflected in CBI’s semi-annual financial stability report that is published. The FSR speaks to various factors regarding the macroeconomic conditions, overall indebtedness, asset quality, loan to values (with the various real estate backed loans, etc. Further, CBI has put in place certain policy measures to help manage/mitigate the buildup of risk in the banking sector (e.g., setting debt to equity and loan to value requirements for household lending). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 18 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Assessors note that to a certain extent, CBI/FSA financial supervisors rely on the work of the EA with respect to the adequacy of bank’s asset classification, valuation and provisioning practices. However, Assessors also noted that CBI/FSA has undertaken several thematic reviews regarding loan classification, valuation and to test whether provisioning is adequate. Assessors recommend that on-site examiners undertake a deeper dive into bank’s asset classification practices (replicating the loan file) across a number of different loan types (real estate back loans, personal loans, etc.), assess collateral valuation practices, etc. This recommendation is in line with CP17 observations on the depth and breadth of the thematic on-site credit inspection program. In addition, assessors noted that CBI/FSA financial supervisors tend to adjust Pillar 2 capital of bank’s overall capital requirements rather than force a bank to book additional specific provisions, as banks typically argue that they have sufficient collateral or “insurance” and therefore are not required to take this action. From a “legal enforcement” perspective, CBI/FSA is more confident to assess additional Pillar 2 capital on a temporary rather than prescribe additional provisions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 19 |
Concentration Risk and Large Exposure Limits The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.90 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require banks to have policies and processes that provide a comprehensive bank-wide view of significant sources of concentration risk.91 Exposures arising from off-balance sheet as well as on-balance sheet items and from contingent liabilities are captured. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Article 77(a) of Act No.161/2002 states that a financial undertaking shall operate secure risk management systems regarding all of its operations. In the same Article, exposures are defined as loans, securities, shares and guarantees granted by the financial undertaking, as well as all other obligations towards the financial undertaking. Article 1(c) of Act No. 161/2002, also states that the capital requirements regulation, described in EU Regulation No. 575/2013 (CRR), is applicable in Iceland, this includes concentration risk and large exposure limits described therein. Article 78(c) of Act No. 161/2002 states that a financial undertaking shall handle and manage concentration risk in relation to their counterparties. The article identifies that a bank should among other things consider group of connected clients92, sector concentration, geographic, industry, or product. Credit risk mitigation should be taken into account as well as large indirect exposures. The financial institution should also especially consider collaterals from a single publisher. This article is based on Article81 of Directive 2013/36/EU (CRD). Articles 387 to 403 (Part four) of the CRR, define large exposures (Article389-392), impose limits (Article395), and define regular reporting (Art. 394). Article 393 requires that institutions have sound administrative and accounting procedures and adequate internal control mechanism for the purpose of identifying, managing, monitoring, reporting, and recording all large exposures. Article 390 defines that exposures include both on and off-balance sheet items. Article 249 in EBA’s Guidelines on loan origination and monitoring (EBA/GL/2020/06) detail that when monitoring credit risk institutions should aggregate the credit risk exposure in various areas to support the identification of credit risk concentrations. The areas that should be considered include sector, transaction purpose, geographical location of borrower and collateral. Article 255 also indicates that the institution should monitor concentration measures. Further, CBI/FSA’s Supervisory Handbook (030 Risk Assessment - Risk management and control indicators), details CBI’s procedure for evaluation of concentration risk management “[...] institutions should have in place effective internal policies, systems and controls to identify, measure, monitor, and control their concentration risk.” Internal rules, guidelines, and practices regarding large exposures, including how the issue of connected parties is dealt with, are reviewed as a part of annual SREP process for D-SIBs as well as during on-site inspections at the banks when this is a focus. Last, the EBA SREP Guideline, Article186 indicates that competent Authorities should pay particular attention to hidden sources of credit concentration risk that can materialize under stressed conditions, when the level of credit risk correlation can increase compared to normal conditions and when additional credit exposures can arise from off-balance sheet items. CBI/FSA SREP methodology also follows this position. CBI/FSA’s requirements for banks regarding concentration risk is spread out between the EU regulations (CRR), EBA guidelines, Act No. 161/2002, Rules on large exposures and financial undertakings (Rule No. 625/2013 still up on CIB/FSA’s website) and its’ SREP framework (e.g., including Annex 1: Supervisory Benchmarks for the Setting of Pillar 2 Additional Own Funds Requirements for Credit and Concentration Risk). Banks would therefore benefit from CBI/FSA releasing its own specific prudential guidelines, even if streamlined with links, so that all banks know and understand clearly CBI’s prudential requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that a bank’s information systems identify and aggregate on a timely basis, and facilitate active management of, exposures creating risk concentrations and large exposure93 to single counterparties or groups of connected counterparties. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Although the CBI/FSA is of view that it has adopted Basel standards regarding large exposures (LEX), with the transposition of the EU framework into Iceland’s banking legislation, however, there now exists some deviations from the Basel standards. In the EU, the LEX requirements were first introduced through Regulation (EU) No 575/2013, and then amended for improved alignment with the Basel LEX framework through Regulation (EU) 2019/876, supplemented by a series of acts adopted by the European Commission and Guidelines issued by the EBA. The amendment to EU LEX requirements was published on 7 June 2019 and became applicable from 28 June 2021. Article 392 of the CRR defines a large exposure as an institution’s exposure to a client or group of connected clients which shall be considered a large exposure where its value is equal to or exceeds 10 percent of its eligible capital (e.g., Tier 1). Where that client is an institution or where a group of connected clients includes one or more institutions, that value shall not exceed 25 percent of the institution’s eligible capital or EUR 150 million, whichever the higher, provided that the sum of exposure values, after taking into account the effect of the credit risk mitigation in accordance with Arts 399 to 403, to all connected clients that are not institutions does not exceed 25 percent of the institution’s eligible capital. Financial undertakings report quarterly to CBI/FSA on large exposure in their COREP reporting. The reporting consists of an overview of large exposures, i.e., commitments between 10 percent-25 percent of equity, as well as a more detailed overview of each large exposure, with exposures to institutions and unregistered institutions. CBI/FSA regularly monitors the developments of large exposures (exposures over 10 percent of equity) of financial undertakings based on the quarterly reports, risk assessment, risk reporting and during on-site inspections. The Banking Department and credit risk specialists delve deep into bank’s assessment of credit concentration risk (e.g., sectoral, geographic, etc.) as well as take into consideration single counterparty or groups of connected counterparties as part of its overall risk assessment of the D-SIB. Article 393 of the CRR states that an institution shall have in place internal control systems where all large exposures and their changes are documented. Article394 stipulates the reporting requirements (available in Annex IX Instructions on large exposures, amounts exempted (column 320 in the reporting template (Article 400 of the CRR) where a competent authority may fully or partially exempt certain exposures from the large exposure limits. CBI/FSA, therefore, allows exemptions according to item a) and b) of the previously mentioned paragraph (Article4 of Regulation No. 789/2022). The EU’s large exposure (LEX) framework was subject to a BCBS Regulatory Consistency Assessment Programme (RCAP) regarding the compliance with Basel LEX standard regulations in 202294. The LEX regulations in the EU are assessed as largely compliant with the Basel LEX standards. The three components of the Basel LEX standard (scope and definitions; minimum requirements and transitional arrangements; and value of exposures) are assessed as compliant, largely compliant and compliant, respectively. The overall grade is driven by a potentially material finding related to the limit applicable to trading book exposures and nine findings that were deemed not material. For trading book exposures, the EU regulations allow for the LEX limit to be exceeded up to 600% of a bank’s Tier 1 capital while the Basel LEX framework sets a 25% limit. If an EU bank does utilize the excess limit, it must report the breach to the national competent authorities and hold additional capital. EU banks assessed a spart of the RCAP were found to have not utilized this 600% of a bank’s Tier 1 capital. This deviation from the Basel framework is not considered material for Icelandic banks as total trading book assets for all Icelandic banks represented approximately 8 percent of total assets as at Q3 2022 with an average 3 year duration. Article 77(a) of Act No. 161/2002 states that a financial undertaking shall operate secure risk management systems regarding all of its operations. Article 17(a) of Act No. 161/2002 states that financial undertakings shall submit to the CBI/FSA’s credit registry information on all debtors owing gross ISK 300 million or more, as a single counterparty or as a group of connected counterparties. The registry is updated each month and reported to CBI. In the past all financial undertakings report exposures over ISK 300 million monthly, however recently, CBI/FSA has received newly requested credit registry data from the banks for all loans with additional detail on collateral. The validity of the data entered into the registry, including an overview of the bank’s IT system to produce this data, is checked as a part of CBI/FSA’s on-site inspections program. In general, CBI/FSA has not carried out in-depth on-site inspections/reviews of bank’s information systems that identify and aggregate risk, management of such exposures. However, the Banking Department together with the credit risk specialists closely monitor bank’s exposures as part of its quarterly risk assessment, risk reporting, discussions with senior management and analysis and assessment of D-SIB’s credit risk concentration exposures/stress testing as part of the ICAAP submissions/discussion. In 2019, CBI/FSA’s on-site inspection team carried out a “thematic review” at all D-SIBs focusing on, among other things, the large exposures (a few large exposures were examined at each D-SIB). See EC3 for more details. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that a bank’s risk management policies and processes establish thresholds for acceptable concentrations of risk, reflecting the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff. The supervisor also determines that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI/FSA’s on-site inspection team undertook a thematic credit review on the valuation of 3-5 large exposures at each D-SIB in 2019 (as outlined above in EC2). The purpose of the reviews was to determine: if bank’s provisioning practices were adequate, for one bank, the inspectors took one exposure that was presented to the bank’s BOD to test whether the internal governance was adequate and whether the BOD’s decisioning was based on adequate data presented, and the last bank had 5 large exposures reviewed for an assessment on whether adequate lending procedures were utilized by the bank. CBI/FSA’s Supervisory Handbook part 030 Risk Assessment-Risk management and controls - Internal control framework details what the supervisor should be determining with respect to adequate limits for concentration risk as well as relevant skills, systems and methodologies for identifying and measuring credit concentration risk, including whether the reporting by banks of concentration risk to management is appropriate. CBI/FSA, through its quarterly monitoring of prudential data, risk assessment and risk reporting to CBI’s senior management, includes an overview and assessment of credit concentration risk and an overview of large exposures, including connected clients (this information obtained through the credit registry). In general, all three D-SIBs have a very few number (less than 5) of large exposures (that is, exposures greater than 10 percent of regulatory capital) to single counterparties or groups of connected counterparties. Assessors recommend that on-site inspections, when carried out on a risk basis, should undertake a thorough review of bank’s policies, procedures and practices regarding credit concentration risk and large exposures to determine if bank BODs are kept adequately informed, that thresholds established by the BOD (risk appetite) are adhered to by senior management of the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
CBI/FSA’s SREP process looks at several facets of credit concentration risk, including indirect risk (other financial institutions and unregulated financial institutions), singlename, sector, geographical, collateral and product (data obtain quarterly from FINREP), specifically:
Each of these credit concentration risks are explicitly discussed with the bank risk specialists during the annual meetings regarding CBI/FSA’s assessment of bank’s ICAAP reports. Further information on credit concentration risk is obtained from the bank’s Pillar 3 reports for more information. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
In respect of credit exposure to single counterparties or groups of connected counterparties, laws or regulations explicitly define, or the supervisor has the power to define, a “group of connected counterparties” to reflect actual risk exposure. The supervisor may exercise discretion in applying this definition on a case-by-case basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
CBI/FSA has adopted the CRR into its legislation. Article 4, paragraph 1, sub-paragraph 49 of the CRR, defines the concept of “a group of connected clients” as:
Also, EBA has published Final Guidelines on connected clients (EBA GL 15/2017) that give a more detailed definition on when two obligors should be connected. By subparagraph a) above, when a control relationship exists between two obligors, there is reverse burden of proof. CBI does not exercise discretion in applying this definition on a case-by-case basis as it expects banks to comply with the EBA Guidelines and the CRR. CBI/FSA monitors the group of connected clients and has in the past reviewed when clients were disconnected by a bank. For example, one D-SIB had classified one connection as no longer being connected. In that case the FSA challenged the bank on its reasoning and the bank accepted the FSA’s views. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
Laws, regulations or the supervisor set prudent and appropriate95 requirements to control and constrain large credit exposures to a single counterparty or a group of connected counterparties. “Exposures” for this purpose include all claims and transactions (including those giving rise to counterparty credit risk exposure), on-balance sheet as well as off-balance sheet. The supervisor determines that senior management monitors these limits and that they are not exceeded on a solo or consolidated basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Article 395 of the CRR stipulates that a financial undertaking may not incur an exposure to a client, or a group of connected clients, exceeding 25 percent of its own funds. Exposures include all claims and transactions, on-balance sheet as well as off-balance sheet, cf. Article 390 of the CRR. Article 393 of the CRR stipulate that the procedure for the evaluation of concentration risk management, “institution [...] shall have adequate internal control mechanism for the purpose of identifying, managing, reporting and recording all large exposures”. CBI/FSA’s Supervisory Handbook - 030 Risk Assessment - Risk management and controls - Risk identification, measurement, management, monitoring and reporting. Measurement and monitoring of concentration risk limits is considered as part of regular monitoring and the SREP process. The banks have internal risk dashboards (risk reports) which include the legal limits on concentration risk, and generally, also their own internal limits. These risk dashboards goes to the senior management and BOD monthly. These dashboards generally include figures or tables, summarizing the risk and compliance of the banks. These always include a list of the large exposures. CBI/FSA receives a copy of these dashboards and incorporates the results into its quarterly risk assessment/risk report if relevant - limits are monitored on a solo and consolidated basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programs for risk management purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
CBI/FSA utilizes EBA GL on institution’s stress testing, as well as guidelines published by the FSA in 2015, entitled Domestic Guidelines no 2/2015 on Stress Testing. Chapter 6.2.2 of EBA GL 2014/13 describes how concentration risk, including significant risk concentrations, should be taken into consideration as part of bank’s stress testing programs for risk management purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Additional Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
AC1 |
In respect of credit exposure to single counterparties or groups of connected counterparties, banks are required to adhere to the following:
Minor deviations from these limits may be acceptable, especially if explicitly temporary or related to very small or specialized banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re AC1 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 19 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Although the CBI/FSA is of view that it has adopted Basel standards regarding large exposures (LEX), with the transposition of the EU framework into Iceland’s banking legislation, there are some deviations from the Basel standards. In the EU, the LEX requirements were first introduced through Regulation (EU) No 575/2013, and then amended for improved alignment with the Basel LEX framework through Regulation (EU) 2019/876, supplemented by a series of acts adopted by the EC and Guidelines issued by the EBA. The amendment to LEX requirements was published on 7 June 2019 and became applicable from 28 June 2021. The EU’s large exposure (LEX) framework was subject to a BCBS Regulatory Consistency Assessment Programme (RCAP) regarding the compliance with Basel LEX standard regulations in 202296. The LEX regulations in the EU are assessed as largely compliant with the Basel LEX standards. For trading book exposures, the EU regulations allow for the LEX limit to be exceeded up to 600% of a bank’s Tier 1 capital while the Basel LEX framework sets a 25% limit. This deviation from the Basel framework is not considered material for Icelandic banks as total trading book assets for all Icelandic banks (e.g., mostly the DSIBs) represented approximately 8 percent of total assets as at Q3 2022 with an average 3 year duration. CBI undertakes considerable assessment off-site of bank’s concentration risk as part of the SREP ICAAP review. However, CBI/FSA should undertake a thorough review of bank’s policies, procedures and practices regarding credit concentration risk and large exposures to determine if bank BODs are kept adequately informed, that thresholds established by the BOD (risk appetite) are adhered to by senior management of the bank and whether bank’s information systems adequately identify and aggregate risk concentrations and large exposures. Further, CBI/FSA needs to ensure that banks have adequate limits in place to monitor and track exposures. Some of bank’s risk reports embed tracking of concentration risk limits but assessing banks risk management processes in practice would provide additional assurance. This type of review should be incorporated into CBI/FSA’s on-site inspection program (especially for the D-SIBs), on a risk basis supervisory cycle. CBI should contemplate issuing guidance on concentration risk to ensure banks know and understand CBI’s expectations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 20 |
Transactions with Related Parties In order to prevent abuses arising in transactions with related parties97 and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties98 on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws or regulations provide, or the supervisor has the power to prescribe, a comprehensive definition of “related parties”. This considers the parties identified in the footnote to the principle. The supervisor may exercise discretion in applying this definition on a case-by-case basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
CBI’s Rule No. 247/2017 on the facilities of a financial undertaking to relational parties Chapter 1 (Sec 2) on Definitions, defines Relational Parties as follows: Related parties according to established accounting principles cf. the Act on Annual Accounts, including directors, managing directors, key employees, those who have qualifying holdings in the Company, their close family members and persons in close contact with the aforementioned parties. Related parties may also include other parties who the FSA assess as having a direct or related interest in the activities of the financial undertaking. Further Article 29(a) (paragraph 2) of Act 161/2002 also outlines additional legislative requirements for banks to comply with related parties (see EC2 below). CBI/FSA’s definition of relational parties needs to be broader not only to include (beyond what was mentioned in the previous paragraph) qualified holdings in the company, but to extend the definition to the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, as per the footnote attached to the overall description of Principle 20 to comply with the Basel Standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
Laws, regulations or the supervisor require that transactions with related parties are not undertaken on more favorable terms (e.g., in credit assessment, tenor, interest rates, fees, amortization schedules, requirement for collateral) than corresponding transactions with non-related counterparties.99 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Article 6 of Rules no. 247/2017 stipulates that transactions with related parties must be on an arm’s length basis and equal to similar transactions with non-related parties. However, Article 29 (a)(paragraph 2) of 161 states that a financial undertaking may not grant a board member, managing director, key employee or party who owns a qualifying holding in it, and close family members or parties closely connected to the aforementioned parties, loans or other credit except against secure collateral. Credit is to be understood as loans, securities assets, holdings, guarantees provided by a financial undertaking, derivative contracts and other obligations towards a financial undertaking or loans to third parties secured by financial instruments issued by one or more parties who have a qualifying holding in it, or their close family members or parties closely connected to them. The total of loans and other credit facilities that may be granted to each person and close family members and persons closely related to them as provided for in the first sentence may not exceed a maximum of ISK 200 million taking into account the restrictions [set in Part 4 of Regulation (EU) no. 575/2013]. Transactions between a financial undertaking and the owners of qualify holdings, board members and immediate family members, or parties closely related to them, shall be subject to the same rules as transactions with ordinarily customers in similar transactions. Further, transactions of managing directors and key employees with the financial undertaking are governed by the second paragraph of Article57 of Act No. 161/2002. The limitation of the first sentence on loans or other credit facilities does not apply to loans to owners of qualifying holdings if the owner of the qualifying holdings is the state or a municipality. A loan or credit facility as provided for in the first sentence does not include deposits owned by another financial undertaking. Although state owned exposures are exempted, financial supervisors track the total state exposures for each D-SIB on a quarterly basis (credit registry report). Given the shareholdings by the state of three the D-SIBs, assessors recommend that CBI/FSA track closely the total outstanding loans to the state and that this information is provided up through to CBI/FSA senior management. As per the Basel definition and highlighted in the footnote attached to Principle 20, related party transactions should include on-balance sheet and off-balance sheet credit exposures and claims, as well as dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction should be interpreted more broadly to incorporate not only transactions that are entered into with related parties but also situations in which an unrelated party (with whom a bank has an existing exposure) subsequently becomes a related party. Assessors are of the view that CBI/FSA’s definition of a related party transaction is not broad enough to encompass the definition described in the previous paragraph. Further, CBI/FSA needs to assure itself that banks’ policies, procedures and procedures reflect this definition adequately. Moreover, CBI needs to reassess the appropriateness of excluding the limitations pertaining to “the state” given the current shareholdings in the some of the D-SIBs. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor requires that transactions with related parties and the write-off of related-party exposures exceeding specified amounts or otherwise posing special risks are subject to prior approval by the bank’s Board. The supervisor requires that Board members with conflicts of interest are excluded from the approval process of granting and managing related party transactions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Financial institutions are obliged to report on transactions with related parties to CBI, and CBI/FSA reviews EA reporting on related party transactions. Related party transactions are reported to CBI/FSA on a semi-annual basis. Article 55 of Act 161 stipulates that the board of directors of a financial undertaking may not involve itself in decisions on individual transactions, unless their scope is substantial in relation to the size of the undertaking. Individual board members must not involve themselves in decisions on individual transactions. More specifically, paragraphs 2 and 3 of Art. 55 state that: Directors of a financial undertaking may not be involved in handling a question if it concerns: 1. dealings with themselves or undertakings where they are directors, hold responsible positions or in other respects have substantial interests at stake, or 2. dealings with competitors of the parties referred to in Point 1. The same shall apply to dealings with parties personally or financially connected to directors. The Act also establishes that “Commercial transactions of board members, and of undertakings where they hold responsible positions, must be placed before the board of the financial undertaking, or the chair of a company’s board, for approval or refusal. The board of a financial undertaking may, however, adopt general rules on handling of such cases, prescribing in advance what business proposals require, or do not require, special discussion by the board before they can be dealt with” Further, Article 57 (paragraph 1) of Act No. 161/2002 stipulates that an agreement by a financial undertaking concerning loans, guarantees, options or similar dealings with board members, a managing director, and close family members, shall be subject to the approval of its board. Any decision to such effect must be recorded and notified to the FSA. Risk management and control requirements are stipulated in article 9 of the Rules, and institutions must clearly document all transactions with related parties, so that they can be monitored. Institutions are obliged to review transactions to related parties at least annually. Assessors noted that Act No. 161/2002 does not explicitly state that the BOD should review related party transactions over a certain threshold nor to be involved in the approvals process for a transaction with risks posed from related parties. Assessors recommend that CBI/FSA put requirements in place to ensure the BOD is involved, when necessary, with specific thresholds of related party transactions as well as certain of these transactions pose a special risk to the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that banks have policies and processes to prevent persons benefiting from the transaction and/or persons related to such a person from being part of the process of granting and managing the transaction. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Article 6 of Rules No. 247/2017 stipulates that transactions with related parties must be on an arm’s length basis and equal to similar transactions with non-related parties. There are no general rules or requirements that persons benefiting from transactions be excluded from granting and managing the transaction, except for board members, as described in EC 3. In supervisory reviews of loan portfolios, when the authority encounters situations where, for instance, a loan officer is involved in a transaction with a related party, a comment is made to the bank to review its internal credit risk policies and processes. Assessors recommend that CBI/FSA require banks to have updated policies and procedures to specifically deal with the granting of related party transactions to ensure that persons related to the party/person from being part of the process of granting and managing the transaction. Assessors further recommend that once CBI/FSA clarifies its prudential requirements (including a broader definition of both a related party and a related party transaction) with respect to related party transactions, that a risk based onsite, or off-site inspection be carried out to confirm bank’s compliance with these requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
Laws or regulations set, or the supervisor has the power to set on a general or case by case basis, limits for exposures to related parties, to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. When limits are set on aggregate exposures to related parties, those are at least as strict as those for single counterparties or groups of connected counterparties. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
The law only sets limits to and requires secure collaterals of related parties, as described in Article 29(a) of Act no. 161/2002 and Rules No. 247/2017. CBI/FSA has the power to reduce exposures or increase capital requirements for exposures that the authority deems insufficiently accounted for from a provisioning perspective. Assessors recommend that CBI/FSA implement the requirement for banks to set limits on aggregate exposures to related parties that are at least as strict as those for single counterparties or groups of connected counterparties. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor determines that banks have policies and processes to identify individual exposures to and transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process. The supervisor determines that exceptions to policies, processes and limits are reported to the appropriate level of the bank’s senior management and, if necessary, to the Board, for timely action. The supervisor also determines that senior management monitors related party transactions on an ongoing basis, and that the Board also provides oversight of these transactions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
CBI expects banks to have policies and processes to identify individual exposure to and transactions with related parties according to Rules No. 247/2017. Risk management and control requirements are stipulated in Article 9 of these same Rules, and institutions must clearly document all transactions with related parties, so that they can be monitored. Institutions are obliged to review transactions to related parties at least annually. Assessors noted that CBI/FSA have not undertaken independent on-site inspections that focus on related party transactions, whether such transactions are regularly reported to senior management and the Board and whether exceptions to such policies, processes and limits are reported and tracked on a timely basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor obtains and reviews information on aggregate exposures to related parties. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
The supervisor obtains and reviews information on aggregate exposures to related parties. Reports on both aggregate exposures and transactions, as well as reports from EAs on transactions with related parties, are sent to CBI semi-annually. The supervisor obtains and reviews information on aggregate exposures to related parties as defined in Rule No. 247/2017. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 20 |
Materially Non-Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
CBI/FSA’s definition of related parties needs to be broader not only to include qualified holdings in the company, but to extend the definition to the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, to comply with the Basel Standards. Further, such definition should not exclude some parties (e.g., state or public entities). Further, CBI/FSA’s definition of a related party transaction is not broad enough to capture related party transactions that include on-balance sheet and off-balance sheet credit exposures and claims, as well as dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs (in line with Basel requirements). In addition, CBI/FSA should require bank Boards to review and approve related party transactions over a certain threshold (specified by the bank Boards) as well as undertaking deeper supervisory reviews to determine if banks’ policies and processes in fact prevent persons from benefiting from such transactions and/or persons related to such a person from being part of the process of granting and managing the transaction. Moreover, CBI/FSA should require banks to set limits on the aggregation of total exposures to related parties and that such limits are at a minimum as strict as those for single counterparties or groups of connected counterparties. Given three of the DSIBs are either state owned or have a significant interest in the bank, it would be appropriate to monitor aggregate exposures to the state for these banks, as these loans are normally exempt. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 21 |
Country and Transfer Risks The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk100 and transfer risk101 in their international lending and investment activities on a timely basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor determines that a bank’s policies and processes give due regard to the identification, measurement, evaluation, monitoring, reporting and control or mitigation of country risk and transfer risk. The supervisor also determines that the processes are consistent with the risk profile, systemic importance and risk appetite of the bank, take into account market and macroeconomic conditions and provide a comprehensive bankwide view of country and transfer risk exposure. Exposures (including, where relevant, intra-group exposures) are identified, monitored and managed on a regional and an individual country basis (in addition to the end-borrower/end-counterparty basis). Banks are required to monitor and evaluate developments in country risk and in transfer risk and apply appropriate countermeasures. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Act No. 161/2002, article 77(a) includes general requirements on risk management policies and frameworks expected from banks which cover all potential risk domains to which banks may be exposed, including country risk and transfer risk. Nevertheless, these risk domains are not explicitly covered by specific provisions in the Act. CBI refers to the EU regulation (CRR) which has been incorporated in Act No. 161/2002, specifically on provisions relating to risk-weighting of sovereign exposures, based on country ratings, for calculating capital adequacy requirements. Yet such legal references are not directly pertaining to country risk nor transfer risk, about which there is no specific binding regulation applicable to banks. CBI mentions that banks’ credit policies and procedures are expected to cover country risk and transfer risk associated with lending and other transactions. But guidelines and supervisory documentation don’t address these risk domains explicitly nor systematically. SREP methodologies pointed out by CBI in that regard (for instance, Annex 1 on supervisory benchmarks for the setting of Pillar 2 additional own funds requirements for credit and concentration risk, Sections 2.8 and 3.3) are not very specific nor relevant to country risk and transfer risk. CBI has not issued rules on prudential country exposure limits nor provisioning on high-risk countries which may increase default risk. CBI rules No. 412/2022 on reporting requirements and limits to exposures in currency derivatives, articles 4 and 5, set limits and reporting requirements on FX/ISK derivatives, which topic is not directly related to country risk nor transfer risk: https://www.stjornartidindi.is/Advert.aspx?RecordID = 50f16bd0-5b12-4d5d-b2cb-11306fcfc1df (in Icelandic only). CBI mentions these rules which state that FX/ISK derivatives transactions of commercial banks against each counterparty shall not have a book value (positive or negative) that is more than 10 percent of capital. Commercial banks shall not have a gross forward currency position that is higher than 50 percent of capital. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that banks’ strategies, policies and processes for the management of country and transfer risks have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Given the unclear regulatory framework on country risk and transfer risk, CBI lacks an explicit supervisory strategy on country risk and transfer risk, aimed at capturing banks’ exposures to such risks and implementing tailored and risk-based supervisory policies, quantitative and qualitative prudential requirements, and monitoring of country risk and transfer risk. CBI indicates that, as with all key risk areas, the methodology for risk assessment of banks, including their risk management and control, is outlined in internal procedures, that is the CCQ quality manual. Credit risk assessment in SREP would include risk management of all exposure types, including country and transfer risk. Yet no evidence of CBI’s off-site supervision and on-site inspection on country risk and transfer risk has been provided. CBI mentions that such risks are not material for Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that banks have information systems, risk management systems and internal control systems that accurately aggregate, monitor and report country exposures on a timely basis; and ensure adherence to established country exposure limits. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
As a consequence of the supervisory strategy described in CP21 EC1, CBI does not effectively assess banks’ IT systems dedicated to country risk and transfer risk, from a risk management perspective. Banks are required to report geographical breakdown of non-domestic exposures in accordance with reporting requirements in European regulation No. 680/2014 (FINREP and COREP). Banks are also required to monthly report detailed information in the credit registry on all loans, securities, and derivatives, for which counterparties are not natural persons. Residency of each counterparty is included in reporting requirements. CBI has disclosed a list of countries that are considered as risky and non-cooperative, from a specific AML/CFT perspective: https://www.fme.is/eftirlit/eftirlit-med-adgerdum-gegn-peningathvaetti-og-fjarmognun-hrydjuverka/ahaettusom-og-osamvinnuthyd-riki/ (in Icelandic only). This list is not used for the supervision of country risk and transfer risk, from a risk management perspective. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
There is supervisory oversight of the setting of appropriate provisions against country risk and transfer risk. There are different international practices that are all acceptable as long as they lead to risk-based results. These include:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
The regulatory and supervisory framework does not explicitly require specific provisioning of exposures to country and transfer risks. CBI expects banks to set sufficient provisioning levels covering all expected losses, including on international exposures, in accordance with applicable accounting standards and EBA guidelines on accounting for expected credit losses. The level of provisions, stage allocation and coverage ratios are regularly reviewed by supervisors to ensure that provisions and reserves are consistent with current expectations of credit losses. CBI has in place analytical tools with historical provision levels, stage allocation, and coverage ratios which can be compared between institutions. The analytical tool for loans to companies, which is based on the credit registry, provides granular information. Supervisors can monitor impairments, IFRS 9 stage allocation, etc., on a borrower level and on a loan-by-loan basis. Since non-domestic loans are mostly granted to companies, supervisors can access information on provisioning levels, etc. regarding foreign borrowers. Yet CBI has not demonstrated a specific monitoring of country risk and transfer risk. Such situation should be assessed in light of CBI’s view that country risk is considered insignificant for banks. Overall bank loans to customers located outside Iceland are less than 5 percent of total loans to customers. The ratio of non-domestic exposures to total exposures, was about 6.2 percent (2.4 percent on USA) at end-June 2022 for commercial banks (source: CBI). Regulated credit institutions other than D-SIBs have very limited exposures abroad. In response to a question on Icelandic banks’ exposure to Russia and allied countries, in the context of the war in Ukraine, CBI answered that banks’ exposures to Russia, Ukraine, and Belarus are almost non-existent, in total around ISK 7 million. Exports to Russia and Ukraine are less than 1.5 percent of total exports, therefore direct impact on credit risk towards export companies is considered quite limited. One of the banks has however lent to a company in the Faroe Islands, up to ISK 1.6 billion. This company has been placed on the bank’s watchlist, due to Russia’s invasion of Ukraine and market uncertainties for fish sales. About 49 percent of the debtor’s revenues come from trading with Russia. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor requires banks to include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
For the purpose of stress testing focusing on country risk and transfer risk, CBI follows EBA guidelines No. GL 2018/04 on institutions’ stress testing, as well as CBI guidelines No. 2/2015 on stress testing. Yet in EBA guidelines, Section 4.7.7 pointed out by CBI is not relating to country risk nor transfer risk. According to Chapter 6 of CBI guidelines, CBI should review whether banks’ stress tests, on a consolidated basis, reflect non-domestic banks activities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor regularly obtains and reviews sufficient information on a timely basis on the country risk and transfer risk of banks. The supervisor also has the power to obtain additional information, as needed (e.g., in crisis situations). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
According to CBI, country risk to foreign borrowers has been limited for recent years. Should risk towards certain countries increase, for example due to economic situations, increased risk for every material risk category would be assessed, as soon as necessary, or when the SREP is performed. CBI has legal power to obtain additional information as needed. In crisis situations, banks must provide CBI with all necessary data that CBI may request to be able to update banks’ resolution plan and assess banks’ assets and liabilities and its possible resolution procedure. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 21 |
Materially Non-compliant. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Though country risk and transfer risk are not identified as significant risk domains to which Icelandic banks are exposed, the applicable legal and regulatory framework applicable to banks relating to prudential requirements on risk management of country risk and transfer risk, as well as supervisory policies and processes implemented by CBI regarding these risk domains, are not clearly structured. Therefore, CBI should clarify prudential requirements and structure a supervisory strategy on country risk and transfer risk, aimed at implementing tailored and risk-based supervisory policies, quantitative and qualitative prudential requirements, and effective monitoring of country risk and transfer risk, though considering proportionality for Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 22 |
Market Risk The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require banks to have appropriate market risk management processes that provide a comprehensive bank-wide view of market risk exposure. The supervisor determines that these processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank; take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity; and clearly articulate the roles and responsibilities for identification, measuring, monitoring and control of market risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Act No. 161/2002, article 77(a) includes general requirements on risk management policies and frameworks expected from banks which cover all potential risk domains to which banks may be exposed, including market risk. In addition, article 78(e) includes specific requirements on risk management of market risk which constitute a legal base for supervision of banks’ market risk management policies and frameworks, from a qualitative risk management perspective, in addition to capital adequacy requirements on market risk which are out of scope of CP22 but relate to CP16 on capital adequacy. According to Act No. 161/2002, banks shall operate secure risk management system for all activities and internal processes. Banks must have in place policies and processes to identify, measure, and manage all significant factors that cause market risk and its effects. Yet legal provisions of Act No. 161/2002 remain quite generic on market risk. For the purpose of regulation and supervision of market risk, with a risk management perspective, CBI refers to more detailed EU legislation and EBA guidelines that are incorporated in Icelandic law, as already described. Such incorporation is made explicit in Act No. 161/2002, notably in article 1 (c), and articles 117 to 117(b). Therefore, banks must adhere to the following EBA guidelines, at least theoretically:
Regarding foreign exchange (FX) risk, CBI has issued rules No. 784/2018, requiring systemically important banks to limit FX positions in each foreign currency up to 10 percent of capital. Their overall FX position is limited to the same percentage of capital, as well as to a fixed maximum amount of ISK 25 billion. For non-systemically important institutions, these FX limits are slightly higher (up to 15 percent). CBI has implemented a specific framework to calculate Pillar 2 capital requirements on market risk, in addition to regular Pillar 1 capital requirements on market risk exposures: https://en.fme.is/media/vidmid-fme/Annex 2.pdf, as mentioned under CP16 EC1. CBI has issued a regulation No.1592 which sets a ceiling to the total capital requirement for market risk-related activities. Total capital requirements for (i) traded-debt instruments, (ii) equities in the trading book, (iii) equities in the banking book, and (iv) loans where the repayment is dependent on the value of equities or bonds, cannot exceed 15 percent of capital. Higher risk exposure would be deemed excessive by CBI which would require banks to lower the risk. According to CBI, no infringements have been observed. CBI has created a handbook for market risk monitoring and assessment. This handbook is for internal use only. A part of the handbook deals with risk management and control aspects, and it develops details on how to assess whether banks comply with applicable regulation and SREP guidelines. The handbook also details how quarterly regular monitoring is performed, as well as the yearly capital requirement assessment. The third part of the handbook details how a risk rating (1 -4) is calculated for market risk. The methodology considers both quantitative and qualitative aspects, as well as macroeconomic conditions, and it is forward-looking. Banks are subject to close off-site supervision, involving thorough technical support of the single risk specialist in charge of market risk within the Banking department. Yet CBI may be exposed to a significant “key-person” risk, as well as to limited capacity to implement effective supervision thoroughly through on-site inspections, as far as banking supervision of market risk is concerned: (i) this risk specialist covers other risk domains and categories of regulated financial institutions; (ii) this risk specialist does not participate to on-site inspections of banks anymore (he was involved in the latest on-site inspections of market risk that were performed in 2018, and he participated to targeted supervisory meetings on market risk with banks until 2019 before the CBI/FSA merged). From BCP assessors’ viewpoint, this potential source of concern about supervisory human resources should be addressed globally, considering overall CBI needs of staffing and expertise for banking supervision, risk-based supervisory priorities, and proportionality. Off-site supervisors review banks’ market risk reports. Benchmarks used by CBI for Pillar 2 evaluation of additional capital requirements look prudent. For example, CBI benchmark for equities in the trading book has resulted in capital requirements in excess of 80 percent of the average position on equities, in some cases. Yet the scope of on-site bank inspections performed by CBI for the last five years has not covered market risk frequently nor comprehensively nor thoroughly. A thematic inspection was performed in 2018 on the management of the trading book. CBI has not developed on-site inspections of global market risk management frameworks in the banking sector. Therefore, the coverage of this risk domain throughout a reasonable multi-year on-site supervisory cycle is inadequate. Market risk is also subject to macroprudential surveillance by the Financial Stability department and the Financial Stability Council when deciding macroprudential measures. Such surveillance has been left out of the scope of the BCP assessment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that bank’s strategies, policies and processes for the management of market risk have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Act No. 161/2002, article 54(a) on the board’s role in risk management, includes a generic requirement applicable to all risk domains about the requested involvement of banks’ boards in risk management. In that regard, the board of directors in each bank shall approve the risk policy, risk appetite, and implementation of risk management, and it shall ensure that internal risk management procedures, risk-taking, risk mitigation, and other risk management-related issues are reviewed at least once a year. The involvement of the board of directors in setting and monitoring the bank’s market risk management framework is partly determined through CBI’s annual SREP process, by reviewing risk reports to the board of directors as well as other available information. The main objective of ICAAP reports, subject to the SREP process, is to ensure that banks’ boards, as well as senior management, understand banks’ market risk profile, and that there is a system in place to assess, quantify, and monitor banks’ market risk exposures. CBI requires that each bank’s board endorse the business plan, the business policy, and the risk policy inherent in the ICAAP report, as well as the whole ICAAP report. CBI off-site supervisors verify that market risk policies are approved by banks’ boards. Several times a year, CBI requests and reviews banks’ risk reports and risk dashboards on market risk that are presented to banks’ boards and senior management. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
By reviewing regulatory reports (COREP, FINREP), as well as other reports (CBI market risk data report, financial statements, internal risk reports to the board, etc.), CBI off-site supervisors remotely assess the quality of banks’ information systems, internal monitoring, and reporting of market risk. Concretely, supervisors discuss major banks’ internal reporting tools and dashboards during their annual SREP, and they review their internal models dedicated to market risk management, yet CBI/FSA has not performed on-site inspections of banks on market risk for long. Therefore, the accuracy and reliability of banks’ IT systems on market risk management have not been verified thoroughly. An overview of banks’ portfolios and risk limits for market risk positions is included in CBI market risk data report, and is discussed with banks, as well as exception tracking. This data report is used by CBI for data integrity checks, as well as for inputting data into VaR models for capital requirement calculations. Major banks use in-house internal models for the purpose of market risk measurement and management. In some cases, banks use VaR or Monte Carlo models for market risk management and/or ICAAP. Based on desk reviews and discussions with banks made during the SREP (but not on on-site inspections), CBI/FSA off-site supervisors analyze banks’ internal market risk management models and may challenge their results. Yet, as mentioned under CP16 EC5, capital adequacy requirements on market risk are not based on IRB models, because major banks have not applied nor been authorized to use such IRB models for regulatory purpose. Whenever a bank introduces a new internal market risk management model or makes changes to existing models, this is reviewed by CBI market risk specialist and discussed in detail with the bank’s model developers. Back-testing and “sanity checks” are a material aspect of such review. As there are only 3 major banks in Iceland, and given that CBI has its own benchmark model on market risk, banks’ model effectiveness and suitability is frequently discussed with banks. As previously mentioned, on-site bank inspections are not regularly conducted by CBI to assess the appropriate implementation of regulations and guidelines on market risk management. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that there are systems and controls to ensure that banks marked-to-market positions are revalued frequently. The supervisor also determines that all transactions are captured on a timely basis and that the valuation process uses consistent and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market prices, internal or industry-accepted models). To the extent that the bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking businesses units. The supervisor requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Banks are required to operate in accordance with EU regulation (CRR), article 105, that sets out provisions on prudent valuation, and regulation (EU) 2016/101 on regulatory technical standards for prudent valuation, article 105 (14). Banks use market price information disclosed by external data providers (Reuters, Bloomberg, and Kodiak). Data are supplied to banks’ front-office and back-office systems and used for end-of-day revaluation of market operations. CBI requires banks to report (CBI market risk data report) all end-of-day positions for equities, traded debt instruments, and derivatives in the trading book. Revaluation rates and end-of-day profit for each instrument re included. Rates mentioned in banks’ reports are then compared with historical end-of-day rates that CBI gets from third party market data vendors. Banks rely on modeling only for rare equity positions in the banking book, as well as for options. Option models rely on third party software, such as Kondor, Murex, and Fenix. Banks’ internal auditors review internal models and report to banks’ boards as well as CBI. CBI reviews all positions in the trading book as well as all equity positions in the banking book with regards to whether the valuation is prudent and liquid. Only listed securities are allowed to be classified in banks’ trading books. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor determines that banks hold appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
As mentioned under CP22 EC4, banks are required to operate according to EU regulatory technical standards on prudent valuation. On a yearly basis, banks evaluate their capital requirements for market risk through the ICAAP, while CBI does the same using its own benchmarks and data from COREP and CBI market risk data reports, which include information on the valuation of each equity in the banking book, as well as daily information on each position in the trading book. The valuation of each less liquid position is reviewed by CBI. Subsequent supervisory dialogue with banks leads to an updated Pillar 2 capital requirement for market risk, which banks may discuss, but must implement in the end of the discussion at CBI’s request. CBI’s data, dashboards, and supervisory tools on banks’ market risk exposures are in Icelandic only. According to CBI, banks’ sources of market risk are primarily of client-driven nature. Most significant sub-categories of market risk are securities-price risk, exchange-rate risk, and interest-rate risk. Credit-valuation-adjustment (CVA) risk is low. Banks mostly trade in equities on the Icelandic stock exchange market (90 percent), and occasionally on European or American stock exchanges. Overall positions in banks’ trading book are rather small. Bonds held by banks are mostly government bonds. Banks do use forward and swap instruments, as well as, in some cases, options on currencies, equities, and bonds. In most cases, banks try to close price risk. CBI has reported that no Icelandic bank owns any kind of crypto asset. According to CBI, capital requirements (Pillar 1 and Pillar 2) on market risk for banks are dispatched among equity risk (51 percent), exchange rate risk (29 percent), interest rate risk (18 percent), and CVA risk (2 percent). Regarding savings and loans institutions, market risk capital requirements only cover exchange rate risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor requires banks to include market risk exposure into their stress testing programs for risk management purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Banks are required to operate in according to EBA guidelines on institutions’ own stress testing framework (EBA/GL/2018/04), which include requirements on stress testing of market risk exposures as part of overall stress testing programs. Furthermore, CBI has issued specific guidelines No. 2/2015 on best practices for stress testing: https://www.fme.is/media/leidbeinanditilmaeli/LT-um-bestu-framkvaemd-vid-alagsprof-til-stjornar.pdf (in Icelandic only). Act No. 161/2002, article 77(a) stipulates that all banks must perform regular stress tests and that banks’ board should be provided with their results and outcome at the next meeting after stress test results are available. Banks are required to maintain internal models aimed at implementing the ICAAP, to measure and monitor market risk. As already mentioned, internal models are not designed for calculating regulatory capital requirements under Pillar 1, and therefore they are not formally validated by CBI for this purpose. Banks’ internal models on market risk are however reviewed and challenged by CBI through off-site supervision. Banks are required to provide extensive documentation as well as stress testing outcomes to support their models. Until such information has been provided, CBI will discount the use of results of banks’ models in their ICAAP reports. Yet no on-site inspection of banks’ internal models nor stress tests on market risk has been implemented by CBI so far to investigate these topics directly and more in depth. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 22 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Off-site supervision of market risk has been carefully implemented in recent years with demonstrated technical expertise, including daily monitoring of major banks’ market risk exposures, as well as reviewing banks’ internal models for market risk management, banks’ stress testing process and outcome, and banks’ overall risk management policies and documentation. Yet global effectiveness of banking supervision of market risk may still be upgraded because CBI has not performed any on-site banking inspection covering the overall market risk management framework of major banks comprehensively nor thoroughly. Though the global risk exposure of the Icelandic banking sector to market risk may be considered as rather low compared to credit risk or operational risk, the coverage of this risk domain throughout a reasonable multi-year on-site supervisory cycle is inadequate. In addition, given that CBI has only one risk specialist of market risk, whose mandate is quite larger than banking supervision only, CBI may be exposed to a significant “keyperson” risk, as well as possibly limited human resources and technical expertise on market risk. Therefore, CBI should develop comprehensive and thorough on-site inspections to directly ensure that major banks’ market risk management frameworks and practices are effectively adequate, not only from a quantitative perspective focused on calculating capital adequacy requirements on market risk, but also from a qualitative perspective aimed at verifying the adequate implementation of market risk management. In addition, the potential source of concern about the adequacy of supervisory human resources on market risk should be addressed globally, considering overall CBI needs of staffing and expertise for banking supervision, risk-based supervisory priorities, and proportionality. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 23 |
Interest Rate Risk in the Banking Book The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk102 in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. This includes policies and processes to identify, measure, evaluate, monitor, report and control or mitigate material sources of interest rate risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the risk appetite, risk profile and systemic importance of the bank, take into account market and macroeconomic conditions, and are regularly reviewed and appropriately adjusted, where necessary, with the bank’s changing risk profile and market developments. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Act No. 161/2002, article 77(a) includes general requirements on risk management policies and frameworks expected from banks which cover all potential risk domains to which banks may be exposed, including interest rate risk in the banking book (IRRBB). In addition, article 78(e) includes specific requirements on risk management of interest rate risk arising from non-trading book transactions, which is equivalent to IRRBB. These principles-based legal provisions enable supervision of banks’ IRRBB management policies and frameworks, from a qualitative risk management perspective. According to Act No. 161/2002, banks shall operate sound risk management systems for all activities and internal processes. Banks must have in place policies and processes to identify, assess, manage, and mitigate risks due to possible interest rate changes that affect both the economic value of capital and net interest income from non-trading book transactions. Yet legal provisions of Act No. 161/2002 remain quite generic on IRRBB. For the purpose of regulation and supervision of IRRBB, from a risk management perspective, CBI refers to more detailed EU legislation and EBA guidelines that are incorporated in Icelandic law, as already described. Such incorporation is made explicit in Act No. 161/2002, notably in article 1 (c), and articles 117 to 117(b). Regarding IRRBB, banks must adhere to EBA guidelines on the technical aspects of the management of IRRBB under the supervisory review process (EBA/GL/2018/02), as well as other relevant guidelines and technical standards under the EBA framework, for risk assessment and management purposes. CBI is currently developing a new IRRBB report and benchmark aligned with the upcoming EBA guidelines on IRRBB issued on the basis of Article 84 (6) of EU Directive 2013/36/EU and the related technical standard. CBI has issued guidelines on supervisory benchmarks for the setting of Pillar 2 additional capital requirements for market risk, including a Section 6.1 specific to IRRBB: https://www.fme.is/media/vidmid-fme/Annex-2-2020.pdf. CBI has created an internal handbook manual for IRRBB monitoring and assessment. This handbook is for internal use of banking supervisors only. Part of the handbook deals with risk management and control aspects and includes details how to assess whether individual financial institutions fully comply with applicable regulation and SREP guidelines. The handbook also details how quarterly regular monitoring is performed by CBI, as well as the yearly assessment of banks’ Pillar 2 additional capital requirement on IRRBB. The third part of the handbook details how SREP risk rating (1-4) is calculated for IRRBB. CBI’s methodology considers both quantitative and qualitive aspects of IRRBB, as well as macro-economic conditions, with a forward-looking approach. According to CBI, interest rate risk has always been significant in Iceland, and more material than market risk, in a context of more or less significant inflation persisting. The relative importance of IRRBB for the Icelandic banking sector has increased since end-2021, given the upsurge of high inflation and successive aggressive hikes of interest rates decided by CBI acting as the authority in charge of monetary policy. Banks are largely exposed to inherent IRRBB, given the size of their loan portfolios, including a mix of (i) loans at interest rates indexed or non-indexed on inflation, and/or (ii) loans at fixed or variable interest rates. Such mix of loan pricing methods has been gradually moving, since before end-2021, due to the change of debtors’ attitude regarding interest-rate categories of housing loans. As highlighted by CBI, most housing loans were traditionally long-term index-linked ISK loans, due to availability of long-term index-linked funding (from the pension funds), and recently many such loans have been converted to normal short-term ISK loans. Since 2021, amounts of loans with fixed interest rates (often, 3-5 years at origination) have increased while amounts of indexed loans with variable interest rates have decreased. As non-indexed interest rates have gone down, those loans have become a more realistic option for households in Iceland to minimize their overall cost of interest, and a record number of homeowners have refinanced from indexed to non-indexed loans. The financial environment has dramatically changed and highlighted IRRBB as a risk domain under increased monitoring. As highlighted by CBI for BCP assessors (typos edited): “When it comes to IRRBB Iceland has a peculiarity; since a large portion of Icelandic bonds, loans and deposits are inflation-linked, an additional inflation-linked-ISK currency has been added to the IRRBB calculation, as well as the normal ISK. Since many of the banks model IRRBB with indexation risk, the latter will be included under this principle”. As for market risk, off-site supervision of IRRBB is quite developed and performed on a regular basis by CBI. This risk domain is mostly handled by a single risk specialist, the same person as mentioned under CP22 EC1, with the same concern about possible “key person” risk and limited staffing at CBI on IRRBB too. CBI’s data, dashboards, and supervisory tools on banks’ IRRBB exposures are in Icelandic only. The impact of the change of housing loan practices on banks’ exposures to IRRBB is monitored by CBI, and subsequent supervisory requirements on IRRBB management are adjusted through the SREP (on a yearly basis for major banks). As CBI has highlighted it for BCP assessors (slight typo edits): “The capital requirement for IRRBB and indexation risk is on average almost twice larger than for market risk. The IRRBB due to FX is most often minimal. When it comes to ISK, assets are mostly corporate loans, and since recently housing loans with relatively short maturity (fixing periods for interest rates), due to lack of long-term ISK funding. Traditionally, most housing loans were long term index-linked ISK, due to availability of long-term index-linked funding. Recently, many of them have been converted to normal short-term ISK loans.” Beyond close off-site supervision of IRRBB by the IRRBB risk specialist within the Banking department, there is unclear material evidence of a supervisory action plan implemented by CBI on major banks aimed at checking that risk management policies and frameworks have been adequately upgraded to manage IRRBB under the current volatile interest rate and inflation environment, beyond calculating Pillar 2 additional capital requirements on IRRBB through the annual SREP performed on major banks. In that regard, no thematic on-site inspection on IRRBB management in the banking sector has been performed by CBI for the last 5 years. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that a bank’s strategy, policies and processes for the management of interest rate risk have been approved, and are regularly reviewed, by the bank’s Board. The supervisor also determines that senior management ensures that the strategy, policies and processes are developed and implemented effectively. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Act No. 161/2002, article 54(a), states that banks’ boards shall approve risk policies, risk appetite, and the implementation of risk management. Banks’ boards must ensure that risk management processes, such as risk taking and risk limitation, are reviewed at least once a year. Article 77(a) requires that banks’ boards be adequately informed of risk topics. CBI assesses the involvement of banks’ boards in setting and monitoring IRRBB management processes through the annual SREP process. The main objective of the ICAAP reports, subject to the SREP, is to ensure that banks’ boards and management understand banks’ risk profile on IRRBB, and that there is a system in place to assess, quantify, and monitor banks’ IRRBB exposures. CBI requires that each bank’s board endorse the business plan, the business policy, and the risk policy inherent to the ICAAP report, as well as the whole ICAAP report. Banks’ risk management and policies for IRRBB are reviewed by CBI in the SREP by reviewing risk reports to the board of directors and other available information. Several times a year, CBI requests and reviews banks’ risk reports and risk dashboards, which are regularly presented to the board of directors and the senior management of banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that banks’ policies and processes establish an appropriate and properly controlled interest rate risk environment including:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI reviews regulatory reports (COREP, FINREP) as well as other reports (CBI IRRBB report, financial statements, internal risk reports to board, etc.) to assess the quality of measurement and information systems, as well as internal monitoring and reporting of IRRBB. The ICAAP report includes information on banks’ IRRBB limits which is reviewed on a yearly basis when the Pillar 2 additional capital requirement for IRRBB is determined by CBI. Supervisors examine and discuss internal reporting tools and dashboards of major banks during their annual SREP. They also review their internal models dedicated to IRRBB management. Yet CBI/FSA has not performed on-site inspections of banks on IRRBB for long. Therefore, the accuracy and reliability of banks’ IT systems on IRRBB management have not been verified thoroughly. On supervisory powers of CBI on IRRBB, Act No. 161/2002, article 81 has been modified in 2022 to upgrade requirements to banks on monitoring IRRBB (streamlined excerpt): “In the review and evaluation, the Financial Supervisory Authority shall check the effect of interest rate risk relating to non-trading book items. The Financial Supervisory Authority shall [...] demand changes in the assumptions for assessing the effect of interest rate changes on the economic value of a financial undertaking’s own funds [...], if a sudden and unexpected change in interest rates results in the economic value of the undertaking’s own funds decreasing by more than 15 percent of Tier 1 capital, according to one of the six shock scenarios of the regulator, or in the net interest income of the undertaking decreasing significantly, according to one of the two shock scenarios of the regulator.” On banks’ internal models on IRRBB, Act No. 161/2002, article 78(f), states that (streamlined excerpt): “The Financial Supervisory Authority may require the undertaking to use the standard method if the undertaking’s internal processes are not adequate. The Financial Supervisory Authority may require that a small and non-complex financial undertaking use the standard method if the simplified standard method does not sufficiently meet the interest rate risk due to the undertaking’s non-trading book transactions.” Off-site supervision of IRRBB includes thorough and interactive desk reviews, as well as regular monitoring, that cover most of items listed in EC3, though supervisory tasks are not segregated based on the same five categories. CBI/FSA is using a rigid framework to evaluate IRRBB and indexation risk under Pillar 2 (disclosed as Annex 2 on supervisory benchmarks). Banks’ internal reports on IRRBB are examined and discussed. Asset/liability classifications and maturity estimations are reviewed, as well as risk measurement systems and risk exposure’s limits. The CBI/FSA’s supervisory handbook includes a specific chapter and to-do tasks on supervision of IRRBB. Regular monitoring is performed quarterly, using a detailed methodology that addresses main aspects of IRRBB, such as repricing risk, yield curve risk, basis risk, and option risk, using key risk indicators as well as qualitative assessment criteria on IRRBB risk management. Based on their analytical work and desk review of banks’ dashboard and other materials, CBI/FSA supervisors discuss with banks’ specialists in charge of IRRBB management to challenge banks’ estimates, mitigation measures, and risk management policies. Supervisory benchmarks and conclusions are discussed during SREP meetings. CBI/FSA has not performed on-site inspections of IRRBB management for years. Therefore, CBI/FSA has not verified the accuracy and reliability of IT systems and risk management framework and practices relating to IRRBB thoroughly, in view of doublechecking the assessment resulting from desk reviews made by off-site supervisors. Whenever a bank introduces a new IRRBB internal model or makes changes to an existing model, it is reviewed by CBI risk-specialist on IRRBB and discussed with model developers within the bank. Back-testing and “sanity checks” are included in the review. As there are only 3 major banks, and CBI has its own supervisory benchmark models for IRRBB, model effectiveness and suitability is frequently discussed with the banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor requires banks to include appropriate scenarios into their stress testing programs to measure their vulnerability to loss under adverse interest rate movements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Banks are required to maintain an internal IRRBB model for ICAAP purposes to measure and monitor IRRBB. The model and any changes to the model is reviewed and criticized by CBI, and the banks are required to provide extensive documentation as well as stress testing to support it. Until such information has been provided, CBI will discount the use of the bank’s model in the ICAAP report. Act No. 161/2002, article 77(a) stipulates that banks must perform regular stress tests and that banks’ boards should be provided with their results and outcome at the next meeting after stress test results are available. Banks are also required to operate according to EBA guidelines on institutions’ internal stress testing (GL 2018/04), which include requirements on stress testing IRRBB exposures in overall stress testing programs. Furthermore, CBI has issued own guidelines No. 2/2015 on best practices for stress testing (in Icelandic only): https://www.fme.is/media/leidbeinanditilmaeli/LT-um-bestu-framkvaemd-vid-alagsprof-til-stjornar.pdf). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 23 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Off-site supervision of interest rate risk in the banking book (IRRBB) has been carefully implemented in recent years with demonstrated technical expertise, including daily monitoring of major banks’ IRRBB exposures, as well as reviewing banks’ internal models for IRRBB management, banks’ stress testing process and outcome, and banks’ overall risk management policies and documentation. Yet global effectiveness of banking supervision of IRRBB may still be upgraded because CBI has not performed any on-site banking inspection covering the overall IRRBB management framework of major banks comprehensively nor thoroughly. Given the materiality of IRRBB for the Icelandic banking sector, the coverage of this risk domain throughout a reasonable multi-year on-site supervisory cycle is inadequate. In addition, given that CBI has only one risk specialist of IRRBB, whose mandate is quite larger than banking supervision only, CBI may be exposed to a significant “key-person” risk, as well as possibly limited human resources and expertise in IRRBB. Therefore, CBI should develop comprehensive and thorough on-site inspections to directly ensure that major banks’ IRRBB management frameworks and practices are effectively adequate, not only from a quantitative perspective focused on calculating Pillar 2 additional capital adequacy requirements on IRRBB, but also from a qualitative perspective aimed at verifying the adequate implementation of IRRBB management. In addition, the potential source of concern about the adequacy of supervisory human resources on IRRBB should be addressed globally, considering overall CBI needs of staffing and expertise for banking supervision, risk-based supervisory priorities, and proportionality. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 24 |
Liquidity Risk The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require banks to consistently observe prescribed liquidity requirements including thresholds by reference to which a bank is subject to supervisory action. At least for internationally active banks, the prescribed requirements are not lower than, and the supervisor uses a range of liquidity monitoring tools no less extensive than, those prescribed in the applicable Basel standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
The CBI/FSA have adopted binding liquidity requirements for credit institutions, including the liquidity coverage ratio (LCR) and the net stable funding ratio (NSFR). Although the CBI/FSA is of view that it has adopted Basel III liquidity requirements in the past, with the transposition of the EU framework into Iceland’s banking legislation, however, there exists some deviations from the Basel standards. The EU rules (CRR/CRD) are applicable to all credit institutions, regardless of size or systemic importance or whether the jurisdiction has internationally active banks. Please see below an overview of Iceland’s liquidity requirements for credit institutions, with reference to the BIS BCBS’s RCAP assessments which outline the deviations between the EU rules and the Basel standards as well as assessor’s views on the materiality of these deviations/gaps with respect to the specific jurisdiction of Iceland. The CBI/FSA Rules on Credit Institutions’ Liquidity Ratios, no. 266/2017, took effect on 31 March 2017 and superseded the previous CBI/FSA Rules, no. 1031/2014. The EU adopted Rules for liquidity requirements in 2017 (EU Directive no. 2013/36 (CRD VI) and EU regulation no. 575/2013 (CRR)). The adoption of the CBI/FSA Rules in 2017 harmonized the Icelandic regulatory framework with the current EU framework as provided for in the Commission Delegated Regulation (EU) 2015/61. According to the CBI, these EU Rules are based on the liquidity criteria in the Basel III standards, however, the regulatory framework in the EU pertaining to liquidity, which was adopted by Iceland into its legislative framework, is not necessarily fully compliant with Basel III standards (LCR and NSFR requirements). The EU’s LCR framework was subject to a BCBS Regulatory Consistency Assessment Programme (RCAP) regarding the compliance with Basel III LCR regulations in 2017103. The EU framework was found to be overall largely compliant with the Basel LCR standard, reflecting the fact that most but not all provisions of the Basel standard were incorporated in the EU LCR framework. The RCAP found one material deviation and four potentially material deviations. The material deviation, which is considered relevant for Iceland, is driven by the EU’s boarder definition for HQLA. The HQLA component grade is driven mainly by one material finding. The EU LCR regulations permit the inclusion of certain financial instruments that do not fulfil the HQLA requirements stipulated in the Basel LCR standard. Specifically, the EU recognizes high-quality covered bonds and assets issued by certain EU credit institutions as Level 1 HQLA. By contrast, the Basel LCR standard have a strict definition of Level 1 HQLA, which are limited mainly to instruments such as central bank reserves and 0% risk-weighted sovereigns. Iceland includes covered bonds in its calculation for HQLA and this deviation from Basel LCR standard is deemed by assessors as relevant, meaning not material at this time but could become more material in the future. As at Q3 2022, total covered bonds for all credit institutions included in the HQLA calculation in Iceland, amounted to 63.2 billion ISK, up from 9.5 billion ISK in 2019, representing an increase from 2.1 percent to 11 percent of total HQLA (of note the remaining amount of HQLA is mainly represented of central bank and government securities - Q3 2022: 571.4 billion ISK). The treatment of certain inflows is also less stringent than under Basel, while the opposite is true for some outflows. The four potentially material deviations are related to HQLA Level 2B: EU covered bonds and asset backed securities, definition of operational deposits, treatment of operational deposits and LCR disclosure. The BCBS disclosure standards is based on daily observations when calculating average LCR values, while in Iceland it is based on the simple average of month-end observations over the 12 months preceding the end of each quarter. The EU’s NSFR framework was subject to a BCBS RCAP review by the BCBS regarding Basel NSFR regulations in July 2022104. The EU framework was found to be overall largely compliant with the Basel NSFR standard, reflecting the fact that three of the four components of the Basel NSFR standard (scope, minimum requirements, and application issues; available stable funding (ASF); and disclosure requirements) were assessed as compliant. The remaining component, required stable funding (RSF), was assessed as largely compliant (which took into consideration the cumulative impact of nine “not material findings”). The EU regulations state that unencumbered covered bonds included in Level 1 HQLA as per the EU LCR framework are subject to a 7% RSF. These covered bonds are subject to a 15% RSF under the Basel NSFR Standard as they are classified as Level 2A HQLA for LCR purposes. Given the RCAP assessment found that the average impact of this deviation on the NSFR across the sample banks assessed at that was 0.04%, with a maximum impact on the NSFR of 0.81% for the most affected bank, the impact of this deviation is not considered relevant for Iceland. While the Basel LCR105 is required to be met in one single currency, in order to better capture potential currency mismatches, banks and supervisors should also monitor the LCR in significant currencies (e.g., if aggregate liabilities denominated in that currency amount to 5% or more of the bank’s total liabilities). As the foreign currency LCR is not a standard but a monitoring tool, it does not have an internationally defined minimum required threshold. This will allow the bank and the supervisor to track potential currency mismatch issues that could arise. Commission Implementing Regulation (EU) 2016/322 of 10 February 2016 amending Implementing Regulation (EU) no 680/2014 laying down implementing technical standards with regard to supervisory reporting of institutions of the liquidity coverage requirement, following Article 415(2) of Regulation (EU) no 575/2013, requires separate reporting of the LCR items denominated in a significant currency to all institutions at an individual and consolidated level and on a monthly basis - which Iceland abides by. The CBI/FSA adopted the net stable funding requirements for individual currencies above a specified threshold, referred to as significant currencies. National options have been implemented by the CBI/FSA regarding LCR ISK and LCR FX combined (see below), however no national options have been exercised for the NSFR. The Rules on Liquidity Ratios are intended to ensure that credit institutions always have sufficient liquid assets to cover foreseeable and conceivable payment obligations over a specified period. Regulation (EU) No: 2019/876 (CRR 2) and Directive (EU) 2019/878 (CRD V) of the European Parliament and of the Council entered into force 27 June 2019, however, the application of the provisions (main rules) began 29 December 2020 (CRD V) and 28 June 2021 (CRR 2). For CRR 2, this specifies that credit institutions must maintain a net stable funding ratio of at least 100% for all currencies combined. The NSFR rules cover a longer horizon than liquidity rules (LCR) and aim to limit maturity mismatches. CBI/FSA ’s liquidity and funding regime is largely based on the following: 1. Quantitative requirements: A mandatory liquidity reporting scheme (monthly) that allows for the calculation of regulatory LCR, with the minimum requirement in LCR ISK (40 percent106), LCR FX (100 percent) and LCR Total (100 percent) is in effect. Also, a mandatory NSFR reporting scheme (quarterly) used for analyzing medium to long term liquidity risk, with minimum requirement of NSFR 100 percent. In addition to these reports, credit institutions shall submit deposit and funding summaries (additional monitoring metrics reports, or AMM) for informational purposes. Banks also provide all the information that CBI/FSA requires in order to better access and analyze the liquidity position of the credit institution concerned or to conduct stress testing. 2. Qualitative requirements: Guidelines No. 2/2010 on Best Practices for Sound Liquidity Risk Management and Supervision, issued by BCBS in 2008, as well as other requirements in Article78(h) Act No. 161/2002 specify rules on Credit Institutions’ Liquidity Ratios and Rules on Credit Institutions’ Minimum Net Stable Funding Ratios. Article 117(b), paragraph 3, of Act No. 161/2002 states that CBI/FSA is authorized to set rules on credit institutions’ minimum or average liquid assets, in ISK and foreign currencies. These rules may prescribe different provisions for different classes of credit institutions. Furthermore, CBI/FSA is authorized to set rules on financial institutions’ minimum stable funding in ISK and foreign currencies, cf. same article. These rules may prescribe different provisions for different classes of credit institutions. The rules cover a longer horizon than liquidity rules and aim to limit maturity mismatches. According to the Rules on LCR and the Rules on NSFR, banks are required to observe the prescribed liquidity and stable funding requirements daily. If the bank, at any time, is below or can be reasonably expected to fall below the minimum requirements of LCR total, LCR FX, LCR ISK, or the NSFR, the bank shall immediately notify CBI and shall submit without undue delay a plan for the timely restoration of compliance with the minimum requirements. Until the LCR or NSFR has been restored to the appropriate level, the credit institution shall report daily by the end of each business date (COB) unless CBI authorizes lower reporting frequency and a longer reporting delay. Banks can be subject to further supervisory actions if compliance is not restored. This includes but not limited to per diem fines until compliance is restored in accordance with Act No. 87/1998. Administrative fines can also be applied by CBI/FSA, e.g., if non-compliance is ongoing, cf. Art. 110, Paragraph 1, item 67, 74 and 75 of Act No. 161/2002. The FSA issued Guidelines No. 2/2010 on “Best Practices for Sound Liquidity Risk Management and Supervision” with reference to Art. 8, paragraph 2, of Act 87/1998. The Guidelines are based on the Basel Committee’s liquidity principles that were published in September 2008. The Guidelines refer to the Basel Committee’s guidance for further clarification. CBI annually performs a comprehensive assessment of banks overall liquidity risk management framework and positions to determine whether a bank delivers an adequate level of resilience to liquidity stress given the bank’s role in the financial system through SREP, cf. Art. 80 of Act No. 161/2002. The SREP approach is consistent with the EBA Guidelines on SREP, relevant EU Directives provisions as transposed into national laws and rules, as well other relevant EBA guidelines and regulatory technical standards, is periodically updated to ensure alignment with the EBA Guidelines on SREP and to reflect new regulations and is applied in a proportionate manner to financial undertakings, considering the nature, scale, and complexity of their activities. (see CP8 for additional details). CBI/FSA has implemented certain thresholds in the monitoring of liquidity and funding risks. The system is on a 1-4 scale, where green level means “business as usual” and red level is “high risk”. When an indicator is at a yellow level CBI reacts immediately and monitors liquidity and funding risks more frequently e.g., a D-SIB would have to submit liquidity reports on a weekly basis or even daily, if the situation calls for that. The financial undertaking in question is also required to submit a plan on how (and what time is takes) to restore liquidity or funding to the green level. After a dialogue with the banks in recent years, the indicators for liquidity and funding (in Contingency Funding Plan and Recovery Plan) are calibrated in a certain way to ensure banks are above the “green level” or business as usual which is (e.g., 20 percent above the minimum requirements). This is to lower the risk that a financial undertaking would breach the minimum requirements, unless (of course) there would be a stressful tail event, either idiosyncratic or a systemic one. Some of the supervisory powers in relation to the SREP are listed in Article107(a) of Act No. 161/2002 and are in line with the supervisory powers listed in CRD IV. According to Article107 (a), paragraph 1, CBI/FSA shall demand that a financial undertaking take the necessary corrective measures in a timely manner if the financial undertaking does not comply with the provisions of this Act as well as the regulations and rules established based on them e.g., imposing specific requirements for maintaining liquidity, including due to maturity mismatch in the financial undertaking’s assets and liabilities. Article 107(c) covers early intervention measures. The FSA can apply early intervention measures if e.g., it is due to worsening financial situation, including deteriorating liquidity and require that the financial undertaking should act according to the recovery plan or update the recovery plan and conduct actions according to the updated plan. (See CP11 for more detail). All banks must adhere to CBI/FSA’s LCR, NSFR and liquidity risk management requirements. However, as per CBI/FSA’s SREP proportionality approach for lower or medium impact banks, financial supervisors monitor quarterly monitoring for liquidity and take the necessary action, as prescribed, should a bank get close to its minimum liquidity requirements. At this time, smaller banks have reported very high liquidity levels. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The prescribed liquidity requirements reflect the liquidity risk profile of banks (including on- and off-balance sheet risks) in the context of the markets and macroeconomic conditions in which they operate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
The liquidity requirements reflect the economic environment in which they operate, mainly in Iceland, and country specific requirements are in place. Liquidity requirements in Iceland include both on and off-balance sheet risks. See EC1 for additional detail regarding the prescribed liquidity requirements that reflect the liquidity risk profile of banks. The Rules on Credit Institutions’ Liquidity Ratios, no. 266/2017, took effect on 31 March 2017 and superseded the previous Rules, no. 1031/2014. National options have been implemented regarding LCR ISK and LCR FX combined due to markets and macroeconomic conditions. In addition to LCR and NSFR reports, credit institutions shall submit deposit and funding summaries (additional monitoring metrics reports, or AMM) for informational purposes. They shall also provide all the information that CBI/FSA requires to better access and analyze the liquidity position of the credit institution concerned or to conduct stress testing. A forward looking NSFR ratio for 3 years is monitored. Qualitative requirements take account of the risk-based approach used in supervision within CBI and proportionality as well, as required in EBA SREP GL. The CBI/FSA issued Guidelines No. 2/2010 on “Best Practices for Sound Liquidity Risk Management and Supervision” with reference to Article 8, paragraph 2, of Act 87/1998. In addition to the LCR, NSFR and country specific requirements already imposed, banks are closely monitored for liquidity trends and individual banks’ liquidity and funding risk is reviewed in the SREP process at least once a year for D-SIBs and less frequently for less significant institutions. CBI/FSA can impose additional capital, liquidity, or funding requirements depending on market and macro-economic conditions. The Governor of CBI is a member of both the FMEN and FSN. When decisions are taken on the adoption of rules of procedure and on entrusting the DG for Financial Supervision with taking non-major decisions and decisions concerning D-SIBs capital, liquidity, and funding, the Governor takes a seat on the FMEN as chair, and the DG for Financial Supervision serves as vice-chair. The DG for Financial Supervision is also a member of the FMEN, and the Director of the Banking Department participates in FSN meetings as an observer. Micro- and macroprudential functions within the CBI coordinate on a regular basis. The supervision of liquidity and funding risk is a shared responsibility of the CBI Macroprudential and Microprudential functions. Data collection and analysis on for example LCR, AMM and NSFR, is the responsibility of the Financial Stability Department. Microprudential function is responsible for SREP of individual institutions, including e.g., analyzing funding plans (3-5 years), financial statements, internal auditors’ reports, Pillar 3 and asset encumbrance levels and there is a working group between the Financial Stability Department and the Banking Department to discuss inherent liquidity risk. The macroprudential analysis and assessments provide an analysis of financial stability threats that can be used for updating the focus of risk-based supervision so that it remains current and forward-looking. The priorities may result in intensifying supervision of specific institutions or groups of entities designated as D-SIBs, or topics for examination across a broader range of entities. Both macroprudential and microprudential supervision have a common objective of mitigating the sources of systemic risk and therefore collaboration is essential. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that banks have a robust liquidity management framework that requires the banks to maintain sufficient liquidity to withstand a range of stress events and includes appropriate policies and processes for managing liquidity risk that have been approved by the banks’ Boards. The supervisor also determines that these policies and processes provide a comprehensive bank-wide view of liquidity risk and are consistent with the banks’ risk profile and systemic importance |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Banks are required to operate a sound risk management system as per Article 17 of Act No. 161/2002 and must address liquidity and funding risk in their operations in accordance with Article 78(h) of the same Act. The board of directors (BOD) and managing director of an institution shall regularly assess the institution’s liquidity and funding needs based on its level of risk. This process is carried out via the ILAAP which is approved by the BOD, results of which D-SIBs report annually. The ILAAPs are used as a basis for the review and assessment pertaining to liquidity and funding risk for the SREP process. For less significant banks ILAAP results are assessed less frequently and based on a categorization (low to high impact (1-4)) of that bank. CBI/FSA’s SREP methodology includes an assessment of risks to liquidity and adequacy of liquidity resources to cover these risks. CBI/FSA’s methodology is based on the EBA SREP GL, which specifically provides guidance on the assessment of liquidity and funding risk pertaining to the follow topics: Title 8. Assessing risks to liquidity and funding
Title 9. SREP liquidity assessment
The specific elements of CBI/FSA’s SREP framework are assessed and scored on a scale of 1 to 4. The outcome of the assessments, both individually and considered as a whole, forms the basis for the overall SREP assessment, which represents the up-to-date supervisory view of the institution’s overall viability. It also forms the basis for supervisory measures and dialogue with the bank. Regular monitoring of key quantitative and qualitative indicators supports the SREP by flagging changes in the bank’s financial conditions and risk profile. Should CBI/FSA discover material liquidity/funding issues, the financial supervisor, together with liquidity experts, have the ability to update the SREP elements where it highlights new material information outside of planned supervisory activities. Most of the staff’s time is allocated to the D-SIBs since they pose the most threat to financial stability and given the concentrated banking system in Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Banks are required to comply with guidelines No. 2/2010, for Sound Liquidity Risk Management and Supervision, issued by the BCBS in 2008. In 2014 and 2018 the FSA required all D-SIBs to do a self-assessment based on all the requirements in the Guidelines No. 2/2010. The banks are also required to comply with EBA Guidelines on ILAAP information collected for SREP purposes, issued in 2016. In 2016 the FSA carried out an on-site of all D-SIBs where the bank’s contingency funding plans (CFPs) were assessed. The observations were twofold: assessment of the structure and content of the CFPs and management response to emergencies and their enforcement of the CFP. This was done by submitting a hypothetical scenario that the banks had to respond within a day. Staff of FSA and CBI was present at the exercise. Both projects were very successful and increased the banks’ awareness of liquidity and funding risks. CBI/FSA regularly makes assessments of a bank’s liquidity and funding risk management frameworks (e.g., overall liquidity risk appetite and liquidity and funding risk management practices), including the monitoring of bank’s liquidity positions through the review of internal reports, prudential reports, and market information to determine whether banks are complying with bank’s liquidity risk appetite (also outlined in the ILAAP) . Through its SREP process when reviewing bank’s ILAAP, CBI/FSA annually conducts a comprehensive assessment of banks overall liquidity and funding risk management framework to determine whether the bank delivers an adequate level of resilience to liquidity stress given the bank’s role in the financial system. The ongoing evaluation of the effectiveness of risk management and control for liquidity and funding risk is mainly focused on specific requirements such as stress tests, governance, monitoring systems, reporting, contingency funding plans and public disclosure. Supervisory manuals on liquidity and funding risk assist financial supervisors with guidance on assess the adequacy of bank’s liquidity and funding risk management. Assessors note that an on-site for liquidity risk is planned for late 2022/beginning of 2023 that will assess D-SIBs liquidity and funding risk management policies and practices, strength of IT systems, adequacy of oversight of the Board/senior management. CBI/FSA’s approach to its assessment to bank’s liquidity and funding risk is fairly seasoned, however it is critical from time to time to assure itself of bank’s day to day operational capabilities (e.g., information systems are accurately identifying, aggregating, monitoring and controlling liquidity and funding exposures); and that Board oversight is effective. Carrying out the planned thematic review for the D-SIBs will help accomplish this. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor requires banks to establish, and regularly review, funding strategies and policies and processes for the ongoing measurement and monitoring of funding requirements and the effective management of funding risk. The policies and processes include consideration of how other risks (e.g., credit, market, operational and reputation risk) may impact the bank’s overall liquidity strategy, and include:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Banks are required to operate a sound risk management system, as per Article 17 of Act No. 161/2002, and must address liquidity and funding risk in their operations in accordance with Article7 (h) of the same Article. Article78(h) states that, a financial undertaking shall develop a methodology to identify, measure, manage and monitor funding sources. The methodology shall consider significant cash flows, current and projected, arising from assets, liabilities, and off-balance sheet items, including contingent liabilities and the potential impact of reputational risk. There is a guidance on funding risk strategy, concentration limits and diversification of funding in the Guidelines, the financial undertakings need to comply with:
Funding strategy, concentration and diversification is monitored monthly within CBI/FSA (e.g., Risk Dashboard) for all banks. CBI/FSA also assesses these issues at least yearly in the SREP dialogue after the D-SIBs submit their ILAAPs; less often for smaller banks. Banks are required to submit monthly prudential reports on LCR, NSFR and AMM, on a consolidated basis and parent of the group as well. The AMM report includes information beyond the 30-day period that is calculated in LCR, as well as information about funding concentration, cost of funding and concentration of liquid assets. Funding risk is evaluated through NSFR reports. In addition, CBI also collects reports on deposit concentrations which credit institutions return to CBI on monthly basis. The main liquidity metrics that are calculated from these reports is LCR ratio, forward looking LCR ratio for the next 3 and 6 months, NSFR ratio and forward looking NSFR ratio for the next 3 years. From the AMM report a survival period for each bank is calculated. There is an “early warning system” in place if a bank’s LCR is less than 120 percent, that bank is required to deliver LCR reports on a weekly basis and explain formally how it is going to resolve the issue. To supplement the prudential reports, market information and other public information is monitored regularly, and internal reports are requested ad hoc if needed (they are part of ILAAP/SREP and dialogues with the banks). At least annually for D-SIBs CBI conducts a comprehensive assessment of overall liquidity and funding risk management framework and whether the bank delivers an adequate level of resilience to liquidity stress give the bank’s role in the financial system. In particular, CBI checks if reports and information within the bank are within best practices as described in the guidelines. During Covid-19 market developments were uncertain and more frequent reporting was requested. At the time (April 2020) all banks were required to submit LCR reports on a weekly basis until the end of 2021. To be able to have a holistic view on liquidity and funding risk, including relevant market information both locally and outside Iceland because of refinancing risk in the foreign exchange market, a risk dashboard is in place and shared at least monthly with the relevant staff within CBI, including top management at CBI. Close collaboration is between the banking division and financial stability division within CBI in monitoring banks’ liquidity and funding position and general conditions in financial markets. The D-SIBs are active in the funding markets in issuing senior unsecured bonds and secured bonds (covered bonds), both locally and abroad, and are therefore able to maintain good relationships with liability holders. The main liquidity assets banks hold are deposits in CBI and government bonds, that are considered by the CBI to be highly liquid. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor determines that banks have robust liquidity contingency funding plans to handle liquidity problems. The supervisor determines that the bank’s contingency funding plan is formally articulated, adequately documented and sets out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The supervisor also determines that the bank’s contingency funding plan establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. The supervisor assesses whether, in the light of the bank’s risk profile and systemic importance, the bank’s contingency funding plan is feasible and requires the bank to address any deficiencies. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
According to Article 78.h. on Act No. 161/2002, a financial undertaking must have a CFP in place and test it at least annually and update it considering the results from the scenarios specified in article 78.h. A financial undertaking must also comply with the Guidelines on Principles for Sound Liquidity Risk Management No. 2/2010. A financial undertaking must also have a Recovery Plan in place and the CFP needs to complement the Recovery Plan in the risk management framework. CBI requires the results of testing of CFPs annually, reviews them and comments on them, if needed. CBI has also been invited to some of the exercises as an observer. The managing director of the financial undertaking must approve the CFP and ensure that internal processes are in accordance with the requirements of the provision. The financial undertaking must also take measures to ensure that a CFP can be implemented immediately. The CFPs must be submitted and vetted by the CBI annually in relation to SREP. Banks are informed of any deficiencies and required to make corrections. In SREP 2022 CFPs of all commercial banks were highly rated, or 1, on a 1-4 scale. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor requires banks to include a variety of short-term and protracted bankspecific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into their stress testing programs for risk management purposes. The supervisor determines that the results of the stress tests are used by the bank to adjust its liquidity risk management strategies, policies and positions and to develop effective contingency funding plans. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
The banks are required to comply with Guidelines on Principles for Sound Liquidity Risk Management No. 2/2010, and EBA Guidelines on institutions’ stress testing (EBA/GL/2018/04). CBI/FSA uses the EBA Guidelines on common procedures and methodologies for the SREP and supervisory stress testing (EBA/GL/2022/03), to assess management and control of liquidity and funding risk and internal manuals as well. Article 78(h) Act No. 161/2002 states that a bank must examine the impact of different scenarios on its liquidity position and risk mitigation, and the assumptions underlying the bank’s funding decisions must be revised at least annually. To that end, the scenarios must consider off-balance sheet items and other uncertain liabilities, including units on special projects in the field of securitization or other units on special projects according to regulation (EU) no. 575/2013 to which the banak acts as an administrative entity or provides significant liquidity support. In the scenarios, a bank must examine the effects of individual companies as well as the market environment, in addition to examining mixed scenarios. Within such scenarios, different periods and different stress situations should be considered by banks. A bank must adapt its plans, policies and limits for liquidity risk and develop an effective contingency plan regarding the results of the scenarios specified in the Act in response to liquidity problems. The plan must state how the bank intends to meet the lack of liquidity, including in branches in other member states where it operates. A bank must test the contingency plan at least annually and update it considering the results from the scenarios specified in the Act. The managing director of a bank must approve the plan and ensure that internal processes are in accordance with the requirements of the provision. A bank must take measures to ensure that a contingency plan can be implemented immediately. Those contingency plans are reviewed at least annually for D-SIBs and less frequently for less significant institutions. CBI/FSA’s comments or suggestions of improvement are submitted to the banks. When evaluating the management and monitoring of liquidity and funding risk, liquidity policy and liquidity tolerance limits, analysis, stress tests, contingency plans and financing plans are reviewed. Annually, CBI/FSA conducts a comprehensive assessment of a bank’s overall liquidity risk management framework through SREP. Stress testing is an important tool of the liquidity planning process. Liquidity stress test means the assessment of the impact of certain developments, including macro- or microeconomic scenarios, from a funding and liquidity perspective and shocks on the overall liquidity position of an institution, including on its minimum or additional requirements. In particular, CBI/FSA monitors how stress tests are used within the bank, if they cover market wide and idiosyncratic stress tests and their assumptions and how the results are communicated within the bank In their ILAAP reports, the banks must submit stress tests on liquidity and funding, as required in EBA Guidelines on ICAPP and ILAAP information collected for SREP purposes (EBA/GL/2016/10). The basis and results of the banks stress tests is part of the dialogue in the SREP. The banks also submit ad hoc stress test scenarios to CBI/FSA if requested. Stress tests of the banks’ liquidity and funding are conducted on a regular basis within CBI/FSA. The tests show, for example, when the banks pay all their foreign-denominated liabilities at maturity in the next 12 months and their largest depositors (large firms, financial institutions, and pension funds) withdrew their deposits, whether the banks would still have ample liquidity and considered as a sustainable and viable bank. Since there is a lot of turmoil in international funding markets (at the time of the BCP assessment) CBI/FSA had frequent discussions with the banks regarding re-financing risk, both in local currency (e.g., covered bonds) and especially in foreign exchange. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor identifies those banks carrying out significant foreign currency liquidity transformation. Where a bank’s foreign currency business is significant, or-the bank has significant exposure in a given currency, the supervisor requires the bank to undertake separate analysis of its strategy and monitor its liquidity needs separately for each such significant currency. This includes the use of stress testing to determine the appropriateness of mismatches in that currency and, where appropriate, the setting and regular review of limits on the size of its cash flow mismatches for foreign currencies in aggregate and for each significant currency individually. In such cases, the supervisor also monitors the bank’s liquidity needs in each significant currency, and evaluates the bank’s ability to transfer liquidity from one currency to another across jurisdictions and legal entities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
Credit institutions must submit reports and maintain a LCR requirement of 100 percent in all currencies combined and LCR requirement of 100 percent in FX total. Credit institutions must also submit reports and maintain a 100 percent NSFR in all currencies combined. According to both the EU Rules on LCR and NSFR, credit institutions shall monitor the ratios in significant currencies, i.e., individual currencies in which total obligations equal or exceed 5 percent of the institution’s total liabilities. According to both Rules, credit institutions are under a general obligation to ensure that the currency composition of their liquid assets/funding is aligned with the currency composition of their outflow/assets, with consideration given to weights as specified in the Rules. The Rules also authorize CBI to require that credit institutions minimize their currency mismatches by restricting the proportion of liquid assets/required stable funding in specified currencies that may be met with net liquidity outflows/available stable funding in other currencies. Such restrictions apply only to the reporting currency or any currency above the reference limits. No national options have been implemented relating to the NSFR, but CBI requires that credit institutions’ LCR FX combined be always at least 100 percent. Later this year, CBI intends to repeal the LCR FX total requirement and implement a LCR EUR requirement of 80 percent, if aggregate liabilities denominated in that currency amount to 10 percent or more of a bank’s total liabilities, as per Article117(b), paragraph 3 of Act No. 161/2002 and Article 6(8) of the Rules on Liquidity Coverage Ratio. This intention, to better align bank’s liquid assets/funding with the currency composition of their outflow/assets (ISK versus EUR), has been communicated to financial undertakings that fall within the scope of the rules. The credit institutions are required to comply with EBA Guidelines on ICAAP and ILAAP information collected for SREP purposes (EBA/GL/2016/10), and have a policy on funding in foreign currencies, including the most relevant assumptions regarding availability and convertibility of these currencies. Credit institutions are also required to comply with EBA Guidelines on institutions’ stress testing. Institutions’ analysis of risk factors should consider, but should not be limited to, e.g., the currency of assets and liabilities including off-balance-sheet items, to reflect the convertibility risk and possible disruptions in the access to foreign exchange markets. The Rules on Foreign Exchange Balance, no. 784/2018, took effect on 30 August 2018, and are issued in accordance with Article 24 of CBI Act No. 92/2019, which authorizes CBI to set rules on credit undertakings’ foreign exchange balance. Such a balance shall, in addition to exchange rate linked assets and liabilities, cover off-balance sheet exchange rate linked assets and liabilities, such as options and forward contracts. The Rules superseded the previous Rules on Foreign Exchange Balance, no. 950/2010 of 6 December 2010. The purpose of the rules is to limit foreign exchange risk by preventing credit institutions’ foreign exchange balances from exceeding defined limits. The rules apply to consolidated credit institutions and parent companies - i.e., commercial banks, savings banks, and other institutions and associations that have been granted operating licenses pursuant to Act No. 161/2002, with subsequent amendments, and are collectively referred to as financial undertakings in the Rules on Foreign Exchange Balance. Financial undertakings submit monthly reports on their foreign exchange balances; in addition, market makers in the interbank foreign exchange market submit daily reports on their foreign exchange balance. Each financial undertaking’s reporting includes itemized information on the current and forward balances of foreign assets and liabilities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Additional Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
AC1 |
The supervisor determines that banks’ levels of encumbered balance-sheet assets are managed within acceptable limits to mitigate the risks posed by excessive levels of encumbrance in terms of the impact on the banks’ cost of funding and the implications for the sustainability of their long-term liquidity position. The supervisor requires banks to commit to adequate disclosure and to set appropriate limits to mitigate identified risks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re AC1 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 24 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
The CBI/FSA have adopted binding liquidity requirements for credit institutions, including LCR and NSFR as well as adequate requirements for liquidity risk management policies, procedures, and practices. Although the CBI/FSA is of view that it has adopted Basel III liquidity requirements in the past, with the transposition of the EU framework into Iceland’s banking legislation, however, there are some deviations from the Basel standards. The EU rules (CRR/CRD) are applicable to all credit institutions, regardless of size or systemic importance or whether the jurisdiction has internationally active banks. The EU’s LCR framework was subject to a BCBS Regulatory Consistency Assessment Programme (RCAP) regarding the compliance with Basel III LCR regulations in 2017107. The EU framework was found to be overall largely compliant with the Basel LCR standard, reflecting the fact that most but not all provisions of the Basel standards were incorporated in the EU LCR framework. The RCAP found one material deviation and four potentially material deviations. The material deviation, which is considered relevant for Iceland, is driven by the EU’s broader definition for HQLA, which includes covered bonds. Although not considered material at this time for Iceland, there is a potential for increased materiality over time. As at Q3 2022, total covered bonds for all credit institutions included in the HQLA calculation in Iceland, amounted to 63.2 billion ISK, up from 9.5 billion ISK in 2019, representing an increase from 2.1 percent to 11 percent of total HQLA. The BCBS disclosure standards is based on daily observations when calculating average LCR values, while in Iceland it is based on the simple average of month-end observations over the 12 months preceding the end of each quarter. The EU’s NSFR framework was subject to a BCBS RCAP review by the BCBS regarding Basel NSFR regulations in July 2022108. The EU framework was found to be overall largely compliant with the Basel NSFR standard, reflecting the fact that three of the four components of the Basel NSFR standard (scope, minimum requirements, and application issues; available stable funding (ASF); and disclosure requirements) were assessed as compliant. The remaining component, required stable funding (RSF), was assessed as largely compliant (which took into consideration the cumulative impact of nine “not material findings”). The CBI/FSA adopted the net stable funding requirements for individual currencies above a specified threshold, referred to as significant currencies. National options have been implemented by the CBI/FSA regarding LCR ISK and LCR FX combined and LCR requirement of 100 percent in FX total109. Credit institutions must maintain 100 percent NSFR in all currencies combined. No national options have been exercised by CBI for the NSFR. CBI annually performs a comprehensive assessment of D-SIB’s overall liquidity risk management framework as part of the review of bank’s ILAAP during SREP. Further, CBI determines whether a bank can deliver an adequate level of resilience to liquidity stress given the bank’s role in the financial system through SREP. The Banking Department works closely with the Financial Stability Department in the assessment of both inherent liquidity risk of banks, but with respect to the assessment of current macro-economic conditions, including undertaking extensive stress testing. CBI is expected to assess D-SIB’s adequacy of risk management practices during the upcoming thematic review on liquidity risk later in 2022/23. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 25 |
Operational Risk The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk110 on a timely basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Law, regulations or the supervisor require banks to have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the bank’s risk profile, systemic importance, risk appetite and capital strength, take into account market and macroeconomic conditions, and address all major aspects of operational risk prevalent in the businesses of the bank on a bank-wide basis (including periods when operational risk could increase). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
According to Act No. 161/2002, banks shall operate secure risk management system for all activities and internal processes. Article 77(a) includes general requirements on risk management policies and frameworks expected from banks which cover all potential risk domains to which banks may be exposed, including operational risk. In addition, article 78(g) includes concise requirements on operational risk that call for implementation rules set by CBI: “A financial undertaking must have a policy and procedures for assessing and managing operational risk, including due to risk models and rare events that can have serious consequences. For this purpose, a financial undertaking must specify what is considered operational risk. A financial undertaking must have a contingency plan and a plan for continuous operations to ensure its continued operations and to limit losses in the event of a serious disruption to the undertaking’s operations. CBI of Iceland may set rules for the handling of operational risk and to elaborate on the obligations of a financial undertaking according to this Article.” These principles-based provisions constitute the legal base for supervision of banks’ operational risk management policies and frameworks, from a qualitative risk management perspective. Yet legal provisions of Act No. 161/2002 on operational risk are very generic, and not specific enough to cover the large scope of operational risk nor the wide range of qualitative requirements that are expected from banks on operational risk, according to the usual typology of operational risk categories defined in Basel standards, for instance on information and communication technology (ICT) risk management, accounting framework, quality of operations processing, fraud prevention and detection, human resources-related risks, legal risk, and so on. Act No. 161/2002, article 78(g) requires banks to specify what is considered operational risk. Such wording looks inappropriate because prudential regulations should directly define operational risk and provide banks with guidance for appropriate implementation of requirements on operational risk management. For the purpose of regulation and supervision of operational risk, from a risk management perspective, CBI refers to more detailed EU legislation and EBA guidelines that are incorporated in Icelandic law, as already described. Such incorporation is made explicit in Act No. 161/2002, notably in article 1(c), and articles 117 to 117(b). Banks must adhere to the following EBA guidelines, as well as other relevant EBA guidelines and technical standards on risk assessment and management:
CBI’s supervisory policy stance on operational risk may be summarized as follows. EBA guidelines regarding operational risk cover the 2021 guidelines on “Principles for operational resilience” and the 2005 guidelines on “Outsourcing of financial services”. CBI requires banks to implement BCBS standards No. 239, Principles for effective risk data aggregation and risk reporting. CBI has not adopted any national options regarding operational risk, and plans to use EBA guidelines as main applicable requirements. In addition, the three large banks are required to comply with the NIS directive, but it adds little to the requirements put forward in the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04). Therefore, CBI has not tailored regulations on operational risk to Iceland’s specific exposure to operational risk, for instance risks of natural disasters, risks related to the geographical position of Iceland as an island country (involving some potential vulnerabilities around submarine cables, for instance). CBI has not performed a horizontal analytical risk mapping work aimed at summarizing the inherent risk profile of the Icelandic banking sector regarding operational risk, as well as mitigation measures in place and/or remaining sensitive exposures to operational risk that would be classified as high-risk. As of now, CBI has not set regulatory requirements on climate-related financial risks applicable to banks, but this action is envisaged, though not precisely planned yet. CBI has drafted a supervisory handbook manual for operational risk monitoring and assessment of financial institutions, for internal use only. The handbook specifies risk management and control aspects which banking supervisors take into consideration in yearly SREP and quarterly operational risk assessments, notably: operational risk management and tolerance; the organizational framework; policies and procedures; risk identification, measurement, monitoring, and reporting; business resilience and continuity plans; and the internal control framework on operational risk. The risk assessment methodology considers both quantitative and qualitive aspects. The handbook also specifies how a risk rating (1 -4) is calculated; and what typology of supervisory measures may be taken to address identified deficiencies. Off-site supervision of operational risk is mainly implemented by CBI through the SREP and the review of ICAAP reports from banks. Banks provide supervisors with the following information, that is used to assess operational risk management: regular risk reports, yearly ICAAP reports, internal audit reports, reports on incidents and losses due to operational risk events, reports on material changes in the operating environment of the bank or in products or services. Supervisors regularly call banks for the loss database to assess the status of the operating environment. They also call for results of penetration testing exercises and vulnerability scanning. Based on the illustration case of a major bank provided by CBI, the SREP assessment process of operational risk management covers a large range of topics pertaining to operational risk, including legal risk, which demonstrates significant attention paid by off-site supervisors on operational risk when implementing the SREP exercise, yet CBI’s assessment is based on inputs from banks, and it is not supplemented nor cross-checked by direct investigations on site. CBI’s banking supervision teams include only 2 ICT specialists, who have expertise and experience on both ICT and audit, but have many duties to fulfill within financial supervision. Therefore, CBI’s human resources look scarce regarding ICT supervisors, who cannot engage in comprehensive and thorough on-site examinations of ICT risk management frameworks of banks. CBI has performed a limited number of on-site inspections of major banks for the last 5 years. On-site inspections have covered the following topics: “cyber-attacks”, “assessment of digital trends”, “compliance with GL outsourcing”, “TRS/TRS II”. CBI has also included in the list of on-site inspections on operational risk several missions which included a review of operational risk related to the main inspection topic, for instance model risk (main topic: electronic credit assessment system). Yet this extensive typology is far from globally covering full scope of operational risk of major banks. Therefore, considering the rising importance of operational risk in many areas (ICT security, cybersecurity, cloud computing, business continuity planning, data quality, and so on), CBI’s inspection program is not large nor thorough enough to reasonably cover the whole range of essential topics relating to operational risk, from a risk-based perspective, even if the banking sector only comprises 9 banks. At least the 3 major banks should deserve more hands-on on-site inspections on operational risk, including ICT risk as a whole (governance, processing, and security). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Boards. The supervisor also requires that the Board oversees management in ensuring that these policies and processes are implemented effectively. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
According to Act No. 161/2002, article 54(a), banks’ boards shall approve strategies, policies, processes as well as the risk appetite and the implementation of risk management. Banks’ boards must also ensure that risk management processes, such as risk-taking and mitigation are reviewed at least once a year. Article 77(a) states that banks must have procedures that ensure the exchange of information between their risk management function and their board regarding all major risk factors in the bank’s operations and their evolution. The involvement of banks’ boards of directors in setting and monitoring banks’ operational risk management processes is partly determined when the annual SREP is conducted (on a yearly basis for major banks only). The main objective of ICAAP reports, subject to the SREP process, is to ensure that banks’ boards of directors, as well as senior management, understand banks’ risk profiles, and that there are systems in place to assess, quantify, and monitor banks’ operational risk exposures. CBI regularly requests a copy of the latest operational strategy when performing the SREP or on-site inspections, to assess that it has been reviewed and approved, and that the content of the strategy covers all governance requirements. The boards’ oversight of policy and process implementation on operational risk is verified by examining banks’-internal operational risk reports to board committees, reviewing the content of upper management risk dashboards, and interviewing board members. CBI also reviews banks’ internal risk reports, internal audit reports, and compliance reports to assess how operational risk deficiencies and incidents have been addressed. Data on losses resulting from operational risk events, and incidents databases pertaining to operational risk are also examined by CBI to see if patterns or concentration in operational risk are dealt with properly by banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that the approved strategy and significant policies and processes for the management of operational risk are implemented effectively by management and fully integrated into the bank’s overall risk management process. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI refers to EBA Guidelines on SREP and ensures each year that policies and processes on operational risk are implemented effectively by banks and integrated into their overall risk management process. CBI is monitoring operational risk of D-SIBs through the annual SREP. Regarding operational risk, CBI has focused banking supervision during the pandemic on ICT risk, and ensured that resources, policies, and processes are in order. Overall, banks’ organizational framework and business continuity plans have been effective. Elaborating on banks’ exposure to operational risk, CBI has assessed that:
CBI collects information on operational risk losses from the three largest banks. The total amount of operational risk losses for 2021 has reached ISK 218 million, including ISK 175 million losses resulting from operational incidents pertaining to operation processing management. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor reviews the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans to assess their feasibility in scenarios of severe business disruption which might plausibly affect the bank. In so doing, the supervisor determines that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
CBI/FSA has enhanced off-site supervision of business continuity planning recently. Banks are required by CBI to comply with EBA Guidelines on ICT and security risk management (EBA/GL/2019/04) which cover business continuity planning and disaster recovery plans. These guidelines were implemented in 2021, and banks are expected to be fully compliant in 2022. Supervisory monitoring of banks’ policies and frameworks on business resilience and continuity plans has been incorporated in the annual SREP. CBI/FSA reviews relevant documentation provided by banks, and discussion with banks on existing frameworks, results of simulation exercises, and other topics pertaining to business continuity is engaged at least annually. The internal supervisory handbook includes to-do tasks in that regard, yet there is not much detail on the processing of concrete implementation of off-site supervision. CBI/FSA has not implemented any on-site inspection of business continuity planning in the banking sector for the last 5 years. When necessary, like during the COVID-19 pandemic, when teleworking disrupted normal operation processing of banks, CBI engages specific discussion with banks to evaluate if operational threats are dealt with properly. Furthermore, CBI intermittently requires banks to perform ad-hoc operational stress tests as a part of the SREP. For example, within the 2022 SREP, the impact of an extensive ransomware attack on business continuity was examined. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor determines that banks have established appropriate information technology policies and processes to identify, assess, monitor and manage technology risks. The supervisor also determines that banks have appropriate and sound information technology infrastructure to meet their current and projected business requirements (under normal circumstances and in periods of stress), which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
CBI is adopting a similar supervisory approach as the one mentioned in CP25 EC4. Banks are required by CBI to comply with EBA Guidelines on ICT and security risk management (EBA/GL/2019/04). These guidelines were implemented in 2021, and banks are expected to be fully compliant in 2022. This is reviewed in the SREP and through the assessment of banks’ internal audit reports that banks are required to share with CBI annually. Yet the supervisory handbook is not developing supervisory tasks on ICT risk supervision. CBI/FSA mostly rely on EBA guidelines for guiding supervisors on the methodological approach of risk assessment. Off-site supervisors rely on internal information provided by banks, such as internal audit reports. Also, the CBI/FSA banking inspection program has not covered ICT risk, although the supervision of such a risk domain would require implementing onsite inspections to assess the adequacy of banks’ systems and risk management, based on thorough examination in the field. CBI has included cybersecurity as an essential topic to focus on in the 2022-24 supervisory strategy: https://www.cb.is/library/Skraarsafn---EN/Financial-Supervision-Committee/Supervisory%20Strategy%202022-2024-final%20(002).pdf. Cyber-risk management is becoming a priority area of financial supervision globally. Increased focus is on banks’ digital services, partly due to the pandemic that has increased cyber-risk. Payments are almost exclusively made digitally in Iceland, so the market is extremely sensitive to any disruption of internet services and payment systems. Increased use of cloud services outside of Iceland, inside and outside the EU, is also a source of concern for CBI. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor determines that banks have appropriate and effective information systems to:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Banks send regular risk reports to CBI that cover operational risk. These reports are the same that banks’ senior management receive. These reports are reviewed to ensure that risk data exists, metrics are effective, and actions are taken where needed. CBI assesses the adequacy of reporting on operational risk mostly off-site during the SREP, based on information provided by banks. Because there has not been any on-site inspection by CBI/FSA on banks’ information systems dedicated to their oversight of operational risk, the off-site desk review performed during the annual SREP cannot fully achieve the objective of determining in a fully reliable way whether banks have appropriate and effective information systems to monitor operational risk, including compilation of operational risk data and internal reporting on operational risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Financial firms are required to report incidents pertaining to operational risk to CBI, based on CBI guidelines. This reporting framework is based on the PSD2 incident reporting framework issued by EBA. Further information is collected if needed, including from service providers that may have been involved in incidents. CBI has required banks to submit operational risk reporting via EBA’s COREP reporting framework since 2021. A draft risk dashboard with EBA KRIs has been made (OPR-1 to OPR-16) but it has not yet been officially disclosed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management program covers:
Outsourcing policies and processes require the bank to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
CBI requires banks to comply with EBA guidelines on outsourcing arrangements (EBA/GL/2019/02). CBI considers that these guidelines are extensive and cover most important items on outsourcing. EBA guidelines were implemented in 2021. CBI has developed banking supervision of operational risk pertaining to outsourcing recently.
Banks are required to register and report all outsourcing arrangements. CBI periodically requests this information to compile a list of banks’ external providers of essential services, and to examine related concentration risk amongst service providers within the financial system. Banks are also required to provide CBI with a checklist for all cloud service arrangements. On-site inspections on outsourcing have been performed in 2022 (ongoing thematic program) to ensure compliance. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 25 |
Materially Non-compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Substantial progress has been made by CBI on supervision of operational risk in the banking sector to move beyond the quantitative Pillar 2 approach of additional capital requirement to develop a more global qualitative assessment of banks’ operational risk management frameworks. Yet supervision of operational risk has not reached optimum level of coverage and thoroughness, even considering proportionality, given the intrinsic complexity of operational risk, and the universal banking model of major banks in Iceland. Prudential regulations on operational risk mostly rely on relevant EBA guidelines. Yet prudential requirements, at least supervisory expectations for proper implementation of EBA guidelines, have not been tailored to the specific risk profile on the Icelandic banking sector regarding operational risk, except 2019 CBI guidelines on information systems operated by banks. CBI should tailor EBA guidelines on operational risk to national specifics, either by setting specific qualitative prudential requirements into national regulations, or, at least, by issuing supervisory guidance to banks for appropriate implementation of EBA guidelines on operational risk management, comprehensively covering the large scope and typology of operational risk in a way that is proportionate and adapted to the country’s specific operational risk environment within the banking sector. CBI should build a global risk-based supervisory strategy on operational risk that would be based on thorough risk mapping and assessment of the banking sector’s exposure to operational risk typologies, causes, threats, and vulnerabilities, at banking system level, and each bank level. So far, despite more detailed and extensive assessments on operational risk performed during the SREP, specific monitoring of the pandemic’s impact on operational resilience of banks, and a few targeted inspections on specific risk domains such as outsourcing, which actions are quite commendable, CBI has not yet structured a strong enough capacity to implement global risk-based supervision of operational risk in major banks effectively, especially, but not only, on ICT risk, notably by conducting hands-on on-site inspections. Further enhancement of risk-based supervision of operational risk would require upgraded off-site supervision processes, as well as more comprehensive, thorough, and intensive on-site inspection of banks, requiring additional resources, notably on ICT risk (combining expertise of ICT systems, management, audit, and banking supervision). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 26 |
Internal Control and Audit The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent111 internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require banks to have internal control frameworks that are adequate to establish a properly controlled operating environment for the conduct of their business, taking into account their risk profile. These controls are the responsibility of the bank’s Board and/or senior management and deal with organizational structure, accounting policies and processes, checks and balances, and the safeguarding of assets and investments (including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading and computer intrusion). More specifically, these controls address:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Prudential requirements applicable to banks regarding their internal control framework are laid down in various legal and regulatory references that are dispatched in separated sets of norms, thus not easy to grasp. The legal and regulatory framework on internal control in the banking sector mostly relies on EU rules and EBA guidelines that are incorporated in Icelandic law, as already described. Such incorporation is made explicit in Act No. 161/2002, notably in article 1(c), and articles 117 to 117(b). EBA guidelines EBA/GL/2021/05 on internal governance sets out detailed requirements on internal controls, among which banks should have a clear, transparent, and documented decision-making process, and a clear allocation of responsibilities and authority within its internal control framework, including its business lines, internal units, and internal control functions. In addition, EBA guidelines, Title II on role and composition of the management body, set out detailed requirements on the role and responsibility of banks’ boards of directors, including arrangements aimed at ensuring the integrity of the accounting and financial reporting systems, as well as financial and operational controls, and compliance with relevant standards. Also, EBA guidelines, Title V set out detailed requirements on internal controls, requiring banks to have a clear, transparent, and documented decision-making process, as well as a clear allocation of responsibilities and authority within its internal control framework, including its business lines, internal units, and internal control functions. Act No. 161/2002 on Financial Undertakings includes provisions on internal control which are dispatched in various Chapters, notably on (i) corporate governance (Chapter VII on board of directors, corporate governance, and employees), (ii) risk management (Chapter IX on management of risk factors in the operations of a financial undertaking), and (iii) internal audit (article 16 on audit section; Chapter XI on annual financial statements, auditing, and consolidated financial statements). Legal provisions on internal control are quite generic. For instance, article 50 on governance states that banks must have “an adequate internal control system, including sound management and accounting arrangements, and a remuneration policy that are implemented in a manner that is consistent with and contributes to reliable and efficient risk management.” Legal provisions of Act No. 161/2002 don’t develop specific qualitative prudential requirements applicable to banks on internal control, covering the overall internal control framework that is expected to be structured with the usual so-called three lines of defense, that are quite important for banks, especially D-SIBs: (i) internal control units and processes embedded within operational (business and support) workstreams at first level; (ii) independent internal control functions in charge of risk management, compliance, and oversight of most risk-sensitive operational workstreams (checks and balances, and “four-eyes” principle) at second level; and (iii) a global and independent internal audit function at third level. On the role of bank boards in internal control, Iceland has implemented Article 88 of EU Directive 2013/36/EU into Article 54 of Act No. 161/2002 which states that the board is responsible for the company’s operations and strategy, robust governance arrangements, which include a clear organizational structure with well-defined, transparent, and consistent lines of responsibility, risk strategy, adequate internal control mechanisms, including sound administration and accounting procedures. CBI/FSA supplemented Act No. 161/2002 by issuing national guidelines on internal audit in banks (2008): https://www.fme.is/media/leidbeinanditilmaeli/Leidbeinanditilmaeli2008 3.pdf. Yet these CBI/FSA guidelines are outdated and not aligned with latest international standards, not with EBA guidelines that are now enforceable in Iceland. For instance, the internal audit function reports to senior management, not to the board. CBI also applies Act No. 2/1995 on public limited companies, including regular requirements on the board of directors. This law is outdated and not adapted because more recent and specific international standards applicable to banks have been issued afterwards: 2015 BCBS guidelines No. 328 on corporate governance principles for banks; and 2012 BCBS guidelines No. 233 on the internal audit function in banks. The overall assessment of internal control is conducted by CBI via regular monitoring, mostly through off-site supervision, including the following tasks (not comprehensively listed below, for illustration):
CBI/FSA has not supplemented off-site supervision by performing on-site inspection of internal control in the banking sector globally and frequently for the last 5 years, while hands-on and thorough on-site inspection in the field would be the only way to double-check the outcome desk reviews performed through the SREP, and ensure that information provided by banks on internal control is reliable and accurate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that there is an appropriate balance in the skills and resources of the back office, control functions and operational management relative to the business origination units. The supervisor also determines that the staff of the back office and control functions have sufficient expertise and authority within the organization (and, where appropriate, in the case of control functions, sufficient access to the bank’s Board) to be an effective check and balance to the business origination units. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Regarding prudential rules on the first level of internal control, CBI essentially applies EBA guidelines. CBI refers to EBA guidelines GL/2021/05 on internal governance about requirements on the first level of internal control. Among requirements referred to by CBI from EBA guidelines:
CBI also refers to EBA guidelines GL/2021/06 on assessment of suitability which set out requirement for the banks’ framework assessment of suitability of key function holders which includes heads of internal control functions. Managers of compliance and risk management functions (second line of defense) report to CEOs but have direct access to banks’ board and committees. Banks’ boards of directors approve their appointment and charters relating to their functions, and boards must be notified in case of dismissal. Internal audit (third line of defense) directly reports to the board of directors. CBI has ensured that heads of internal control functions have direct and frequent access and communication with banks’ boards and board committees in all banks. Regarding the implementation of CBI’s supervisory policy on the first level of internal control, CBI mostly assesses the adequacy of banks’ internal control framework when performic the periodic SREP (yearly for major banks, only twice since 2016 for smaller banks), based on EBA guidelines. Resources of internal control functions are monitored closely and discussed frequently with major banks’ heads of internal control functions and board members. Monitoring includes reviewing annual reports of internal control functions, CVs of employees, meeting minutes of the board and committees. If necessary, CBI requires banks to ensure appropriate resources, either by increasing the number of employees or bringing in external resources. Yet no thematic on-site banking inspection of internal control frameworks has been planned nor completed for the last 5 years by CBI aimed at going beyond off-site supervisory dialogue, and assessing the effective implementation of sound internal control frameworks and practices globally and more thoroughly. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that banks have an adequately staffed, permanent and independent compliance function112 that assists senior management in effectively managing the compliance risks faced by the bank. The supervisor determines that staff within the compliance function is suitably trained, have relevant experience and have sufficient authority within the bank to perform their role effectively. The supervisor determines that the bank’s Board exercises oversight of the management of the compliance function. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Regarding prudential rules on the compliance function, which is part of the second level of internal control, CBI also essentially applies EBA guidelines. CBI refers to EBA guidelines GL/2021/05 about requirements on the compliance function. Among requirements referred to by CBI from EBA guidelines, internal control functions, including the head of compliance, should be independent of the business lines and internal units it controls, and it should have sufficient authority, stature, and resources. To this end, heads of compliance should report and be directly accountable to banks’ CEOs and/or boards, and their performance should be reviewed by boards. Boards shall approve their appointment and compliance function’s charters, and they must be notified in case of dismissal. Compliance officers should possess sufficient knowledge, skills, and experience in relation to compliance and relevant procedures, and they should have access to regular training. Banks are not required to set up independent compliance committees reporting to boards of directors, as it is required for internal audit and risk management. Therefore, Icelandic banks don’t have any compliance committees. Regarding the implementation of CBI’s supervisory policy on the compliance function at second level of internal control, CBI mostly assess banks’ compliance during the SREP, based on EBA guidelines. CBI has provided explicit illustration of specific supervisory focus on the compliance function on AML/CFT (which is out of scope of CP26, but within the scope of CP29) when performing SREP tasks. On other topical aspects of compliance, CBI reviews annual reports of bank’s compliance officers, which content is discussed. CBI mentions that it had an issue with the competence of a compliance officer of a systemically important bank, which compliance reports and interviews indicated lack of capabilities in certain areas; this issue was discussed with board members and the CEO, and it resulted in the bank hiring a new compliance officer. No thematic on-site inspection of banks on compliance (except AML/CFT) has been planned nor completed for the last 5 years by CBI to go beyond supervisory dialogue involving off-site supervisors, and assess more thoroughly the effective structuration of a full-fledged compliance function, as well as the effective implementation of compliance processes (including whistleblowing and related protection of employees). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that banks have an independent, permanent and effective internal audit function113 charged with:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Regarding prudential rules on the internal audit function, which is the third level of internal control, CBI applies two sets of norms:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor determines that the internal audit function:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Regarding the implementation of CBI’s supervisory policy on the internal audit function at third level of internal control, CBI mostly assess banks’ internal audit during the SREP, based on EBA guidelines. That includes reviewing reports and findings of banks’ internal audit, regular interviews and communication with banks’ internal auditors, boards, and in particular board members participating on audit and risk committees. More specifically, the scope of CBI’s supervision of banks’ internal audit covers the following tasks, referring to EC5 list of items:
In the past, CBI required improvements, mostly regarding bank boards’ and/or management’s lack of focus on closing unimplemented recommendations of internal audit reports. That issue was related to insufficient risk culture and risk awareness of the first line of defense which has been somewhat improving in banks, from CBI’s viewpoint. CBI mentions that supervisory action taken in recent years has increased awareness of the importance and value of internal control and the role of internal audit in ensuring sound banks’ operations, at least on major banks. For savings banks, the SREP is much less frequently implemented (2021, after 2016), impacting the coverage of their internal control frameworks by banking supervisors. Yet no thematic on-site inspection of banks on the internal audit function has been planned nor completed for the last 5 years by CBI to go beyond supervisory dialogue involving off-site supervisors, and assess more thoroughly the adequacy of the internal audit framework, as well as the effective and appropriate coverage of most risk-sensitive workstreams by internal audit. In that regard, the opinion provided by CBI in the BCP selfassessment on the overall quality of banks’ internal control is quite high-level. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 26 |
Largely-compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Off-site supervision annually reviews major banks’ internal control frameworks (including internal audit) during the SREP. Much commendable progress has been done since 2014 on concrete supervision of internal control through more intense supervisory dialogue and more thorough off-site reviews. Nevertheless, various specific weaknesses remain which may still undermine the overall CBI’s supervisory approach on banks’ internal control frameworks at some point, notably the lack of effective implementation of on-site inspections covering banks’ internal control frameworks globally for the last 5 years, and a much less frequent review of nonmajor banks. Scarce human resources within CBI allocated on internal control may be an issue. Also, national guidelines issued by CBI/FSA in 2008 on internal audit in banks are outdated. The lack of global coverage of internal control frameworks through regular onsite inspections is a significant weakness which should be addressed by CBI/FSA to supplement off-site supervision, which cannot by itself alone achieve the expected level of adequacy and effectiveness of supervision required in CP26. Building on the recent dynamic upgrade of off-site supervision in that regard would be key to fully comply with CP26. In all, a more globally structured supervisory strategy, as well as more thorough direct controls, would be expected from CBI regarding banks’ adequate implementation of prudential regulations, while supervisory expectations should usefully be tailored beyond the regular set of applicable EBA guidelines. Such supervisory strategy should aim at assessing the adequacy of banks’ internal control frameworks globally, covering the three lines of defense: (i) internal control units and processes embedded within operational (business and support) workstreams at first level; (ii) independent internal control functions in charge of risk management, compliance, as well as oversight of most risksensitive operational workstreams (checks and balances, and “four-eyes” principle) at second level; and (iii) a global and independent internal audit function at third level. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 27 |
Financial Reporting and External Audit The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor114 holds the bank’s Board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally and that these are supported by recordkeeping systems in order to produce adequate and reliable data. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Regarding the responsibility of banks’ boards of publishing banks’ financial statements, CBI refers to the general legislation on limited liability companies:
Act No. 161/2002 on financial undertakings, articles 87-92 adds specific requirements applicable to banks:
Act No. 87/1998 on official supervision of financial activities, article 10 states that if a regulated entity does not comply with laws or other rules governing their activities, CBI shall require corrective action within a reasonable period, especially if bank’s record keeping and data are not reliable, and if required reports are not submitted on a timely and accurate basis. For this purpose, CBI can apply fines and per diem fines (article 11). CBI holds banks’ senior management responsible and may demand corrective action. Major Icelandic banks have implemented IFRS, while smaller banks have not. According to Act. No. 3/2006, certain companies are obliged to apply IFRS whereas other companies are allowed to apply the generally accepted accounting standards (Icelandic GAAP). If a bank has securities registered on a regulated market in the European Economic Area, they are bound to use IFRS. Other banks are otherwise bound by provisions of the Act on annual accounts, as well as CBI Rules No. 834/2003 on the financial statements of credit institutions (https://en.fme.is/media/utgefid-efni/rules 834 2003.pdf), and Rules No. 102/2004 on the financial statements of securities companies and securities brokerages. CBI has not implemented any specific transposition of international standards on banks’ external audit function (2012 BCBS guidelines No. 280 on external audits of banks) into Icelandic legislation and regulation. Applicable to banks. CBI Rules No. 532/2003 on auditing of financial undertakings are much older: https://en.fme.is/media/utgefid-efni/rules-532 2003.pdf. Act No. 161/2002, article 88 states that CBI has power to issue specific accounting rules applicable to regulated financial institutions, including valuation and public disclosure requirements, in consultation with the Icelandic Accountancy Council. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor holds the bank’s Board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion as a result of an audit conducted in accordance with internationally accepted auditing practices and standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Regarding the requested opinion of external auditors on banks’ published financial statements, the legal and regulatory framework is well in place in Iceland. CBI refers to the following national legislation:
Major banks issue their audited annual financial statements on their website (webpages for investor relations), together with additional material like quarterly interim reports and presentation slides for investors:
Banks are obliged to return their audited annual statements through CBI’s report delivery system. CBI monitors the banks delivery within the required time limit. A warning is issued if the accounts are not delivered within the required time limit and penalties levied if the situation is not rectified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that banks use valuation practices consistent with accounting standards widely accepted internationally. The supervisor also determines that the framework, structure and processes for fair value estimation are subject to independent verification and validation, and that banks document any significant differences between the valuations used for financial reporting purposes and for regulatory purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Regarding rules on banks’ valuation practices, as mentioned under CP27 EC1, banks that compile their annual accounts in accordance with IFRS shall comply with the valuation methods described in IFRS, while other regulated financial institutions shall comply with valuation methods described in Act No. 3/2006 on annual accounts as well as CBI’s Rules No. 834/2003 on the financial statements of credit institutions. According to Act No. 161/2002, article 107(a), CBI may require a bank to take corrective action in a timely manner to comply with regulations, in view of publishing fair and accurate financial statements, including, for instance, depreciation of assets. CBI/FSA relies on opinions of banks’ external auditors, their reports, meetings with external auditors as well as on-site inspections to determine that banks use valuation practices consistent with accounting standards widely accepted internationally, for example: valuation of loans, valuation of collateral, application of IFRS 9, and loan forbearance. CBI/FSA also relies on banks’ internal audit reports that may cover accounting and valuation topics. No significant issue regarding banks’ valuation practices has been reported from external auditors to CBI/FSA, as indicated during the BCP assessment. CBI/FSA does not perform regular on-site inspection of banks’ accounting frameworks, methodologies, and practices to directly assess their valuation practices. As highlighted in many other risk domains for which off-site supervision is not adequately supplemented by on-site inspection, CBI/FSA should perform on-site investigations to directly ensure that valuation practices are adequate, at least on most sensitive bank accounts, notably credit exposures. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
Laws or regulations set, or the supervisor has the power to establish the scope of external audits of banks and the standards to be followed in performing such audits. These require the use of a risk and materiality-based approach in planning and performing the external audit. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Regarding the scope and standards of external audits performed by banks’ external auditors, CBI does not have legal power to decide the scope of external audit. But CBI Rules No. 532/2003 on the auditing of financial undertakings lay down detailed provisions on external audit of annual accounts of banks, and duties of banks’ external auditors: https://en.fme.is/media/utgefid-efni/rules-532 2003.pdf. Though rather old, these CBI rules clearly expect external auditors to perform risk-based checks on accounts that are most sensitive to valuation. In that regard, Article 8 states that: “In deciding on the execution and scope of surveys in relation to the auditing and endorsement of annual accounts, the auditor shall consider the importance of individual elements and risk. While conducting his survey, the auditor shall focus primarily on the most important items in the annual accounts and the elements of internal control where there is greatest danger of deviation.” Act No. 161/2002, article 94 enables CBI to require that a “special audit” of a bank be carried out if CBI sees any reason to expect audited accounts do not provide a clear picture of the bank’s financial position and operating results. CBI holds regular meetings with external auditors to get information on the outcome of their auditing work, in accordance with CBI guidelines No. 7/2015 on relationship between the supervisory Authority and the external auditors of regulated entities that are also entities of public interest. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
Supervisory guidelines or local auditing standards determine that audits cover areas such as the loan portfolio, loan loss provisions, non-performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Regarding the topical coverage of external audits performed by banks’ external auditors, CBI refers to general laws and regulations applicable to external audit of banks’ financial statements. Per applicable rules, external auditors shall cover risk-related topics mentioned in CP27 EC5, especially classification and valuation of assets and liabilities and off-balance sheet items. There are no Icelandic-specific auditing standards. External auditors conduct their auditing and review in accordance with International Standards of Auditing (ISA). In that regard, CBI refers to the following norms:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to or does not adhere to established professional standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Regarding the supervisor’s ability to refuse the appointment of banks’ external auditors, CBI/FSA has been provided with legal power that may be further increased in view of providing CBI/FSA with full prudential oversight of external auditors, as explained below. CBI does not oversee external auditors nor have any legal power to bring legal action against auditors. The Auditors’ Council is the public body, which is responsible for supervision of certified public accountants (CPAs), as stated in Act No. 79/2019, article 35. If CBI is aware of any inadequate expertise or independence of auditors, CBI should inform the Auditors Council in view of taking appropriate action. In that regard, CBI does have the power to refer suspected violations of Acts that fall under the regulatory scope of CBI for criminal investigation. Therefore, if an external auditor is considered to have demonstrated negligence in his duties, the case can be referred to the Audit Council, which handles disputes relating to the duties of auditors, according to Act No. 94/2019 on auditors, Chapter VIII. Then the Audit Counsel can refer a case for criminal investigation which should be supported by a reasoned opinion. CBI has no legal power to directly reject and rescind the appointment of an external auditor. CBI is not in charge of licensing external auditors, nor can it disagree on licensing applications of external auditors. CBI doesn’t review letters of engagement and contracts of external auditors. It has not done any modification of the terms of engagement or rejected the appointment of an external auditor. Yet CBI mentions that it has not faced any issue regarding banks’ external auditors. The above-mentioned assessment that CBI has no direct power to object to the appointment of a bank’s external auditor is based on the following information: (i) the BCP self-assessment shared by CBI which mentions that “CBI does not have the direct power to reject and rescind the appointment of an external auditor”; and (ii) existing legal and regulatory provisions applicable to external auditors in the banking sector, notably Act No. 161/2002, article 92, and CBI Rules No. 532/2003, which don’t mention anything about this topic. Yet CBI has challenged BCP assessors on this point in a follow-up discussion during the BCP assessment mission:
On external auditors’ independence, CBI mentions that an external auditor in charge of auditing a bank’s financial statements may not be a member of the bank’s board or a bank’s employee, nor work on behalf of the bank in any respect except auditing, nor be a debtor to the bank, neither as a principal debtor nor as a loan guarantor. Such requirements are included in Rules No. 532/2003. Furthermore, the external auditor may not work on behalf of the bank on matters that may impair his independence towards the bank. Act No. 94/2019 on auditors, article 3 states that banks’ external auditors must have unblemished reputation and be CPAs. Article 9 states that the CPA is subject to continuous education. Article 14 states that an external auditor shall follow the code of conduct adopted by the Institute of State Authorized Public Accountants in Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Regarding the rotation of banks’ external auditors, CBI has no legal power to request that banks rotate their external auditors. Banks are required to rotate their external auditors in accordance with Act No. 94/2019 on auditing and auditors, article 46, and regulation (ESB) 537/2014, article 17: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0537&qid = 1669979290420&from = EN. Per EU rules, neither the initial engagement of a particular statutory auditor or audit firm, nor this in combination with any renewed engagements therewith shall exceed a maximum duration of 10 years, or 20 years where a public tendering process for the statutory audit is conducted, or 24 years if more than one accounting firm is employed at the same bank. Such low frequency of rotation may not be recommendable as a legal provision. More frequent rotation should reasonably be required by laws or regulations, and enforced by CBI, if need be, to ensure that sound external audit of banks is supported by periodic turn-over of their external auditors. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
Regular meetings are held on a bilateral basis by CBI with banks’ external auditors, in accordance with CBI guidelines No. 4/2015 on “meetings between external auditing of financial undertakings and the FME”. Meetings are held every year with external auditors for the three biggest banks before and after their auditing work regarding the annual financial statements. Additional meetings can be held if deemed necessary, as well as for other banks. CBI does not meet periodically with the whole community of banks’ external auditors to discuss issues of common interest relating to banks’ operations, valuation policies, and external audit. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The supervisor requires the external auditor, directly or through the bank, to report to the supervisor matters of material significance, for example failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the bank’s financial reporting process or other matters that they believe are likely to be of material significance to the functions of the supervisor. Laws or regulations provide that auditors who make any such reports in good faith cannot be held liable for breach of a duty of confidentiality. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
Regarding the duty of whistleblowing of banks’ external auditors to CBI, the law has laid down explicit provisions. Act No. 161/2002, article 92 states that if a bank’s external auditor becomes aware of substantial deficiencies in operations or matters concerning internal control, collateral loans, or other matters that weaken the financial position of the bank, or aspects that result in a refusal to certify financial accounts or endorse them with reservations, or if the auditor has any reason to believe that laws, regulations or rules that apply to the bank have been violated, the auditor must notify the board of directors and CBI. This applies also to comparable issues that come to the knowledge of the auditor in the course of auditing for a company with close links to the bank. Such notification made by the external auditor pursuant to article 92 does not constitute a breach of confidentiality. The person notifying shall not be subject to any liability with respect to the notification. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 27 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Prudential regulation specific to banks’ external auditors follows EU rules and national laws applicable to publicly listed companies. Banking legislation lays down some important principles, such as the independence of external auditors, the duty of external auditors to alert CBI, as well as bank boards’ accountability regarding the publication of financial statements. The 2014 ROSC pointed out that CBI lacked some important supervisory powers on banks’ external auditors, among which the definition of a risk-based scope of audit, the right of objection against the nomination or continuation of the mandate of external auditors that are not deemed suitable, as well as limitation of the duration of external auditors’ mandate. In that regard, despite amendments made to Act No. 161/2002 in 2019 and 2022, CBI still lacks fully adequate powers on banks’ external auditors as required by CP27 EC6 and EC7 on the two following points:
Therefore, Act No. 161/2002 and CBI’s application regulation should give CBI additional power to oversee banks’ external auditors, so that (i) CBI may have effective power of early objection against the appointment of an external auditor, and (ii) more frequent rotation of banks’ external auditors is required. Such further reform would enable CBI to implement an enhanced risk-based approach of banking supervision which scope would fully include external auditors., while more frequent rotation would ensure that sound external audit of banks is supported by periodic turn-over of their external auditors. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 28 |
Disclosure and Transparency The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require periodic public disclosures115 of information by banks on a consolidated and, where appropriate, solo basis that adequately reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Regarding legal, regulatory, and supervisory requirements on public disclosure of information by banks, the Icelandic framework supports transparency. CBI refers to the following set of norms in that regard:
Major banks disclose quarterly financial statements, on a consolidated and solo basis. Their annual and half year financial statements are reviewed by external auditors. Other credit institutions shall submit annual financial statements audited by external auditors. Additionally, financial statements are presented in the FINREP report. Banks are also required to disclose Pillar 3 reports that include risk-based information. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that the required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration. The scope and content of information provided, and the level of disaggregation and detail is commensurate with the risk profile and systemic importance of the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Regarding the risk-based scope and content of information subject to disclosure by banks, from a supervisory perspective, CBI refers to EU rules and EBA guidelines on Pillar 3 requirements on financial disclosure which specifies expected public information relating to banking risks: EU regulation No. 575/2013 (CRR), Part Eight, and EBA guidelines No. 2016/11 on disclosure requirements. CBI has not introduced countryspecific norms in that regard. Banks are required to publicly disclose Pillar 3 regulatory reports, which templates are aligned with EBA requirements, and not tailored with any additional Icelandic requirements. In 2019, CBI made a thematic assessment of the quality of major banks’ Pillar 3 reports against EU rules and EBA guidelines on financial disclosure. Results highlighted large compliance but several kinds of gaps, requiring more detailed information, for example on risk management policies, use of external credit assessment institutions (ECAI), remuneration policies, capital adequacy, market risk on equities, IRRBB, counterparty credit risk, credit risk adjustments, and credit mitigation techniques. Major banks publish on their website annual reports on Pillar 3 disclosure, including information on risk management, capital management, credit risk, market risk, liquidity risk, operational risk, and other material risk, as well as remuneration. For illustration, major banks’ most recent reports on Pillar 3 risk disclosure for 2021 are accessible as follows:
In addition, since 2018 D-SIBs have participated to the EU-wide transparency exercise. Main indicators for Iceland can be viewed on the EBA’s website (latest year is 2021): https://tools.eba.europa.eu/interactive-tools/2021/powerbi/tr21 visualisation page.html. These indicators are quite useful for highlighting key prudential indicators on major Icelandic banks (D-SIBs) and benchmarking with other EEA jurisdictions accordingly. Financial disclosure of other banks, mostly savings banks, is in Icelandic only, and looks quite less detailed. It could not be assessed thoroughly during the mission. Therefore, though non-major banks represent a non-material part of the banking sector, their financial disclosure should be enhanced to facilitate external assessment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
Laws, regulations or the supervisor require banks to disclose all material entities in the group structure. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Regarding the disclosure of the consolidation perimeter based on which banks’ consolidated financial statements are disclosed, CBI relies on Act No. 3/2006, articles 4041 and Chapter V, as well as IFRS. Banking groups must therefore include all material subsidiaries in their consolidated financial disclosure. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Regarding the role of CBI on reviewing and enforcing disclosure standards applicable to banks, CBI confirms that banking supervisors monitor adherence to Act No. 3/2006 on annual accounts. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor or other relevant bodies regularly publishes information on the banking system in aggregate to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes aggregate data on balance sheet indicators and statistical parameters that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Regarding information disclosed on the banking system and banking supervision by CBI, acting as the Authority in charge of banking supervision, practices have been gradually upgraded. More materials with updated translation in English can now be found on CBI’s website, which were not disclosed comprehensively enough until quite recently. According to Act No. 92/2019, CBI shall compile economic and monetary data, provide opinions, and advise the Government on all foreign exchange and monetary issues. Main CBI publications pertaining to banking supervision may be summarized as follows:
There is much more specific information pertaining to the banking sector and banking supervision on CBI’s website, yet mainly in Icelandic, for instance on AML/CFT. CBI also discloses sensitive information on specific banks, such as SREP decisions on capital requirements, and sanctions (in Icelandic only). Besides, Statistics Iceland, a governmental institution, handles official statistics under the aegis of the minister. One role of Statistics Iceland, with other competent State institutions, is data collection for the generation of statistics on the Icelandic economy and society, the processing of these data, and the dissemination of statistical information to the public, businesses, institutions, and public authorities. Yet no specific database on the financial sector is disclosed by Statistics Iceland on its website: https://statice.is/. CBI’s disclosure of documentation in English on banking regulations is being progressively upgraded and updated: https://en.fme.is/about-us/supervisory-disclosure/. Yet specific CBI webpages in English on financial supervision are not fully intuitive: https://en.fme.is/. More detailed and updated documentation may be found directly on CBI’s webpages, which is not fully convenient nor reliable: https://www.cb.is/about-the-bank/central-bank-of-iceland/laws-and-rules/. Completion of upgrading CBI’s English website would be welcome in order to enhance transparency reasonably and proportionately, in view of ensuring more comprehensive and reliable information to foreign stakeholders on the framework of banking regulation and supervision implemented in Iceland. This project is under progress. CBI has disclosed a transparency policy (in Icelandic only): https://www.fme.is/um-okkur/gagnsaei-i-eftirliti/. The policy on the implementation of public publication of results in cases and observations, based on article 9 a of law No. 87/1998 on public supervision of financial activities, includes public publication of results in cases and observations, which purpose is to increase the credibility of CBI and the preventive effect of CBI’s actions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 28 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Major banks disclose detailed information, including Pillar 3 reports and ESG reports on their websites, in both Icelandic and English. Though non-major banks represent a nonmaterial part of the banking sector, their financial disclosure in Icelandic only should be enhanced to facilitate external assessment. Financial disclosure of D-SIBs’ financial statements is made annually with quarterly updates in Icelandic and English. Financial disclosure is less accessible and detailed for savings banks (Icelandic only). Supervisory disclosure by CBI looks quite rich in Icelandic, including regulation, guidance, general information, reports, even decisions on individual banks (for instance, Pillar 2 decisions, and sanctions). The recent disclosure of the financial supervision strategy for 2022-24 is a commendable achievement towards better transparency from CBI. Yet the quality of English-translated supervisory disclosure may still be enhanced for the benefit of foreign stakeholders, notably on the regulatory and supervisory framework and policies. No main finding has been identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 29 |
Abuse of Financial Services The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.116 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws or regulations establish the duties, responsibilities and powers of the supervisor related to the supervision of banks’ internal controls and enforcement of the relevant laws and regulations regarding criminal activities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Icelandic banks are subject to a numerous and complex legal framework and guidelines, both at the national level and with respect to the EU requirements. Below is an overview of the various laws, regulations that establish the duties, responsibilities and powers of CBI. Legislation Act. No. 140/2018 on Measures Against Money Laundering and Terrorist Financing (the AML/CFT Act) covers AML/CFT requirements in Iceland, see in annexAML.CFTAct, and the referred Articles below refer to the Act, unless otherwise is stated. The Act is based on previous legislation regarding AML/CFT and was revised in its entirety in 2018. Since then, it has been updated several times in accordance with European legislation and FATF standards. According to paragraph 1 of Article 38, the FSA is responsible for supervising that the obliged entities referred to in subsections (a)-(k) in the first paragraph of Article 2 comply with the provisions of the Act and regulations and rules issued hereunder. The supervision shall be subject to the Act on Official Supervision of Financial Activities and the sectorial law governing the operations of obliged entities. Paragraphs 3-7 of Article 38 stipulates the following:
See further information on CBI’s powers with regards to coercive measures and sanctions in EC8. In addition, the Act on Freezing, listing and PF No. 64/2019, see annex Act on freezing, listing and PF 64-2019, is in force and covers obliged entities requirements with regard to targeted financial sanctions monitoring and CBI ’s supervisory role in that regard. Regulation The following regulation has been set by the Minister of Justice, based on the AML/CFT Act:
The regulations are further expansions of the AML/CFT Act and provide further guidance to obliged entities on how to comply with the relevant requirements. Rules The following rules have been set by CBI:
Guidelines from the European Banking Authority (EBA) CBI has implemented the following guidelines:
Guidance Material Domestic guidance material (besides guidelines from the ESA’s is generally twofold
In addition, the part of CBI’s website dedicated to AML/CFT, https://www.fme.is/eftirlit/eftirlit-med-adgerdum-gegn-peningathvaetti-og-fjarmognun-hrydjuverka/, has detailed information on regulatory requirements and expectations set by CBI. See specifically information on the cycle of obliged entities’ risk-based measures, https://www.fme.is/eftirlit/eftirlit-med-adgerdum-gegn-peningathvaetti-og-fjarmognun-hrydjuverka/adgerdir-tilkynningarskyldra-adila/. Each aspect of the measures is described in further detail on the website. Domestic Coordination of AML/CFT Issues Steering Group on AML/CFT CBI is part of the Ministry of Justice’s steering group on anti-money laundering and terrorist financing measures according to Article 39 of the AML/CFT Act, with two representative (one from Compliance and Inspections and one from Financial Stability). Members of the steering group are representatives of the following parties, including CBI:
The steering group’s role is furthermore, as follows:
The steering group has monthly meetings at the minimum. As is explained in further detail in EC12, there are requirements for cooperation and information exchange that takes place between meetings, on behalf of members of the steering group. National Risk Assessment According to paragraph 1 of Article 4 of the AML/CFT Act, the National Commissioner of the Icelandic Police shall conduct a risk assessment that includes the analysis and assessment of the risk of money laundering and terrorist financing activities and identify means of mitigating the identified risk. The risk assessment shall be updated every two years, or more frequently if appropriate. All public authorities are obliged to provide the national commissioner with information necessary for the preparation of the risk assessment. A risk assessment based on this requirement has been conducted two times, in 2019 and the latest one in 2021, see here Ahaettumat-2021-lokautgafa.pdf (logreglan.is) Paragraph 3 and 4 of Article 4 states that the risk assessment shall take into account the risk assessment carried out by the European Commission, be based on comprehensive information, both from public authorities and other relevant sources in possession of information, and take into account other appropriate factors. The risk assessment under the first paragraph shall:
AML/CFT as a Supervisory Priority AML/CFT supervision has been a priority within CBI and formerly within the FSA (before the merger) for the last 5 years. CBI/FSA publishes its supervisory strategy every 3 to 4 years (link to the latest one is here: https://www.cb.is/libra ry/Skraarsafn---EN/Financial-Supervision-Committee/Supervisory Strategy 2022-2024-final (002).pdf). Based on the supervisory strategies, priorities of European Banking Authority (EBA)and more factors the Deputy governor of financial supervision as well as the Governor of the Central Bank decide on yearly priorities every year. In yearly priorities for 2022 emphasis was put on cooperation between the AML team and the prudential supervision as well as obliged entities IT systems used for AML/CFT purposes. Based on the yearly priorities, risk assessments of the market as well as risk assessment of each obliged entities and supervisory engagement model a yearly working plan is made. The AML/CFT work schedule is reviewed quarterly. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that banks have adequate policies and processes that promote high ethical and professional standards and prevent the bank from being used, intentionally or unintentionally, for criminal activities. This includes the prevention and detection of criminal activity, and reporting of such suspected activities to the appropriate authorities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
CBI has implemented a risk-based approach to AML/CFT supervision based on EBA’s GL on risk-based AML/CFT supervision, see further in Policy on risk based AMLCFT supervision.doc. CBI’s approach is also influenced by the FATF Guidance on Risk-based supervision, see https://www.fatf-gafi.org/media/fatf/documents/Guidance-Risk-Based-Supervision.pdf. In addition CBI follows the EBA’s work on the subject, an example of that is the following report: CBI reports suspected activities to the appropriate authorities (as described under EC1). The policy is supported with processes and procedures, including:
CBI’s risk-based approach is based on a methodology that entails assessing the risk of money laundering and terrorist financing in the financial market and prioritizing supervisory measures in accordance with the results of that assessment. To this end, CBI conducts on the one hand a sectoral risk assessment of the financial market and on the other hand individual risk assessments of all obliged entities. Sectoral Risk Assessment CBI has divided the financial market into the following sub-markets:
The risk associated with the above categories is assessed every two years; furthermore, an assessment is made of whether the information in the National Commissioner of the Police’s risk assessment (NRA) is sufficient for CBI to use in its risk assessment, or whether CBI should carry out its own risk assessment of the type of entity concerned. CBI has determined that the NRA suffices in all instances, except with regard to commercial banks, savings banks, and payment service providers, in which CBI has carried out specific risk assessments. Individual Risk Assessment Annually a risk assessment is carried out on all obliged entities in order to determine the likelihood that their operations will be used for money laundering or terrorist financing. The risk assessment is divided into two parts:
In order to be able to assess the aforementioned aspects of obliged entities’ activities, all obliged entities provide an annual AML/CFT questionnaire (irrespective of their risk rating) to CBI/FSA. The questionnaire, which has been collected since 2018, contains both quantitative and qualitative information regarding the bank’s activities of which CBI utilizes as part of its off-site risk based assessment that assists with determining if further on-site inspection work is needed, including:
This information on the entity’s operations provided in the questionnaire, including the risk classification of its customers and any business the entity conducts with customers engaged in high-risk activities. Obliged entities’ responses give indications of the risks each entity faces and how it defends itself against them. The risk assessment also takes into account the results of supervisory measures that have been carried out towards the obliged entity, including on-site inspections and other proactive checks, and interviews with money laundering reporting officers (MLRO). Finally, consideration is given to information from prudential supervisors; i.e., changes to the business plan and information on governance practices. On the basis of the risk assessment results - i.e., the risk assessment score - CBI divides obliged entities into four risk categories: high, medium-high, medium-low, and low. A high score (4) indicates that there is significant risk that the entity’s activities will be used for money laundering and terrorist financing, whereas a low score (1) indicates limited risk. Further information on how the risk assessment is conducted can be found in Work procedures for risk assessment on obliged entities. In order to determine the frequency and scope of supervisory actions, based on obliged entities’ risk score, CBI has developed and implemented the following minimum supervisory engagement model:
As the model shows, the intensity and intrusiveness of supervision is decided based on the risk category of each obliged entity. The higher the ML/TF risk is identified, the more likely it is that the intensity and the intrusiveness of the supervision will be greater. The exact intensity and intrusiveness are determined on a case-by-case basis and can depend on underlying information on the obliged entity, the previously identified deficiencies and information from external counterparts, such as the FIU. As stipulated in the above risk assessment model, Assessors noted that CBI/FSA has undertaken additional supervisory work with higher intensity and intrusiveness depending on the risk category. In addition, CBI has carried out extensive on-site inspection work for the D-SIBs, given the systemic importance of these banks. Further, see the assessors’ views at the end of this section, wherein it is recommended that the minimum engagement model go beyond contact with “only the MLRO” to include the senior management of the bank (e.g., CEO/CRO) as well at members of the Board. Following is further information on CBI’s supervisory measures, based on the aforementioned engagement model:
Information from risk assessments of obliged entities also give CBI indications on further supervisory engagement necessary in the following year, such as whether inquiries shall be made, educational meetings or seminars held, and circulars or other information sent to obliged entities. Following are examples of such actions on behalf of CBI:
Further information about the connection between the EU supranational risk assessment, NRA, and CBIs risk assessment, both individual and on the financial sectors: The EU publishes the Supranational risk assessment as required by the 4th Anti-Money laundering Directive and is supposed to update the assessment every two years. In October 2022 the assessment was updated, and it can be found here. As stated in the Policy on Risk Based Supervision (CP29 EC2) the NRA is based on the EU risk assessment and CBI risk assessments, both on financial market and individual risk assessment are based on the NRA. See picture below from the Policy on risk-based Supervision. When an updated Supranational risk assessment is published it can have effect on CBI’s risk assessments.
One of the updates that were made concerning the financial market was a higher risk score for crypto assets. Since the individual risk assessment is still underway at CBI it will take the updated assessment into consideration regarding the service providers. The NRA will be updated in the Q2 of 2023 and that work will reflect the most recent EU Supranational Risk assessment. An updated EU Supranational risk assessment is not information that CBI considers it is obliged to introduce to the market due to the fact that the market should be aware of this information. Assessors noted that beyond carrying out off-site risk assessments of each of the DSIBs on an annual basis (savings banks, self-assessment collected annually and reviewed), the AML/CFT on-site inspectors carried out approximately 9 on-site inspections beginning in 2018, but a very focused effort after the AML Act came into force. Therefore, an in-depth review of all three D-SIBs in 2020 together with several follow-up inspections was undertaken to ensure that banks addressed all deficiencies on a timely basis. For savings banks, an inspection was carried out in 2019/2020 and there is one currently on-going. Part of the FATF Mutual Evaluation Report for Iceland (2018) report highlighted the need for the FME (previous to the merger between CBI and the FSA) to improve its risk identification techniques, analysis, and assessment across all market sectors entities that it regulated reflected in the “non-compliant” rating. Since this observation, the FATF MER updated the ratings in 2029 and 2020 to “partially compliant”. Assessors note that for banks, FME and post-merger with the CBI, the FSA has implemented its risk based supervisory model for AML/CFT risk, introduced the annual collection from all banks of critical data to support its analysis (questionnaire), undertaken several on-site inspections of the high impact banks (DSIBs) plus the 4th commercial bank as well as undertaken 2 on-site inspections, conducted individual bank risk assessments on the DSIBs, an assessment on all commercial banks, an assessment on all savings banks and a sectoral assessment (partially based on the individual assessments) that included not only all banks, but other critical market participants (e.g. payments entities) - all of which CBI now regulates. It was noted that the CBI utilizes a minimum engagement model, wherein it is possible that the low impact banks would not be afforded the same scrutiny or level of supervisory work annually, but up to every three years. Given Iceland has only a total of 9 banks, it is recommended that an on-site review be conducted at each of the savings’ banks to ensure CBI has an in-depth view of each of the savings banks’ compliance with the legal and supervisory requirements. Further, it is noted that when CBI undertakes an on-site inspection, the results of which are only discussed with the Compliance Officer and the MLRO. CBI need to change the level of contact with the Board, and senior management (CEO and CRO) with respect to results of on-site inspections and the follow-up of any outstanding deficiencies noted as part of the supervisory review. Assessors recommend that CBI re-assess how long it takes to communicate findings to the bank post inspection. In a few cases, assessors noted that although inspection reports are provided to the management of banks upon completion of the on-site review, CBI delayed issuing the formal letters that included remedial/corrective actions to the Board of Directors as it was deemed unwise to do so prior to having completed all three on-site inspections involved in the thematic review. Specifically, management receives the inspection report at the exit meeting, with a formal letter that goes to bank’s Board outlining requirements/recommendations (tied to legal requirements) at a much later date. CBI should provide not only discuss the results with the CEO and CRO, it should meet with the Board as well as ensure reports are directly to the Board to ensure immediate awareness of findings. CBI’s risk assessment program for AML/CFT results in a risk score that should be rolled into the overall SREP assessment for banking supervision. This is in line with the EBA draft guidelines that will come into force January 2023: BoS 2018 xx Revised SREP GL including amendment for reference.docx (europa.eu) Specifically, the EBA has taken an integrated approach to incorporating ML/TF risks into the SREP, rather than creating a separate risk category with a separate risk score. In that respect, there will only be an impact on the SREP scores in so far as there is a prudential impact of the AML/CFT risks on the related banking risks. With regard to the proposed hybrid solution, the EBA notes the point and wishes to clarify that the integrated approach has been taken in order to avoid overlaps with the AML/CFT supervisory function that is responsible for the supervision, assessment and scoring of ML/TF risks. Assessors note that AML experts have already begun discussion with the Banking Department with respect to implementing the draft EBA guidelines. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
In addition to reporting to the financial intelligence unit or other designated authorities, banks report to the banking supervisor suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank.121 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
In Article 25 of the AML Act states that supervisors shall have in place mechanisms to receive and follow up on reports on violations, possible violations and attempted violations of the AML Act and of regulations and rules issued hereunder, and reports of suspicions of money laundering and terrorist financing. Mechanisms under this provision shall:
On CBI’s website there is a mechanism for anonymous reporting of suspicious activity, other violations, possible violations and attempted violations. (see Uppljostrun | Fjarmalaeftirlitid (fme.is) and Hafa samband | Fjarmalaeftirlitid (fme.is). for the direct reporting channel. The banks are not legally obliged to report suspicious activities reports (SAR/STR) to CBI, only to the FIU. However, CBI has close cooperation with the FIU and discusses the reports sent by the banks, for example the quality of STR’s and if there is some specific risk that the FIU has encountered based on the reports. Besides regular and ad hoc meetings with the FIU, the onsite team has meetings with the FIU before each onsite where the STR reports are discussed. Furthermore, the banks are required to set a risk appetite regarding operational risk and serious incidents stemming, for example from fraud. The banks are required to have in place policies and procedures in that regard and notify CBI of activities/incidents that are material to the safety, soundness or reputation to the bank, cf. Article 77 a and 78 g of Act No. 161/2002 on financial undertaking. Thera are also more specific requirement in relation to activities stemming from payment service based on Act No 114/2021 on payment service, guidelines 1/2019 and following EBA guidelines; Final-Report-on-EBA-Guidelines-on-fraud-reporting-Consolidated-version.pdf (fme.is) and EBA BS 2021 xx (Final revised GL on major incident reporting under PSD2).docx (fme.is). Guidance on notification can be found here for unfortunately only in Icelandic: SI 4.1.13 Leidbeiningar umtilkynningu fravika.indd (fme.is). The AML/CFT team is notified by the prudential supervisors in instances where fraud and suspicious activity could have impacted materially to the safety, soundness or reputation of the banks. Furthermore, there is a special policy with regard to cooperation and exchange of information between AML/CFT supervision and the banking department. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
If the supervisor becomes aware of any additional suspicious transactions, it informs the financial intelligence unit and, if applicable, other designated authority of such transactions. In addition, the supervisor, directly or indirectly, shares information related to suspected or actual criminal activities with relevant authorities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
In accordance to Article 23 CBI shall if, in course of their work, they become aware of transactions that may be related to money laundering or terrorist financing, or if CBI receives information on such transactions, inform the FIU immediately. On the basis of Article 23 CBI informs the FIU of suspicious transactions stemming from on-site inspections. For example, in 2020, CBI reported 2 cases following an inspection at savings bank and in 2021, CBI reported 5 cases following one inspection at a creditor and one inspection at a payment institution. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor determines that banks establish CDD policies and processes that are well documented and communicated to all relevant staff. The supervisor also determines that such policies and processes are integrated into the bank’s overall risk management and there are appropriate steps to identify, assess, monitor, manage and mitigate risks of money laundering and the financing of terrorism with respect to customers, countries and regions, as well as to products, services, transactions and delivery channels on an ongoing basis. The CDD management program, on a group-wide basis, has as its essential elements:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
See response to EC 2 regarding CBI ’s risk-based supervision of obliged entities. Regarding the requirements stated in EC5 on CDD policies and processes, reference is made to Article 5 a., paragraph 2, point a, of the AML Act 140/2018 where it is stipulated that obliged entities shall have policies, controls and processes on CDD. In paragraph 3 of the same Article, it says that the policies shall be approved by the board and that processes shall be approved by senior management. It then states that senior management shall supervise the implementation of the policies, controls and processes and shall require additional controls if necessary. Article 5 of the AML Act requires obliged entities to conduct a business-wide risk assessment. The business-wide risk assessment involves identifying and assessing the risk of money laundering and terrorist financing based on the main weaknesses of the activity and threat to it. According to Article 5, the business-wide risk assessment shall include a complete analysis and shall take account of, among other things, risk factors relating to customers, countries or regions, products, services, transactions, technology, and delivery channels. The business-wide risk assessment shall be updated every two years, and more frequently if appropriate. According to Article 5 a. of the AML Act, policies, controls, and procedures shall be based on the risk assessment under Article 5. (a) As stipulated above the findings from the business-wide risk assessment should inform their AML/CFT policies, controls, and procedures, according to Article 5 a. of the AML Act. The policies of the obliged entities, approved by the board, should include the customer acceptance policy or the risk appetite of the obliged entities. This is further elaborated on in the ML/TF Risk Factor Guidelines EBA/GL/2021/02 (Article 4.7. (Point g) and Article 1.18). (b) The detailed requirements on CDD are put forth in chapter III, including requirements to identify and verify customers on an ongoing basis. Article 10, paragraph 2, specifically, states that the obliged entities shall at all times obtain information on the customer and the beneficial owner and take appropriate actions to verify information. It then says that the obliged entity shall make an independent assessment of whether the information about the beneficial owner is accurate and adequate and must understand the ownership, operations and administrative structure of those customers that are legal persons, trusts or other similar arrangements. Article 10, paragraph 4, point e, states that obliged entities shall update their customer information regularly and obtain further information in accordance with the Act as necessary. The requirements on CDD are further stipulated in regulation 745/2019 on customer due diligence. In paragraph 5 of Article 20 of the regulation it states that in the risk assessment or policies of the obliged entities shall say how frequent the updates of CDD of a customer shall be in relation to the risk assessment of the customer. (c) Article 10, paragraph 4, point a, specifies that obliged entities shall conduct on-going monitoring of their business relationships. Requirement regarding on going monitoring is further explained in Article 20 of Regulation 745/2019 on customer due diligence. The Article specifies that obliged entities shall have automated monitoring systems that flag transactions and/or processes and methods to identify unusual or suspicious transactions. (d) Requirements for enhanced due diligence on high-risk accounts are stipulated in Article 13, paragraph 1, point c) and d) of the AML Act. This includes cases where the risk assessment shows increased risk or where the risk is in other ways increased. Article 14 includes a requirement to conduct enhanced due diligence where there are transactions or a business relationship relating to high-risk third countries. In that case an EDD includes getting an approval from senior manager before establishing the business relationship. (e) Requirement on enhanced due diligence on politically exposed persons are stipulated in Article 13 and 17 of the AML Act. In Article 17, Paragraph 2, Point a, obliged entities must get approval from senior management before entering or continuing a business relationship or transaction with politically exposed persons. (f) Article 28 requires obliged entities to retain data and information for at least five years from the end of a business relationship or the date of an occasional transaction. This includes documents and information relating to customer due diligence. Article 5 a, paragraph 2, point a. of the AML Act includes a requirement for obliged entities to include a provision on data retentions in their written processes. CBI has thoroughly inspected the fulfillment of these requirements at banks in the past and in recent years, see Reviews of credit institutions_15.9.2019 to 15.10.2022. Even if the scope of these inspections did not specifically point to each of these requirements, the findings during this period covered all points a.-f. in EC 5. In 2018-2020 CBI conducted inspections in the four large banks, and one savings bank (and other obliged entities), with a focus on CDD, specifically the ultimate beneficial owner, and the requirement to obtain verification of the information on the beneficial owner and make an independent assessment of the information, AML/CFT training of staff, politically exposed persons, investigation, and reporting of suspicious transactions, as well as international sanctions. Findings of the inspections included insufficient information on the beneficial owners, insufficient processes on customer due diligence, information on customers not updated regularly and insufficient investigations of suspicious transactions. It should be noted that at the time the AML Act of 64/2006 did not give the FSA powers to impose administrative sanctions based on breaches of the Act. The findings of the onsite inspections were published after each onsite on the website of the FSA in a transparency report. One of these inspections, the savings bank SparisjoSur Strandamanna, severe breaches were found, and CBI made a settlement with the savings banks (see further in EC8). The detailed settlement was published on the website of CBI. The thematic inspections on the risk-based approach from 2020-2022, based on the new AML Act nr. 140/2018, focused on the risk assessment (Article 5 - A) and policies, controls, and procedures. It also focused on risk assessment of business relationships and occasional transactions (Article 5 - B) and a risk-based approach to CDD and ongoing monitoring. The findings included insufficient risk assessment, inadequate risk classification of customers, insufficient enhanced due diligence, and unsatisfactory ongoing monitoring and weaknesses in the transaction monitoring system. The findings were published in a report after each inspection presented to each obliged entity. A decision was made not to publish a transparency report after each onsite inspection, but to publish a Best Practice Report on the risk-based approach based on these onsite inspections, where the findings were presented (but anonymized) (see annex Best Practice Report April 2022). Because of the decision to publish the Best Practice Report and to include a more detailed guidance in each inspection report and the new requirements in AML Act 140/2018, it was decided that CBI would not impose sanctions unless there were serious and strategic breaches of the AML Act. In a few banks, because of the severity of the findings, CBI assessed in a Memorandum, whether there were grounds to impose sanctions, see annex Memorandum following the on-site inspection of Islandsbanki. In the Memorandum CBI compares the findings to previous findings in similar institutions, whether the findings are repeated and of a systematic nature and assesses the severity of the findings. Following one inspection of a credit undertaking, Salt Pay llB hf., where severe breaches had been found, that were deemed to be strategic and where previous two onsite reports at the same institutions had also included findings of a serious nature, CBI made a settlement (see further in EC8). In all inspections CBI has demanded corrective actions before a certain date and has demanded that the banks provide an action plan where it is clearly stated what the bank intends to do and when it intends to complete the corrective action. CBI has followed up on the action Plan with meetings with the banks. CBI also demands that the corrective actions are reviewed by the internal auditor of the bank. In one bank, where there were severe breaches of the AML Act, CBI followed up on the report from the internal auditor with an off-site inspection. The findings, however, were of the nature that they needed to be followed up on with follow-up onsite inspection. As stated above, because of the severity of the findings, CBI decided to immediately follow up with an inspection in all the banks. The scope of the inspection was to examine issues related to previous on-site inspections of the bank’s risk assessment and mitigation methods, as part of a follow-up. But also, to examine the registration and traceability of information relating to, among other cash transactions and international bank transfers. The focus areas with regard to risk factors were :(1) Correspondent banking (2) International bank transfers (3) Cash transactions (4) Payments from custody accounts (5) Debt securities collections. The focus of the onsite inspection was in part, in response to a memorandum from the FIU, on weaknesses within the large commercial banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor determines that banks have in addition to normal due diligence, specific policies and processes regarding correspondent banking. Such policies and processes include:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
See response to EC 2 with regard to the basis of CBI’s AML/CFT supervision. Article 15 describes requirements with regard to transactions with correspondent banks and states the following: In cross-border correspondent relationships with institutions in non-member states, obliged entities referred to in subsections (a)-(k) of the first paragraph of Article 2 shall, in addition to the customer due diligence measures required under Article 10, meet all the following conditions when establishing business relationships:
Article 16 states a prohibition of transactions with shell banks and banks that is in relationship with shell banks and states the following: Obliged entities referred to in subsections (a)-(k) of the first paragraph of Article 2 may not enter into, or continue, correspondent relationships with shell banks. They are moreover not permitted to have business relationships with respondents who permit shell banks to make use of their accounts. If business relationships have been established with such respondents or shell banks, they shall be terminated immediately. CBI is currently conducting on-site inspections at the four commercial banks (one after the other). The first inspection commenced on 12 April 2022 with an initial letter. The onsite inspection took place from 17 May 2022 to 15 June 2022. The scope of the inspection was to examine the registration and traceability of information, in addition to examining issues related to previous on-site inspection of the bank’s risk assessment and mitigation methods, as part of a follow-up. The focus areas with regard to risk factors were :(1) Correspondent banking (2) International bank transfers (3) Cash transactions (4) Payments from custody accounts (5) Debt securities collections The on-site inspection was finalized with a report on 12 October 2022. The following observations were made with regard to correspondent banking:
The report is currently being examined by off-site supervisors in the Compliance team, with regard to the next steps in the case. With regard to the other three banks, a draft report is being finalized for the second bank, the on-site inspection in finalized and a draft report is being written for the third bank and in the case of the fourth bank, the on-site inspection will commence in the beginning of 2023. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor determines that banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the financing of terrorism. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
See also response to EC 2 and EC 5. CBI assesses whether banks have sufficient controls and systems mainly through onsite inspections. During the onsite the control and systems are assessed by walkthroughs, sample testing and interviews with key employees like the MLROs and front-line employees. The annex Reviews of credit institutions_15.9.2019 to 15.10.2022 covers all on-site and off-site inspections conducted during the time period and included in the document is the scope of each inspection. It is evident that all onsite inspections during this time have covered controls and systems. Furthermore, the assessment of controls and systems is part of some off-site inspections in addition to them being part of the application process of an operating license as a bank. Checklists for review of policies, controls and processes, Checklist for review of risk-based measures and Template of questions in on-site inspections were all provided to the Assessors as part of the on-site BCP assessment. Risk-based sample testing During an inspection the on-site team takes risk-based samples according to the procedure here below:
Supervision of transaction monitoring systems and flags: The on-site team has investigated transaction monitoring and flags in the following manner:
Supervision of suspicious transaction reporting: CBI files a STR related to transactions if CBI deems it suspicious. As noted in EC4 CBI reported 5 cases in 2021 and 2 cases in 2020. None of the reports were related to the commercial banks. However, in most cases CBI does not have sufficient information to decide whether there are reasonable grounds to report or not since the obliged entities have not investigated flags adequately. Under such circumstances the on-site team points out in the report that flags have not been investigated sufficiently which can than result in a STR. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor has adequate powers to take action against a bank that does not comply with its obligations related to relevant laws and regulations regarding criminal activities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
Regarding the requirements stated in EC5 on CDD policies and processes, reference is made to Article 5 a., paragraph 2, point a, of the AML Act 140/2018 where it is stipulated that obliged entities shall have policies, controls and processes on CDD. In paragraph 3 of the same Article, it says that the policies shall be approved by the board and that processes shall be approved by senior management. It then states that senior management shall supervise the implementation of the policies, controls and processes and shall require additional controls if necessary. Article 5 of the AML Act requires obliged entities to conduct a business-wide risk assessment. The business-wide risk assessment involves identifying and assessing the risk of money laundering and terrorist financing based on the main weaknesses of the activity and threat to it. According to Article 5, the business-wide risk assessment shall include a complete analysis and shall take account of, among other things, risk factors relating to customers, countries or regions, products, services, transactions, technology, and delivery channels. The business-wide risk assessment shall be updated every two years, and more frequently if appropriate. According to Article 5 a. of the AML Act, policies, controls, and procedures shall be based on the risk assessment under Article 5. (a) As stipulated above the findings from the business-wide risk assessment should inform their AML/CFT policies, controls, and procedures, according to Article 5 a. of the AML Act. The policies of the obliged entities, approved by the board, should include the customer acceptance policy or the risk appetite of the obliged entities. This is further elaborated on in the ML/TF Risk Factor Guidelines EBA/GL/2021/02 (Article 4.7. (Point g) and Article 1.18). (b) The detailed requirements on CDD are put forth in chapter III, including requirements to identify and verify customers on an ongoing basis. Article 10, paragraph 2, specifically, states that the obliged entities shall at all times obtain information on the customer and the beneficial owner and take appropriate actions to verify information. It then says that the obliged entity shall make an independent assessment of whether the information about the beneficial owner is accurate and adequate and must understand the ownership, operations and administrative structure of those customers that are legal persons, trusts or other similar arrangements. Article 10, paragraph 4, point e, states that obliged entities shall update their customer information regularly and obtain further information in accordance with the Act as necessary. The requirements on CDD are further stipulated in regulation 745/2019 on customer due diligence. In paragraph 5 of Article 20 of the regulation it states that in the risk assessment or policies of the obliged entities shall say how frequent the updates of CDD of a customer shall be in relation to the risk assessment of the customer. (C) Article 10, paragraph 4, point a, specifies that obliged entities shall conduct on-going monitoring of their business relationships. Requirement regarding on going monitoring is further explained in Article 20 of Regulation 745/2019 on customer due diligence. The Article specifies that obliged entities shall have automated monitoring systems that flag transactions and/or processes and methods to identify unusual or suspicious transactions. (d) Requirements for enhanced due diligence on high-risk accounts are stipulated in Article 13, paragraph 1, point c) and d) of the AML Act. This includes cases where the risk assessment shows increased risk or where the risk is in other ways increased. Article 14 includes a requirement to conduct enhanced due diligence where there are transactions or a business relationship relating to high-risk third countries. In that case an EDD includes getting an approval from senior manager before establishing the business relationship. (e) Requirement on enhanced due diligence on politically exposed persons are stipulated in Article 13 and 17 of the AML Act. In Article 17, Paragraph 2, Point a, obliged entities must get approval from senior management before entering or continuing a business relationship or transaction with politically exposed persons. (f) Article 28 requires obliged entities to retain data and information for at least five years from the end of a business relationship or the date of an occasional transaction. This includes documents and information relating to customer due diligence. Article 5 a, paragraph 2, point a. of the AML Act includes a requirement for obliged entities to include a provision on data retentions in their written processes. CBI has thoroughly inspected the fulfillment of these requirements at banks in the past and in recent years, see Reviews of credit institutions_15.9.2019 to 15.10.2022. Even if the scope of these inspections did not specifically point to each of these requirements, the findings during this period covered all points a.-f. in EC 5. In 2018-2020 CBI conducted inspections in the four large banks, and one savings bank (and other obliged entities), with a focus on CDD, specifically the ultimate beneficial owner, and the requirement to obtain verification of the information on the beneficial owner and make an independent assessment of the information, AML/CFT training of staff, politically exposed persons, investigation, and reporting of suspicious transactions, as well as international sanctions. Findings of the inspections included insufficient information on the beneficial owners, insufficient processes on customer due diligence, information on customers not updated regularly and insufficient investigations of suspicious transactions. It should be noted that at the time the AML Act of 64/2006 did not give the FSA powers to impose administrative sanctions based on breaches of the Act. The findings of the onsite inspections were published after each onsite on the website of the FSA in a transparency report. One of these inspections, the savings bank SparisjoSur Strandamanna, severe breaches were found, and CBI made a settlement with the savings banks (see further in EC8). The detailed settlement was published on the website of CBI. The thematic inspections on the risk-based approach from 2020-2022, based on the new AML Act nr. 140/2018, focused on the risk assessment (Article 5 - A) and policies, controls, and procedures. It also focused on risk assessment of business relationships and occasional transactions (Article 5 - B) and a risk-based approach to CDD and ongoing monitoring. The findings included insufficient risk assessment, inadequate risk classification of customers, insufficient enhanced due diligence, and unsatisfactory ongoing monitoring and weaknesses in the transaction monitoring system. The findings were published in a report after each inspection presented to each obliged entity. A decision was made not to publish a transparency report after each onsite inspection, but to publish a Best Practice Report on the risk-based approach based on these onsite inspections, where the findings were presented (but anonymized) (see annex Best practice report April 2022). Because of the decision to publish the Best Practice Report and to include a more detailed guidance in each inspection report and the new requirements in AML Act 140/2018, it was decided that CBI would not impose sanctions unless there were serious and strategic breaches of the AML Act. In a few banks, because of the severity of the findings, CBI assessed in a Memorandum, whether there were grounds to impose sanctions, see annex Memorandum following the on-site inspection of Islandsbanki. In the Memorandum CBI compares the findings to previous findings in similar institutions, whether the findings are repeated and of a systematic nature and assesses the severity of the findings. Following one inspection of a credit undertaking, Salt Pay llB hf., where severe breaches had been found, that were deemed to be strategic and where previous two onsite reports at the same institutions had also included findings of a serious nature, CBI made a settlement (see further in EC8). In all inspections CBI has demanded corrective actions before a certain date and has demanded that the banks provide an action plan where it is clearly stated what the bank intends to do and when it intends to complete the corrective action. CBI has followed up on the action Plan with meetings with the banks. CBI also demands that the corrective actions are reviewed by the internal auditor of the bank. In one bank, where there were severe breaches of the AML Act, CBI followed up on the report from the internal auditor with an off-site inspection. The findings, however, were of the nature that they needed to be followed up on with follow-up onsite inspection. As stated above, because of the severity of the findings, CBI decided to immediately follow up with an inspection in all the banks. The scope of the inspection was to examine issues related to previous on-site inspection of the bank’s risk assessment and mitigation methods, as part of a follow-up. But also to examine the registration and traceability of information relating to, among other cash transactions and international bank transfers. The focus areas with regard to risk factors were :(1) Correspondent banking (2) International bank transfers (3) Cash transactions (4) Payments from custody accounts (5) Debt securities collections. The focus of the onsite inspection was in part, in response to a memorandum from the FIU, on weaknesses within the large commercial banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The supervisor determines that banks have:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
AML on-site inspectors review the due diligence practices of banks when on-site to specifically review correspondent banking practices. Additionally, see further information regarding each point:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC10 |
The supervisor determines that banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services to either local management or the relevant dedicated officer or to both. The supervisor also determines that banks have and utilize adequate management information systems to provide the banks’ Boards, management and the dedicated officers with timely and appropriate information on such activities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC10 |
Supervisors determines that obliged entities shall have in place a policy, controls, and procedures for suspicious transaction reporting in accordance with Art. 5. a. of the AML act nr. 140/2018. It states that obliged entities shall have in place policies, controls, and procedure on suspicious transaction reporting among other. In addition to the legal requirement to have in place internal policies on suspicious transaction reporting there is a legal requirement in article 25 of the AML act nr. 140/2018 for Obliged entities to have in place documented procedures, to encourage their employees or individuals in comparable positions to report violations of this Act and of regulations and rules issued hereunder. Iceland has a two-tier board structure. The management board which is the CEO according to Icelandic legislation is responsible for the day-to-day management of the bank and the board which has a supervisory role/supervises the management of the banks as well as setting policies and take major decisions, cf. Article 68 of Act on 2/1995 on Public Limited Companies and Article 1 b and Article 54 of Act No. 161/2002 on Financial Undertakings. In accordance to the interpretative notes to article 34 of the AML act 140/2018 the MLRO shall among other tasks receive notifications of suspected money laundering or terrorist financing from employees, record them and store them together with other data in an adequate manner, take measures to obtain the necessary information in connection with notifications from employees, submit an annual report to the supervisory board of directors. Additionally, he is tasked with the responsibility to ensure that the supervisory board is sufficiently informed about risks in relation to anti-money laundering and terrorist financing measures and that the board is actively involved in reducing and managing such risks. Before conducting the annual MLRO interviews CBI requests a copy of the annual MLRO report to the board of directors and other AML audit reports either conducted by the internal or external auditors. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC11 |
Laws provide that a member of a bank’s staff who reports suspicious activity in good faith either internally or directly to the relevant authority cannot be held liable. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC11 |
According to Article 26 an individual which, in good faith, reports suspicion of money laundering or terrorist financing, whether this is done to the FIU, a supervisor or within the obliged entity of his employment, shall be protected against retaliatory actions. The same applies regarding reports of violations of the Act. Furthermore, the Article stipulates that, amongst other things, the first paragraph shall entail that the person in question shall enjoy anonymity, in addition to which his employer may not abridge his rights and entitlements, terminate, or cancel his contract of employment or take any other retaliatory actions against him for having reported a suspicion of money laundering or terrorist financing. If the circumstances in the second paragraph arise after an individual has reported a suspicion under the first paragraph, the employer shall demonstrate that the decision is based on grounds other than the reporting by the individual of a suspicion of money laundering or terrorist financing. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC12 |
The supervisor, directly or indirectly, cooperates with the relevant domestic and foreign financial sector supervisory authorities or shares with them information related to suspected or actual criminal activities where this information is for supervisory purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC12 |
Domestic Cooperation Reference is made to point 2 on Domestic coordination of AML/CFT issues in EC1. The legal framework for domestic cooperation with regard to AML/CFT issues can be found in chapter XI, Coordination and cooperation, of the AML/CFT Act. Furthermore, paragraph 1 of Article 40 states that supervisors (including CBI) and other competent authorities (members of the steering group), including the tax authorities and the police who, due to their duties, have responsibilities related to anti-money laundering and terrorist financing, are obliged, on their own initiative or upon a request, to share information and data which fall within the scope of the act with each other, if the matter concerned involves information or data that may fall under the competence of the authority they are shared with. Authorities shall in the same manner, provide mutual assistance related to anti-money laundering and terrorist financing. Further stipulation of the obligations with regard to domestic cooperation can be found in paragraphs 2-6 of Article 40. Additionally, Article 42 of the AML/CFT Act, stipulates cooperation and dissemination of information by the FIU. Based on the cooperation that is stipulated in the AML/CFT Act, the steering group has two sub-groups which CBI is a member of: 1) a cooperation platform with the supervisor for DNFBP’s, Iceland Revenue and Customs and the FIU. The supervisors meet monthly to discuss supervisory matters such as risk assessments, guidance and feedback, administrative sanctions cases, international cooperation, and legislative issues. In at least every other meeting, the FIU joins the meeting to discuss typologies, trends and methods that have been observed. 2) a cooperation platform with the supervisor for DNFBP’s, Iceland Revenue and Customs and the Ministry of Foreign Affairs. The group meets at least bi-annually to discuss issues regarding Act No. 64/2019 on freezing of assets. Therefore, the main topics are targeted financial sanctions and supervision of the requirements in that regard. Due to the recent sanctions in relation to the war on Ukraine, the group has met more frequently. Both platforms are based on MoU’s that have been signed between the relevant parties. The agreements were initially made in 2019, however one of them was materially updated recently and is yet to be formally signed. Reference is made to MoU btw FSA, Internal Revenue and FIU, Annex to MoU btw FSA, Skattur and FIU and MoU btw FSA, Skattur and MoFa. In addition, CBI has very frequent communications with the FIU, both through e-mail communications, meetings, phone calls and other informal communications. The FIU also regularly sends CBI memorandums which highlight issues at obliged entities that need to be brought to the attention of CBI. This type of information from the FIU has in some cases triggered inspections, which is the case with the current thematic inspections at banks. An overview of the main cooperation with the FIU since 2019 can be found in the document Cooperation with FIU. Unfortunately, CBI does not have detailed information on cooperation with the FIU, before that time. In addition to the previous information, CBI meets with the FIU before each on-site inspection to discuss specific issues and concerns regarding the inspected entity. Lastly CBI meets annually with the FIU before completing the authorities risk assessment. Foreign Cooperation Article 41 states without prejudice to non-disclosure obligations, parties involved in supervision under this Act and other competent authorities, e.g., tax authorities, which in the course of their activities have obligations related to measures against money laundering and terrorist financing, shall provide their sister institutions in Member States with the assistance they request unless the circumstances described in the third paragraph of Article 42 are applicable. Such information may only be provided it is subject to a non-disclosure obligation in the state in question or within the institute involved. Subject to the same conditions, supervisors and competent authorities may, on their own initiative, disseminate information to their sister institutions in other Member States if the information concern the Member State in question. The presence of branches and agents of foreign obliged entities is limited in Iceland and no branch in Iceland from foreign banks. Branches and agents are obliged entities according to Article 2 of the AML/CFT Act, cf. point f and g and supervision of these entities is conducted based on a risk-based approach. Based on that, the most extensive supervision is of the agent of Western Union Payment Services Ireland Limited (WUPSIL), as the services provided by the agent are high-risk according to CBI’s risk assessment. In that regard, CBI is part of the WUPSIL AML college123, led by the Central bank of Ireland and has signed a MoU to that extent. See annex MoU with regard to WUPSIL. Otherwise, cooperation with competent authorities in other EU Member States is of a general nature, mainly through the AMLSC at the EBA124 and the Nordic Baltic Working Group. In addition, there are instances in which CBI sends specific queries to other competent authorities in relation to certain cases. Last, the UK branch of the 4th commercial bank, is subject to an MOU between the CBI/FSA and the UK banking supervisory authorities, where in general, the supervisory cooperation and information sharing is formalized. The MOU covers among other tasks, AML/CFT supervision. The UK branch is part of CBI’s consolidated supervision and CBI can therefore request information and documentation regarding the UK branch from either the commercial bank or from the UK branch directly, according to Article 9 of Act No. 87/1998 and Act No. 161/2002. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC13 |
Unless done by another authority, the supervisor has in-house resources with specialist expertise for addressing criminal activities. In this case, the supervisor regularly provides information on risks of money laundering and the financing of terrorism to the banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC13 |
Expertise of Resources All employees that are involved in AML/CFT tasks have considerable work experience in the field and have enhanced their knowledge to a greater extent in the last few years. Following are some examples of training and knowledge seeking on behalf of CBI employees:
Information on Risk CBI uses a range of tools to provide banks with information on risks, mainly the following:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 29 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Since 2018, the CBI/FSA has implemented a risk based supervisory model for AML/CFT risk, introduced the annual collection, from all banks of critical quantitative and qualitative data to support its analysis (questionnaire), undertaken several on-site inspections of the high impact banks (DSIBs) plus the 4th commercial bank as well as undertaken 2 on-site inspections of savings banks, conducted individual bank risk assessments on the DSIBs, a risk assessment on all commercial banks, a risk assessment on all savings banks and a sectoral assessment (partially based on the individual assessments) that included not only all banks, but other critical market participants (e.g. payments entities) - all of which CBI now regulates. CBI has made great efforts to build up the area of expertise in AML/CFT (9 FTEs) to implement a risk based supervisory assessment model for banks and has carried out deep on-site inspections to assure itself of the effectiveness of bank’s risk management practices regarding compliance with applicable AML/CFT legislative and supervisory requirements. CBI has released a “lessons learned” paper, engaged the banking industry through conferences and has built a very detailed website outlining applicable laws, regulations, guidelines, etc. Given the extent of various requirements, guidance, legislation, etc. applicable to banks, CBI needs to develop AML/CFT guidance to ensure that banks know, understand and comply with the extensive CBI AML/CFT regulatory and supervisory requirements for banks. CBI’s minimum engagement model focuses on the bank’s MLRO and Compliance Officer, when it needs to meet with Board members and senior management (CEO/CRO) as well as provide the results of inspection reports directly to not only management but to the Board, to ensure adequate bank accountabilities are in place with respect to this key risk. Further, it is noted that based on the current minimum engagement model, the frequency of on-site supervisory work occurs only every 2 years for high impact banks and every 3 years for low/medium impact banks. Although CBI is currently engaged with DSIBs, the 4th commercial banks and the savings banks in practice well beyond what this model indicates, it is critical that CBI updates its model to reflect the continued need to have adequate supervisory coverage. CBI needs to incorporate the results of the AML/CFT risk assessment (adequacy of bank’s compliance with AML/CFT regulatory and supervisory requirements) into the bank’s overall SREP score of the bank. A bank should not have a positive (e.g., low SREP score) if material deficiencies have been identified with a bank’s compliance with AML/CFT requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Supervisory Powers, Responsibilities, and Functions |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 1 |
Responsibilities, Objectives, and Powers An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups.26 A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns.27 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The responsibilities and objectives of each of the authorities involved in banking supervision28 are clearly defined in legislation and publicly disclosed. Where more than one authority is responsible for supervising the banking system, a credible and publicly available framework is in place to avoid regulatory and supervisory gaps. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
CBI of Iceland (CBI) is the primary banking supervisory authority in Iceland. CBI is an independent institution owned by the State and operating under the auspices of the Prime Minister. Further, two of the three areas of responsibility of the CBI, financial supervision and financial stability are administrative matters of the MoFEA according to the presidential decree. Act No. 92/2019 on CBI of Iceland (Act No. 92/2019) Article 2 states that CBI shall promote price stability, financial stability and sound and secure financial activities. CBI shall also undertake such tasks as are consistent with its role as a Central Bank, such as maintaining international reserves and promoting a safe, effective financial system, including domestic and cross-border payment intermediation. The Financial Supervisory Authority (previously known as the FME) was merged with CBI beginning 2020, now referred to as “The Financial Supervisory Authority of CBI of Iceland” (CBI/FSA) wherein CBI administers all functions previously entrusted to the FME by law and Governmental directive. CBI/FSA is an integrated supervisor with both a prudential and a regulatory role overseeing supervisory activities, including banking. CBI/FSA ensures that the activities of supervised entities are in compliance with the laws, regulations, rules, or company statutes governing such activities, including banking. The application of CBI’s policy instruments and powers are in the hands of three committees: Monetary Policy Committee, FSN and FMEN. The Central Office of CBI oversees all activities of the bank and support the functioning of the three main committees. See more details on the two Committees pertinent to banking in CP2 EC1. Article 2(4) of the Act No. 92/2019 states that CBI shall undertake those tasks that are entrusted by law and Governmental directives to the FSA, and the FSA shall be part of CBI. The Bank shall monitor supervised entities to ensure that their activities are in compliance with the law and with Governmental directives, and that they are in other respects consistent with sound and appropriate business practice; the Act No. 87/1998 on the Official Supervision of Financial Activities (Act No. 87/1998). Description of the Resolution Authority With the adoption of Act no. 70/2020 on Resolution of Credit Institutions and Investment Firms (the Resolution Act), the Resolution Authority within CBI was entrusted with powers of resolution. This provides the Governor/CBI with the authorization to take decisions on resolution procedures and apply resolution measures in the case of credit institutions and investment firms that are failing or likely to fail (i.e., those that are unable to service their liabilities or are highly likely to be unable to do so). According to Article 4 of the Act, CBI’s Resolution Authority shall be separate from other activities within the Bank’s organizational structure. CBI’s Resolution Authority formally commenced operation in November 2020, and it has issued rules on the practice of the Resolution Authority no. 1733/2021 in accordance with Article 4 of the Resolution Act. The rules outline the requirements for the separation of the Resolution Authority from the other activities of CBI and the decision-making regarding resolution. According to the first paragraph of the rules the office of the Resolution Authority reports directly to the Governor. Role of the Ministry of Finance and Economic Affairs (MoFEA) The MoFEA administers matters relating to financial stability and financial markets. It has regulatory but no direct supervisory powers with regard to the supervision of banks. The MoFEA oversees the enacting of the banking legislative process, based on recommendations from CBI/FSA where applicable. In addition, the Prime Minister appoints members to the FMEN and the FSN, of which has government representatives on each of the Committees (see CP2 EC1 for more detail). The MoFEA appoints the external members of the FMEN and FSN. The Prime Minister appoints the DGs of Financial Stability and Financial Supervision based on nominations from the MoFEA (DGs are members of the FMEN and FSN). For the FMEN the Prime Minister chooses which official to appoint from the MoFEA to the FMEN (this is not mandated by law). Moreover, as prescribed in the CBI Act, the MoFEA representative on the FSN is only an observer. The MoFEA implements regulations regarding various matters, for example, among other things:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC 2 |
The primary objective of banking supervision is to promote the safety and soundness of banks and the banking system. If the banking supervisor is assigned broader responsibilities, these are subordinate to the primary objective and do not conflict with it. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
CBI has separate objectives, but they do not conflict with its primary banking supervisory role. These separate objectives are: to promote price stability, financial stability and sound and secure financial activities. CBI shall also undertake such tasks as are consistent with its role as a Central Bank, such as maintaining international reserves and promoting a safe, effective financial system, including domestic and cross-border payment intermediation. CBI/FSA, as an integrated supervisor, is also responsible for conduct of business supervision, insurance companies, other credit undertakings and payment services entities. The relevant sections of Article 1(1) and (2) of Act 87/1998 states that the aim of this Act is that regulated entities act in accordance with laws and rules and that the activities are in accordance with sound and proper business practices...and that the aim of the supervision of financial activities is to promote a sound and safe financial market and to reduce the likelihood that the activities of regulated entities will lead to damage to the public. Article 8 of the same Act specifies that the FSA “shall monitor the compliance of the activities of the regulated entities with laws, regulations, rules or resolutions concerning such activities, and their consistency in other respects with sound and proper business practices.” Article 1 of Act 161/2002 establishes that the purpose of the law is to ensure that financial undertakings are operated in a sound and normal manner in the interests of customers, shareholders, guarantee capital owners and the entire economy. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
Laws and regulations provide a framework for the supervisor to set and enforce minimum prudential standards for banks and banking groups. The supervisor has the power to increase the prudential requirements for individual banks and banking groups based on their risk profile29 and systemic importance.30 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
As part of SREP, CBI/FSA regularly assesses D-SIB’s total capital adequacy based on the ICAAP submitted to CBI. In practice, CBI has raised prudential requirements on a bank for individual banks and banking groups when a risk is assessed throughout the supervisory cycle. Further, CBI/FSA uses the provisions of Article 107 (a) of Act 161/2002 which establishes that the supervisor shall demand that a financial undertaking take the necessary corrective measures in a timely manner if the undertaking does not comply with the provisions of this Act, as well as the regulations and rules adopted by virtue of it. The FSA is authorized to prescribe: 1) a higher total capital ratio, 2) better internal processes, 3) that a financial undertaking present a special plan on how the undertaking will fulfil the requirements and set deadlines for improvements, 4) write-down of assets, 5) restrictions or limits to activities, 6) reduction of the risk, 7) limit bonuses, 8) use of net profit to strengthen the own funds, 9) limit or prohibit dividend, 10) impose special liquidity requirements, 11) increase data submission and 12) special disclosure to the market. The FSA has imposed Pillar 2 add-ons according to results of Supervisory Review and Evaluation process (SREP) and the new individual capital adequacy ratio (CAR) is then considered the regulatory minimum for that bank. The CBI has effectively and actively used the Article to impose Pillar 2 requirements to banks according to their risk profile and systemic importance. Assessors were able to verify evidence of this type of action. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
Banking laws, regulations and prudential standards are updated as necessary to ensure that they remain effective and relevant to changing industry and regulatory practices. These are subject to public consultation, as appropriate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Acts No. 87/1998 and No. 161/2002 have been amended several times, mostly to reflect EU legislation and after 2008 to allow for crisis-related measures. As a member of the European Economic Area (EEA), Iceland has the obligation to transpose into national legislation the EU Directives and Regulation regarding prudential requirements for banks that have been incorporated into the EEA Agreement. Extensive changes were also made to Act No. 161/2002 due to the merger of CBI and the FSA and finalized implementation of the CRD IV package (CRD IV, CRD V and CRR I and CRR II). Assessors recommend that CBI/FSA implement in prudential guidance in the material risk areas to ensure that banks know and understand all the recently transposed EU legislation and that the guidance is tailored to the Icelandic jurisdiction. It is noted that CBI participates in the working groups responsible for drafting legislation, but it does not have the power to initiate and propose legislation regarding banking supervision, that power lies with the MoFEA. CBI can issue rules (called “rules”) when explicitly authorized to do so by legislation, and on a specific topic (Article 78(a-i) of Act 161/2002). CBI is generally authorized to issue and publish guidelines on the activities of regulated entities, if their substance concerns a group of regulated entities, according to Article 8 (2) of Act 87/1998. These are called “Guidelines,” and they generally reflect CBI/FSA’s interpretation of laws and regulations and are not legally binding. All changes to or introduction of legislation or guidelines is subject to public consultation. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor has the power to:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
A) CBI has full access to banks and banking group board, management, staff and records in order to review compliance with internal and external rules. According to Paragraph one of Article 9 of Act No. 87/1998 on Act on Official Supervision of Financial Activities supervised entities are required to grant CBI access to all their accounts, minutes, documents and other material in their possession regarding their activities, which CBI considers necessary. According to Paragraph three CBI can in connection with its supervision and investigations under the provisions of special legislation e.g., Act No. 161/2002 on financial undertaking, require natural and legal persons to supply the FSA with any information and material the Authority considers necessary. In this context it is of no relevance whether the information concerns the party to which the request is directed or transactions with other parties on which the party is able to supply information which concerns the investigation and supervision of the FSA. In addition, CBI has extensive powers to request information based on Article 107 of Act no. 161/2002. FSA can impose a sanction, according to Article 11 of Act No. 87/1198, if obliged entity doesn’t deliver requested data. B) CBI can review the overall activities of a banking group, both domestic and crossborder, cf. Article 107 of Act No.161/2002. If the activities are cross-border CBI would contact relevant authorities for cooperation. C) There are no foreign banks incorporated in Iceland. If a foreign bank that has headquarters outside the EEA CBI can grant the bank special authorization to incorporate in Iceland, cf. requirements stated in Article 33 of Act. 161/2002. The process for passport notification for banks within the EEA is a specific dialogue between the home and host supervisors according to Articles in the Banking Directive (CRD IV). CBI has extensive powers to supervise foreign bank incorporated in Iceland according to Article 34 of Act. 161/2002. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
When, in a supervisor’s judgment, a bank is not complying with laws or regulations, or it is or is likely to be engaging in unsafe or unsound practices or actions that have the potential to jeopardize the bank or the banking system, the supervisor has the power to:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
A) According to Article 10 of Act No. 87/1998 CBI can take action if a supervised entity is not complying with law or other rules governing their activities as well as require corrective actions. According to Paragraph one and two of Article 107 a of Act No. 161/2002 CBI can insist that supervised entity takes corrective actions if it does not comply, or it is likely that the bank will not comply with Act No. 161/2002 or regulations based on the Act. The timely corrective actions, but limited to, that CBI can:
Furthermore, according to Article 107 (c) of Act No. 161/2002 CBI can use early intervention measures if the supervised entity is not complying with law and rules or it is likely that the entity will not comply with law and rules, including CRR. The early intervention measures, but not limited to, stipulate that CBI can:
Finally, Article 107 (g) and (h) state that when supervised entities operate cross border within the EEA the supervisory authorities shall cooperate in their supervisory measures. B) CBI can impose a range of sanctions e.g.:
C) Article 9 of Act No. 161/2002 on financial undertakings indicates that CBI can revoke a banking license. D) According to Article 107 a in Act No. 161/2002 the FSA shall demand that a financial undertaking take the necessary corrective measures in a timely manner if the undertaking does not comply with the provisions of this Act, as well as the regulations and rules adopted by virtue of it, or if data or information in its possession, the FSA considers it likely that a financial undertaking will not be able to comply with the provisions of this Act within the next 12 months. According to Article 107 c in Act No. 161/2002 The FSA can apply early interventions against a credit institution or investment firm with guarantee capital. In the circumstances referred to in point (a) or (b) of the first paragraph of Article 107 c, a credit institution or investment firm is obliged to provide the Financial Supervisory Authority with all the information deemed necessary to be able to update the resolution plan and assess the assets and liabilities of the relevant undertaking and its possible resolution procedure according to the Act on Resolution of Credit Institutions and Investment Firms. The resolution authority shall have access to that information. The FSA shall immediately inform the resolution authority of a credit institution or investment firm if the circumstances are such that an early intervention is permitted pursuant to the first paragraph. According to Article 34 in Act No. 70/2020 on Resolution of Credit Institutions and Investment Firms the FSA decides, after consultation with the resolution authority, whether an undertaking or entity pursuant to points (b) to (d) of the first paragraph of Article 2 is failing or likely to fail and the relevant parties shall be notified of the result without delay. According to Article 34 of the same Act The FMEN decides upon receipt of a notification of a failing bank whether it is necessary to take resolution actions against it in order to achieve the objectives of Act No. 70/2020. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor has the power to review the activities of parent companies and of companies affiliated with parent companies to determine their impact on the safety and soundness of the bank and the banking group. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
The supervisor has the power to review the activities of parent companies and of companies affiliated with parent companies to determine their impact on the safety and soundness of the bank and the banking group according to Paragraph 2 in Article 107 in Act No. 161/2002. CBI/FSA supervises the activities of financial holding companies, mixed holding companies and mixed financial holding companies that are established or operate in Iceland. The supervision of the FSA as a supervisory body on a consolidated basis covers the activities of financial holding companies, mixed holding companies and mixed financial holding companies, the parent company of such companies and their subsidiaries, when they are located in another country, and the supervision can therefore be conducted in cooperation and consultation [with the competent authorities in the relevant Member State in accordance with Section C in the chapter. According to paragraph 4 in Article 107 in Act 161/2002 the FSA may demand any sort of data or information from [the financial holding companies, mixed holding companies and subsidiaries of such companies] provided the FSA deems such information to be necessary for its supervision of financial undertakings which are subsidiaries of these holding companies. Article 107(c) outlines early interventions by the Financial Supervisory Authority. Article 107 (g) states the same for with respect to a parent company. Article 109 outlines the Prudential requirements on a consolidated basis. The provisions of Chapters VII, IX and IX A of the Act shall apply to groups where the parent company is a financial undertaking, mixed financial holding company or financial holding company. The parent company shall be responsible for implementation of this provision within the group. The provisions of Article 52 and 52(a) on the eligibility requirements of board members and managing directors and other duties of board members and provisions Chapter VII Section C on remuneration also apply to financial holding companies. According to paragraph 4 of the Article the Financial Supervisory Authority may decide that the provisions of the first paragraph of this Article and [the ninth and tenth paragraphs of Art.97]3) shall also apply in other instances involving a financial undertaking which alone or jointly with another party has such ownership links to an undertaking that it is deemed necessary to apply these provisions. According to paragraph 5 the FSA may decide that an undertaking shall be considered part of a consolidated financial undertaking when the financial undertaking has a decisive influence on the company. In addition, FSA also assesses the suitability of qualified holders, both when they become qualified holders and also on an ongoing basis, cf. Article 49 of the Act. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 1 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
CBI is the primary regulator of the banks, which came into effect when it merged with the FSA beginning of 2020. Although CBI has separate objectives (e.g., to promote price stability, financial stability and sound and secure financial activities), they do not conflict with its primary banking supervisory role. Iceland has a suitable legal framework for banking supervision wherein the supervisory authority has the necessary powers to conduct ongoing supervision, including the use of corrective actions on a timely basis. The EU regulatory framework for banks has been transposed into law over several years (CRDIV package (with CRDV and CRR II amendments completed last year); however, CBI has not issued guidelines to banks in the key risks that would provide clarity of CBI’s expectations to the banking industry and to ensure the EU rules are tailored to the Icelandic environment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 2 |
Independence, accountability, resourcing, and legal protection for supervisors The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The operational independence, accountability and governance of the supervisor are prescribed in legislation and publicly disclosed. There is no government or industry interference that compromises the operational independence of the supervisor. The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
There are several factors discussed below that speak to CBI’s operational independence, accountability and governance as a supervisor of banks. CBI’s independence may be compromised with government (MoFEA) representation sitting on the FMEN as this Committee makes decisions on micro prudential banking supervisory matters. Further, there is an issue with both accountabilities, but also with operational effectiveness (see EC4) given the lack of a formal legal delegation framework in place from the Governor to others. Please see assessors’ comments at the end of EC4. CBI is an independent institution owned by the State and operates under the auspices of the Prime Minister, cf. Art. (1) of Act no. 92/2019 on the Central Bank of Iceland (hereafter “CBI Act”). The Governor of the Central Bank directs and is responsible for the Bank’s operations and is authorized to take decisions on all matters not entrusted to others by law according to Art. 3 of CBI Act. Article 8 of CBI Act describes the role of CBI’s Supervisory Board. The Supervisory Board monitors the Bank’s compliance with the statutory provisions applying to its activities. Note that the monitoring by the Supervisory board of CBI does not include case handling or decisions on specific banking supervisory matters. One Deputy Governor (DG) oversees matters relating to monetary policy, another oversees matters relating to financial stability, and the third oversees matters relating to financial supervision. The FMEN takes decisions entrusted to the FSA by law or Governmental directives. The Committee may assign to the DG for Financial Supervision its authority to take non-major decisions, cf. A 15(1) of CBI Act. Article 15(2) of CBI Act states that the FMEN shall comprise the DG for Financial Supervision, the DG for Financial Stability, and three experts in financial market affairs who shall be appointed by the Minister responsible for the financial market, for a term of five years. The composition of the FMEN shall be such that the Committee collectively possesses sufficient expertise, qualifications, and experience to carry out the tasks entrusted to it. According to Article 4 of CBI Act, the Prime Minister appoints the Governor for a term of five years. The three Deputy Governors are also appointed by the Prime Minister (nominated by MoFEA) for a term of five years. For further information on the appointment of the Governor, Deputy Governors, and the members of the Financial Supervision Committees, we refer to CP2-EC2. Representation on the FMEN: The composition of the FMEN shall be such that the Committee collectively possesses sufficient expertise, qualifications, and experience to carry out the tasks entrusted to it, cf. Article 15(2) of CBI Act states that the Minister may only appoint the same person to the FMEN twice. The DG for Financial Supervision shall chair the FMEN, and the DG for Financial Stability shall be vice-chair. When decisions are taken on the adoption of rules of procedure pursuant to Article (16)(2) and on entrusting the DG for Financial Supervision with taking non-major decisions and decisions concerning systemically important financial institutions’ equity, liquidity, and funding; the Governor shall take a seat on the FMEN as its Chairman, and the DG for Financial Supervision shall be vicechair. FMEN members appointed by the Minister shall appear before the Parliamentary committee of the Speaker’s choosing before the appointment takes effect, or as soon as possible. They shall be legally competent to manage their own affairs and shall have no record of deprivation of control of their estate. They must have a good reputation and may not, in connection with business operations, have been convicted of a punishable offence under the General Penal Code; acts of law on public limited companies, private limited companies, accounting, financial statements, or bankruptcy; or other special legislation applying to regulated entities. Furthermore, they may not undertake work outside the Bank that could cast doubt on their impartiality. Should a dispute arise concerning the application of this provision, the Minister shall decide the issue. The Minister may, in a Regulation, set more detailed provisions on the qualifications of FMEN members, cf. A 15(3) of CBI Act. The Minister has not issued such a Regulation. Currently the FMEN has a MoFEA representative on the Committee (DG, Department of Financial Services).. The Governor and DGs may not sit on the board of directors of an institution or commercial enterprise outside the Bank, nor otherwise participate in commercial operations except as required by law or in the case of an institution or commercial enterprise in which the Bank is involved. Should a dispute arise concerning the application of this provision, the Minister shall decide the issue. Employees of CBI of Iceland may not serve as executives, employees, auditors, attorneys, or actuaries of regulated entities. Provisions on Central Bank employees’ participation in the boards of directors of institutions and commercial enterprises shall be laid down in rules on the Bank’s activities set by the Governor and DGs. The Minister shall set rules on business transactions conducted with supervised entities by the Governor; DGs; external members of the Monetary Policy Committee, FSN, and FMEN; and Bank employees. These rules shall, among other things, provide for restrictions on their authorization to undertake financial obligations towards regulated entities or to own holdings in them, cf. Article. 5(4-6) of CBI Act. The FMEN shall meet ten times a year on average. According to the Committee’s Rules of Procedure, Art. 3.4., when decisions are taken in major matters pursuant to Articles 5.1 and 5.2 of the Rules of Procedure, a memorandum describing the circumstances of the case, the case handling, and a reasoned proposal for a decision shall be made available, together with relevant documentation. The secretary of the FMEN prepares the agenda for each meeting, upon prior consultation with the DG for Financial Supervision or, in those instances when the Governor chairs the Committee, with the Governor. In general, the agenda and other materials necessary for the meeting shall be sent to Committee members or made accessible to them at least five days before the meeting. Decisions by the FMEN shall be taken by a simple majority of votes; in the case of a tie, the chair shall cast the deciding vote. A record of minutes shall be maintained, containing all that transpires at meetings of the FMEN, and shall be signed by those in attendance. CBI has no input into the matter of who is appointed as an external expert on the Committee. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The process for the appointment and removal of the head(s) of the supervisory authority and members of its governing body is transparent. The head(s) of the supervisory authority is (are) appointed for a minimum term and is removed from office during his/her term only for reasons specified in law or if (s)he is not physically or mentally capable of carrying out the role or has been found guilty of misconduct. The reason(s) for removal is publicly disclosed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
The process and minimum term of appointment for the Governor and DGs is clearly outlined in Article 4 of Act no. 92/2019 as follows (please note “Minister” refers to the Prime Minister):
According to work processes of CBI, an announcement is published on CBI’s website when Governors or DGs are appointed, or their appointed time is over. The same applies when managers are recruited, or they do resign. Process for the appointment of a member of the Supervisory Board is as follows: According to Article 6 of the CBI Act and Article 1.1 of the Rules of Procedure pertaining to the CBI Supervisory Board state that: “The Supervisory Board is elected following Parliamentary elections. The Board comprises seven representatives and an equal number of alternates who are elected by proportional vote in Parliament. It is prohibited to elect board members or employees of supervised entities, or owners of qualifying holdings in supervised entities, to sit on the Supervisory Board. The same applies to members of Parliament, alternate members of Parliament, and Cabinet ministers. Supervisory Board members shall possess sound knowledge of administration and of the statutory and regulatory instruments that apply to the Central Bank. The aim shall be to ensure that Supervisory Board members have broadbased knowledge of the Icelandic economy, the financial market, management, and commercial operations. The mandate of the Supervisory Board remains in place until a new Board is elected. If a principal member of the Supervisory Board vacates the position, an alternate shall assume this seat until Parliament has elected a new principal member for the remainder of the term of the Supervisory Board.” The process and reasons for appointment of both the governing head (e.g., the Governor of CBI) and members of the governing body (e.g., the Supervisory Board) is clear in Act 92/2019 (as indicated above). However, the process and reasons for dismissal for the Governor or a member of the Supervisory Board is not clear in this same legislation. Other Icelandic legislation from an administrative perspective is utilized, if needed, as follows:
Assessors note that CBI or the Prime Minister would not necessarily publicly disclose the reasons for removal of the head of the banking supervisor. Although the alternative legislation (as listed above) does outline the person responsible for dismissal of a government employee, the process and reasons for dismissal of both the Governor and supervisory board members are not explicitly outlined in Act 92/2019. Assessors therefore recommend that Act 92/2019 be amended to ensure the transparency of the process and reasons for dismissal for both the Governor and members of the Supervisory Board. It is important for the public to made aware, on a timely basis, if the Governor and or member of the supervisory board has been removed from office. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor publishes its objectives and is accountable through a transparent framework for the discharge of its duties in relation to those objectives.31 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
There is an annual Financial Supervision report published with the following purpose:
In publishing this report, CBI also attempts to ensure an appropriate level of transparency about FSA Iceland’s work and priorities and to foster informed discourse about the financial system. The last Report is available here: Financial supervision_2022__.pdf (cb.is) CBI’s accountability is demonstrated in its extensive publishing activities and reports, the statements and minutes of meetings of standing committees and regular communications with parliamentary committees, CBI’s Supervisory Board, ministers, supervisory institutions, the media and others whom CBI’s matters concern. CBI strives to be transparent, credible and responsible in its relations with all stakeholders. For instance, the decisions of the FSA/CBI maybe made public as provided for by law (Article 9(a) of Act No. 87/1998 for example SREP results), together with explanations of their assumptions and assessment of the situation. Decisions of the FMEN are published as provided for by law and CBI’s policy on the publication of case results. The FSN and FMEN submit a report on their work to Parliament (Althingi) once a year as provided for by law. Their reports are discussed in the parliamentary committee decided on by the Speaker of the parliament. CBI also interacts with and has obligations towards foreign supervisory bodies, particularly in connection with EEA internal market co-operation, in which Iceland participates. Most significant among them are the European supervisory bodies in the financial market. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor has effective internal governance and communication processes that enable supervisory decisions to be taken at a level appropriate to the significance of the issue and timely decisions to be taken in the case of an emergency. The governing body is structured to avoid any real or perceived conflicts of interest. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Central Bank of Iceland — organisational chart
Please see the organization structure of CBI above32. There are several factors that could impact CBI’s internal governance and supervisory decision making processes pertaining to banking supervision and regulation. For example, the role of the FMEN in CBI/FSA’s decision making processes for the prudential supervision of banks and whether or not there is a need to deal with perceived or real conflicts of interest with government representation on FMEN and last, to ensure ongoing clarity of roles and responsibilities with CBI, a formal delegation of authority should be considered to ensure greater operational effectiveness. Article 3 of the Act No. 92/2019 states that the Governor of CBI directs and is responsible for the Bank’s operations and is authorized to take decisions on all matters not entrusted to others by law. Furthermore, decisions entrusted to the FSA by law or Governmental directives shall be under the auspices of the FMEN (Article 15). The Rules of Procedure of the FMEN are published on CBI’s website33, govern the decision making process. There are weekly meetings with the Governor of CBI, the DG of Financial Supervision as well as the directors of the supervisory divisions and the director of the General Secretariat, where matters of supervision are discussed, and decisions taken regarding the procedure. Following that (e.g., both the DG of Financial Supervision and the General Secretariat sign off on all material prior to be provided to the FMEN) the case is placed before the FMEN for a final decision, if it is a decision that is to be taken by the Committee. See organizational chart about for post-merger structure of CBI. Please see EC2 for greater detail on the operational set up of the FMEN. As previously stated, The FMEN takes decisions entrusted to CBI/FSA by law or Governmental directives. The Committee, if deemed appropriate, may assign to the DG for Financial Supervision its authority to take non-major decisions. The FMEN has adopted Rules of Procedure which are published on the FSA website, and they lay out which decisions are to be taken by the Committee. Decisions of the FMEN vs. the DG for Financial Supervision. The FMEN’s Rules of Procedure outlines what decisions the Committee can/will take. Regarding all other decisions, the authority to take decisions has been assigned to the DG for Financial Supervision. CBI/FSA has adopted Rules of Signature which accompany its Rules of Procedures that outline what decisions have been assigned to the Directors by the DG for the implementation of financial supervision of banks. The following are examples of decisions that the DG signs:
The Directors, each in their respective areas of responsibility, sign, apart from the abovementioned decisions, the following decisions:
In the rules there is also an article on what the Heads of units may sign, however there is lacking a formal delegation of authority with respect to which levels within the CBI may approve certain decisions, beyond the Governor’s authority and that decisions that are assigned to the FMEN with respect to banking supervision. This current structure is up for discussion/potential change (see draft bill of legislation below). Draft Bill of Legislation The Prime Minister’s office put forth a draft bill of legislation on the “on-line public consultation portal” 34for consideration regarding the amendments on CBI Act No. 92/219 regarding FMEN. The draft bill of legislation proposes to make the following changes:
Reasons provided by the Prime Minister’s office indicated that the assessment committee pointed out that CBI itself should be taking decisions in the field of financial supervision in a manner similar to other authorities, leaving FMEN to deal with the remaining tasks of an administrative nature pertaining to financial supervision, such as decisions that would principally include the application of administrative sanctions and coercive measures, such as the application of per diem fines to press for improvements and the revocation of operating licenses and registering of violations and the FSN to deal with financial stability matters. Assessor’s Comments: Since the merger, CBI/FSA’s operational effectiveness and overall accountability framework is somewhat weak as it has yet to develop and implement a legal delegation of authority framework which would set out what powers, duties and functions for the administration of the various banking supervision legislation, regulations, guidelines, etc. have been or should be delegated by the head of the institution (e.g., in this case the Governor) and to whom (DG, Directors, FMEN, etc.). It is noted that FMEN’s “Rules of Procedures list out certain decisions that will be passed or delegated from the FMEN and to whom. It is critical that CBI put in place, its own internal delegation of authority, beyond its internal “signatory document”, to ensure operational effectiveness is clear as decisions pertaining to prudential supervision of banks should not be unnecessarily impeded nor the level of sign off be questioned legally, especially when issues and timely decisions need to be taken in case of an emergency situation or the prompt corrective measures being utilized (e.g., dealing with a problem bank). Further, as some members of the FMEN represent the MoFEA, and cases where their impartiality may be doubted are to be decided by the Minister, there is the potential of a real and/or perceived conflict of interest for the members that represent the MoFEA to be overseeing prudential decisions on the D-SIB, in particular when two of the D-SIBs are either state owned or have a substantial government interest in the bank. Although the MoFEA representatives have adequate qualifications to fulfill their roles, as well as appearing before a Parliamentary committee prior to appointment, having MoFEA representatives makes micro-prudential decisions from a bank “regulator” viewpoint with respect to banks lacks the necessary “independence” that a bank regulator is requ ired to have when making prudential and at times necessary decisions pertaining to safe and sound banking system. Assessors recommend that CBI, MoFEA and the Prime Minister ensure the independence of representatives to fulfill the respective roles on the FMEN. It is acknowledged that the Minister of Finance sits on the Financial Stability Council, which is appropriate and necessary, especially in dealing with banking sector wide/ financial stability issues. Assessors acknowledge that some of these suggested amendments would require legislative amendments to put in place. It is noted that the FMEN also currently oversees all decisions regarding all supervised entities inherited from the FME. This makes the FMEN quit laborious35 (e.g., decisions pertaining to the prudential regulation of banks is carried out by a committee of peers rather than simply the bank regulator) resulting in decisions regarding banking supervision taking longer than expected resulting in delayed communication with the banks on key issues (requirements banks need to address). Further, Basel Standards require the banking supervisor to demonstrate independence when making decisions that are free from real or perceived conflicts of interest. “The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision” (as stated in EC1 criteria). The current structure of the FMEN, CBI does not have the full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision as all micro prudential decisions are taken by a majority vote of the FMEN (a group of external representatives (three members) versus CBI as the bank regulator (two members or if the Governor joins three members). CBI, as the primary regulator of banks/banking groups, should have the full (e.g., “sole”) discretion to make micro-prudential supervisory decisions on a timely basis, without consulting a committee with external representatives, as this lacks the necessary independence if such decisions are to be taken by “vote” on the FMEN. Given the Draft Bill of Legislation has not passed Parliament, assessors comments are with respect to the current operational structure. However, if such an amendment is enacted, with the substantial shift of power, duties and responsibilities to the Governor, a formal delegation of power and decision making from the Governor to other individuals or to the Committee would be considered critical to put in place. This delegation of authorities should have been put in place beginning 2020 at the time of the merger with CBI and the former FME to ensure on-going clarity of roles and responsibilities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor and its staff have credibility based on their professionalism and integrity. There are rules on how to avoid conflicts of interest and on the appropriate use of information obtained through work, with sanctions in place if these are not followed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Rules No. 303/2020 on Business Transactions conducted by the Governor, DGs, External Committee Members, and Employees of CBI with Supervised Entities provide appropriate measures to identify and prevent, or to address, conflicts of interest in connection with CBI employees’ business transactions with supervised entities. These rules are issued on the basis of A 5(6) of CBI Act. CBI also has a Code of Ethics that applies to all staff. The Code of Ethics of CBI of Iceland is based on the Bank’s core values and lays down in detail the ethical principles which its employees are to adopt and be guided by in their work. Article 4 of the Code of Ethics further lays down rules on conflicts of interests. Additionally, A 41 of CBI Act regards confidentiality requirements of CBI’s employees. The Article states that supervisory Board members; the Governor; Deputy Governors; members of the Monetary Policy Committee, FSN, and FMEN; and other employees of CBI of Iceland are obliged to observe confidentiality concerning the affairs of the Bank’s customers; transactions and operations of supervised entities, related parties, or others; and the affairs of the Bank itself; as well as other matters of which they may become aware in the course of their work and which should remain secret in accordance with law or the nature of the case, unless a judge rules that information must be disclosed in court or to law enforcement officers, or there is a legal obligation to provide the information. The same applies to experts, contractors, and others who work for or on behalf of the Bank. The obligation to observe confidentiality remains in effect after employment ceases. According to A 41 (2) of CBI Act, prohibits Supervisory Board members; the Governor; Deputy Governors; members of the Monetary Policy Committee, FSN, and FMEN; and other employees of CBI to use, confidential information that they acquire through their employment with the Bank, including using it for financial gain or to avoid financial loss in business transactions. A violation of CBI Act shall be punishable by fines or imprisonment for up to one year unless more severe penalties are provided for under other legislation. Attempted violations of this Act or participation in such violations shall be punishable according to the General Penal Code of Iceland, No. 19/1940. Finally, Act No. 70/1996 on Government Employees, states the appropriate procedures for a termination of employment and other disciplinary actions applicable when a government employee violates his duties. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor has adequate resources for the conduct of effective supervision and oversight. It is financed in a manner that does not undermine its autonomy or operational independence. This includes:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
CBI’s funding mechanism for the portion of budget needed to fund banking supervision for the FSA, is overly complicated (suitable for when FME operated as a separate entity), dependent upon the MoFEA to submit request for Parliamentary approval (Part A -involves remitting bank supervisory fees to the Treasury), and differs substantially from the funding of CBI (Part C not subject to a fiscal authority or for example, CBI’s income and expenses are excluded from government revenue and expenditure.). This current funding mechanism could undermine CBI’s ability to adequate fund banking resources on a timely basis. A remedy (e.g., change the funding mechanism of banking supervision to Part C to align with CBI’s overall funding mechanism) is needed to ensure CBI, as the banking supervisory authority, has the necessary operational independence and autonomy to ensure it has adequate resourcing to deliver on its mandate as the banking supervisory authority. See comments by the Assessors at the end of this EC for additional information. Further background information includes: According to Art. 1-3 of Act No. 99/1999 on Payment of Cost for Official Supervision of Financial Activities and Resolution Authority, supervised entities and other parties subject to fees shall pay the cost for Official Supervision of Financial Activities in accordance with the provisions of the Act. CBI collects the supervision fee from the supervised entities. The supervision fee is defined as state revenue and is returned to the Treasury. The MoFEA shall, based on a fund appropriation in the budget, determine the allocation of funds for the operation of the FSA which amounts to at least the budget’s estimate of revenue from supervisory fees and payments for special measures under the Act. CBI shall, in its accounting, ensure the financial separation of the official supervision of financial activities from other activities of the Bank and revenues from financial supervision shall only be used to finance the official supervision of financial activities. The Act states also that CBI shall, no later than 1 February each year, submit a report to the MFEA on the estimated operational cost of the FSA for the next year. The report shall, furthermore, assess the development of the FSA’s operations over the next three years, having regard for the time which can be estimated to have been spent on the different classes of parties subject to Article 5. The report of CBI shall be accompanied by an opinion from the Consultative Committee of supervised entities concerning the estimated scope of the operations of the FSA for the coming year together with the reaction of the FMEN (the FMEN also discusses the report itself) on the opinion. If the conclusion of the report gives reason to change the percentage rate of the supervision fee, the MoFEA shall submit a bill there upon to the Althingi (Parliament). If the FSA appears likely to have an operating surplus or loss for the current year, when the report for the next year is prepared, it shall be taken into consideration in determining the supervision fee for the following year. CBI Act provides for the Bank’s independence in Article 1 of the Act. Act on Public Finances no. 123/2015 (point 3. Para. 1 Art. 50) that states that the activities of CBI shall be included in Part C of the State budget together with companies’ majority owned by the state. This classification in the State budget means that CBI is not subject to the state’s fiscal authority, e.g., the bank’s income and expenses are excluded from government revenue and expenditure. CBI/FSA, however, falls under Part A of the State budget where the supervision fee is defined as state revenue and the fee is returned to the Treasury and its disposal is subject to the Minister’s budget based on budget appropriations. CBI stated that it may not maintain its status as an independent entity in accordance with CBI Act given the Part A funding for the FSA. Further, CBI has also stated that its financial independence may have been reduced as CBI does not have the legal authority, according to Act No. 99/1999, to reserve funds for the operation of FSA functions, including banking, should there be a sudden need for an increase in banking supervisory resources occur (e.g., before the parliamentary budget cycle). In this regard it should be noted that CBI is not allowed to lend money to the “state” according to Article 26 of CBI Act and can therefore not assist its own operations of CBI/FSA run out of funding for supervision mid cycle. If a state entity, like the CBI, does exceed its spending caps defined by the Parliament to fund expenditures that are temporary, unforeseeable and unavoidable, the MoFEA has indicated that the Organic Budget Law does provide for different options for securing the necessary appropriation, such as: a) the Minister of MoFEA can authorize a transfer of necessary appropriations from the General Contingency Reserve or b) necessary appropriations can be authorized by Parliament in the Supplementary Budget. Further, it is possible that remaining deficit can be deducted from the following year’s budget appropriation. If necessary, the following year’s appropriation can be adjusted to cover any such deficit through the adjustment of the Supervision Fee charged to banks for the subsequent year. Assessors however are of the view that although there is an ability to adjust the “budget appropriation” mechanism and that this process has been in place for the past 20 years regarding the operation of the FSA, that it is important for the CBI to have the ability to fund/finance banking supervision resources in a manner that does not undermine its autonomy (e.g., self-sufficiency) or operational independence. This suggestion is related to the “funding” of banking supervision, not additional liquidity needs or the “printing of money” (as per Article 29 of the CBI Act). The current process to finance banking supervision is cumbersome and overly complicated and not unlike other Central Banks, who also have the responsibility of banking supervision, the funding of the resources for banking supervision should form part of the overall budget for the Central Bank (e.g., in this case Part C for CBI). This suggestion comes with the obvious accountabilities that CBI should have in reporting to parliament against its funding/resource objectives/responsibilities. (b) salary scales that allow it to attract and retain qualified staff; CBI participates regularly in a market comparison for salaries. The findings show that specialists undertaking FSA tasks receive salaries that are comparable to the financial market. Managers of the FSA, however, receive comparably lower salaries than managers at the same level in the financial market. Article 5 (1-3) of Act No. 92/2019 states the Governor’s and the DG’s remuneration. The Governor’s salary shall be 1,936,202 ISK. per month and the DG’s salary shall be 1,742,581 ISK. per month. The salaries shall change each year on 1 July. Before 1 June, Statistics Iceland calculates and publishes the percentage change in Government employees’ average regular salary for the following calendar year. CBI adheres to an equal rights policy in accordance with the Act on Gender Equality, no. 150/2020, and the Act on Equal Treatment in the Labor Market, no. 86/2018. In March 2021, the Bank renewed its equal rights policy, which states, among other things, that employees shall be treated equally in terms of hiring and professional advancement. CBI’s equal pay policy was approved during the year 2021. According to the policy, all employees shall receive equal pay and enjoy equal terms of employment and rights for the same jobs or jobs of equal value, so that there is no gender-based pay gap within the Bank. The Bank’s equal pay certification was renewed in the autumn. For the second year in a row, an equal pay analysis showed that there was no unexplained wage gap between the sexes at the time. In addition, the Bank adheres to a special transportation policy that encourages employees to use eco-friendly, economical, and healthy modes of transport and supports them in that endeavor. At the end of 2021, a total of 86 transportation agreements between employees and the Bank were in effect.
CBI can hire outside experts to work on extraordinary projects, or to deal with special situations and has done so in various project in recent years. According to Article 9 (2) of Act no. 89/1998 the FSA may appoint an expert to investigate certain aspects of the activities or operations of a supervised entity, or to undertake other specific supervision of such an entity. The expert shall be appointed for a specified period of no longer than four weeks at a time. The expert shall be provided with working facilities on the premises of the supervised entity and given access to all requested accounts, minutes, documents and other material kept by the supervised entity. The expert shall be entitled to attend meetings of the Board of the supervised entity as an observer with the right to speak. The expert’s obligation of confidentiality shall be as provided for in Chapter IV of the Act. (d) a budget and program for the regular training of staff: CBI annually uses about 3.5 percent of salary and salary-related expenditure, for educational purposes. The Bank has issued a strategy on staff training. The training includes different methods for regular training such as in-house knowledge sharing, training opportunities both locally and abroad. Furthermore, the use of on-line training has increased. A career plan is discussed for each employee in an annual performance interview, however there is no structured general career path for supervisors. During the year 2021, the Bank’s senior officers received management training aimed at strengthening the management team and formulating the Bank’s vision and values in the wake of the merger between the Bank and the FSA in 2020. All supervisors have access to the BIS’s e-learning platform, FSI connect. New supervisors follow defined learning paths for bank risks, BCP, risk-based supervision etc., others use the platform and specific modules when needed and for revision. However, given the extensive roll-out of the EU legislation, financial supervisors as well as risk specialists should be afforded specialized training to ensure adequate transfer of knowledge. Regular performance reviews and feedback conversations aim to capture specific learning needs for each individual, based on their supervision and project plan. It can be challenging to find appropriate learning opportunities for such specific training, but conferences and events organized by EBA, Bank of England, BIS, ECB, Florence School of Banking and Finance etc. have been useful. During Covid-19, most events were also available on-line, allowing more supervisors to attend since on-line events are both cheaper and less time consuming than on-site ones. Each manager has an ample budget for employees training and makes decisions about what events or conferences supervisors attend according to their training needs and the FSA’s supervision plan.
CBI is equipped internally with hardware (servers, clients, and network infrastructure) for all daily operations of Financial Supervision and the budget is sufficient to maintain necessary databases and analysis tools for the supervision.
Most supervised entities are located in the capital area. The required travelling budget for on-site work in Iceland is therefore low. Cross-border cooperation for overseas operations of supervised entities is very limited. CBI participates in international meetings, especially within the EEA i.e., EBA, ESMA and EIOPA meetings. The travel budget covers the cost for all domestic and international cooperation and meetings. Assessor’s Comments: The function of banking supervision is complicated somewhat as it is spread out amongst three departments as follows (see table below). Assessors noted areas of key person risk (Op Risk (ICT/Cyber); Market Risk/IRRB) wherein additional risk expertise is needed. Further, although the Banking Department is approved for 23 FTEs, it was noted that only 18 are currently staffed. There was discussion of turnover regarding banking financial supervisors overseeing the DSIBs further to the merger of the FSA/CBI leaving the largest DBIS without a lead supervisor. CBI needs to assess whether overall banking structure as well as key risk areas are adequate to support its mandate.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
As part of their annual resource planning exercise, supervisors regularly take stock of existing skills and projected requirements over the short- and medium-term, taking into account relevant emerging supervisory practices. Supervisor’s review and implement measures to bridge any gaps in numbers and/or skill sets identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
As a part of the annual supervisory planning process, particularly when deciding on onsite and off-site inspections, directors allocate their resources based on the skillset of current employees. If a need for a specific skillset or extra resources emerges during the planning process action is taken to address the issue involving the human resources department and the Governor. As a part of the annual budget planning directors are asked to plan resources for the next 3-5 years. This resource planning is based on the medium-term supervisory strategy and priorities in addition to the regular on-going supervisory tasks. The largest part of the budget cost is staffing. Directors are involved in the budget planning. Budget planning is thus closely tied with changes in legislation and needed staff, based on risk assessment and supervisory priorities. If Directors believe they need more staff, they need to have a bilateral discussion with the Governor and send a memo to him and the Director of Human Resources. The Governor takes a decision on new hires. Further, HR and finance meet with every manager annually, to re-evaluate the resources needed (e.g., manpower, training budget and IT) to fulfil the supervisory planning. The HR manager and manager of operations then meets with the DG of Financial Supervision in October/November each year to go through and discuss the whole budget plan. The budget plan is then introduced to the Supervisory Board of CBI and accepted if there are no comments. The basic rule for the 3-5 years plan is to estimate 5 to7 percent budget increase. If annual meetings with managers reveal change in projects or plan, the plan is updated accordingly. Assessors recommend that the overall supervisory plan, should first be established to ensure that adequate coverage, especially for the DSIBs, of the material or key risks are covered/assessed on a multi-year risk-based cycle. Given that the supervisory function is spread out between three different departments within CBI, it is critical that the managers work together and present a joint request to the Governor and not necessarily on a bilateral basis. Then resource needs should be discussed and agreed. Added considerations such as how the supervision program should be tweaked/changed based on emerging risk issues is best discussion first with the three department managers together. Given the extensive roll-out of the EU legislation, financial supervisors as well as risk specialists should be afforded specialized training. In addition, the Supervisory Handbook needs to be updated to reflect these new and extensive set of guidelines. See EC 6 for a deeper discussion on key person risk issues, level of vacancies and turnover that has occurred since the merger of CBI/FSA. Assessors recommend a more holistic approach is needed by the managers as a group, working with the HR specialists, to ensure resourcing, skills development and overall supervisory planning is effective to deliver on the mandate of banking supervision. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
In determining supervisory programmes and allocating resources, supervisors take into account the risk profile and systemic importance of individual banks and banking groups, and the different mitigation approaches available. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
In line with the EBA SREP guidelines and CBI/FSA’s supervisory methodology for a high impact bank (categorized as a DSIB), and according to the Minimum Engagement Model, CBI/FSA, substantially more resources are allocated to the DSIBs rather than to the low or medium low impact banks (e.g., 4th Commercial bank and the 4 savings banks). For high impact banks (D-SIBs), CBI/FSA undertakes an annual SREP assessment, with a deep dive on ICAAP/ILAAP, Business Model Analysis (BMA) together with several on-site examinations covering various topics of concern. There are two financial supervisors assigned to each of the DSIBs and two financial supervisors who oversee 5 savings banks (one of these banks has an issued license but it is not operational yet). DSIB banks had approximately eight on-site examinations over the past 5 years; savings banks had one. The low to medium low impact banks are allocated less supervisory time and resources as the minimum engagement model does not call for the same depth of supervisory assessment (e.g., ICAAP/ILAAP carried out every two years) and are not afforded the same kind of attention or review based on the minimum engagement model that is in place. For example, CBI/FSA does not necessarily have to engage key control function representatives of the banks along the same frequency). Supervisory tasks based on the outcome of the risk assessment are scheduled to mitigate the risk identified using the most appropriate measures available (off-site or on-site inspections, follow-up meetings etc.) Note that banks with higher risk profiles are allocated additional resources when needed in accordance with CBI/FSA’s SREP methodology. See CP8 EC1 for more details on the overview of CBI/FSA’s SREP program. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
Laws provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. The supervisor and its staff are adequately protected against the costs of defending their actions and/or omissions made while discharging their duties in good faith. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
The legal protection for supervisors is not addressed in legislation. In Iceland, there is a well-established “rule of employers’ liability” based on case law by the Icelandic Supreme Court in the mid-1930s. The rule provides that an employer can be liable for damage caused by his employee’s negligent action in the course of the employment. Such strict liability for the employer means that his liability is independent from any culpa on his behalf. If the employee has acted outside his normal scope of conduct, the employer may not be liable for the employee’s actions. A contract for employment is a prerequisite for the application of the employers’ liability rule and that the employee is acting under the actual instruction, supervision and control of the employer. According to Article 23 of the Tort Act, an employer’s claim for recourse for damages paid as a result of the employee’s negligent conduct is limited to what is considered reasonable, taking account of the employee’s position and degree of negligence, based upon the circumstances of the case. The same rule applies for claims against an employee for loss caused by him in the course of his employment. Further, an employee may benefit from the general rule of reduction or exemption from liability in cases where it is deemed reasonable depending on the circumstances, taking account of the interests of the claimant. The rule of employer’s liability for the employees’ negligence can be applied to the public sector as well as the private sector. It covers liability for loss or damage caused by negligent conduct of employees of the state, municipalities and public institutions in the course of their employment. Assessors recommend that the legislation be changed to provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. The supervisor and its staff need to have adequate protection against the costs of defending their actions and/or omissions made while discharging their duties in good faith. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 2 |
Materially Non-Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Basel requires that “The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision”. The workings of the FMEN appear very laborious resulting in decisions regarding banking supervision taking longer than expected resulting in delayed communication with the banks on key issues (requirements banks need to address). With the current structure of the FMEN, CBI does not have the full discretion to take supervisory actions or decisions on banks and banking groups under its supervision on a timely basis and without the interference/vote of the FMEN. Further, as the FMEN has representatives from the MoFEA, there is the potential of a real and/or perceived conflict of interest for the members that represent the MoFEA to be overseeing prudential decisions on banks, in particular when three of the D-SIBs are either state owned or have a substantial government interest. Assessors recommend the independence of FMEN members should be ensured as there should be no government or industry interference that compromises the operational independence of the supervisor. Since the merger, CBI/FSA’s operational effectiveness and overall accountability framework is somewhat weak as it has yet to develop and implement a legal delegation of authority framework which would set out what powers, duties and functions for the administration of the various banking supervision legislation, regulations, guidelines, etc. have been or should be delegated by the head of the institution (e.g., in this case the Governor) and to whom (DG, Directors, FMEN, etc.). Therefore, it is critical that CBI put in place its own internal formal delegation of authority to ensure operational effectiveness is clear, as decisions pertaining to the prudential supervision of banks should not be unnecessarily impeded nor the level of sign off be questioned legally, especially when issues and timely decisions need to be taken in case of an emergency situation or the prompt corrective measures being utilized (e.g., dealing with a problem bank). The CBI Act needs to be amended to clearly indicate the process and reasons for dismissal of the Governor and/or a member of the supervisory Board as there is a lack of clarity/transparency in the alternative legislation for the dismissal of a government employee. Further, the Act should be amended to provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. Last, CBI’s current funding mechanism needs to be changed to ensure that it has an adequate ability to fund banking resources on a timely basis. CBI also needs to reassess its current banking staff complement to ensure that it is adequately staffed to effectively deliver on its mandate of banking supervision. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 3 |
Cooperation and Collaboration Laws, regulations or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information.37 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with all domestic authorities with responsibility for the safety and soundness of banks, other financial institutions and/or the stability of the financial system. There is evidence that these arrangements work in practice, where necessary. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
The cooperation framework with domestic authorities responsible for the safety and soundness of banks has been made more simple to manage since January 1, 2020 when all tasks of the Financial Supervisory Authority (FSA - FME in Icelandic) were transferred to CBI of Iceland (CBI), by Act No. 92/2019 on CBI of Iceland (so-called CBI Act), article 47: https://www.cb.is/library/Skraarsafn---EN/Central-Bank/Central Bank Act 92 2019. The FSA is now embedded into CBI. Though the term “FSA” has been maintained in applicable legislation, the FSA does not legally exist as an official authority in charge of financial supervision anymore. Yet the term “FSA” continues to be used in practice. The CBI (referred to as “CBI/FSA” in this report) is now the prudential supervisor as well as the supervisor of conduct of business. Based on this institutional framework, internal cooperation and external cooperation are both relevant for CBI. 1°/ Internal cooperation The merging of the two authorities (CBI and FSA) was effective as of January 1, 2020. It has resulted in increased efficiency of financial supervision, resulting from better and more transparent flows of information, greater possibilities for analytical work, additional synergies, and a clearer division of power internally when it comes to making decisions regarding financial supervision. In all, integration of the FSA into CBI has enhanced internal cooperation on banking supervision. Internal cooperation within CBI is formally structured around the FSN (FSC) and the FMEN (FMEN). Act No. 92/2019 on CBI defines respective roles and responsibilities of the FSN (Chapter IV) and the FMEN (Chapter V). CBI departments supporting CBI committees (at the time of the mission, they were: Financial Stability Department, Banking Department, Compliance and Inspections Department) cooperate among themselves on a daily basis through regular supervisory processes. In addition, public rules of procedures are disclosed for each committee: (i) https://www.cb.is/library/Skraarsafn---EN/FinancialStability/FSC/FSC Rules of Procedures.pdf for the FSN; and (ii) https://www.cb.is/library/Skraarsafn---EN/Financial-Supervision-Committee/Rules Of Procedure FinancialSupervision Committee.pdf for the FMEN. Tasks of the FSN are specified in Act No. 92/2019 (article 13), while tasks of the FMEN are not specified as such in a dedicated article. Yet the mandate of the FMEN is made clear through articles 13 and 15. Article 13 mentions that: “The tasks of the FSN are to: a) Assess the current situation of and outlook for the financial system, systemic risk, and financial stability. b) Discuss and define the actions deemed necessary at any given time in order to affect the financial system so as to strengthen and preserve financial stability, and to this end, direct comments to the appropriate Governmental authorities when warranted. c) Approve Governmental directives and take the decisions entrusted to the Committee by law. d) Decide which supervised entities, infrastructure, and markets shall be considered systemically important and of a nature that their activities could affect financial stability.” Article 15 mentions that: “The FMEN shall take decisions entrusted to the Financial Supervisory Authority by law or Governmental directives.” In practice, the FSN has adopted an extensive scope of duties that goes beyond financial stability and covers topics pertaining to microprudential supervision that would intuitively fall into the scope of the FMEN, based on usual practices observed among foreign banking supervision authorities. The rationale of such extensive scope may be explained by the systemic importance of major banks. The main illustration of joint involvement of both FSN and FMEN is microprudential supervision of liquidity risk of the three domestic systemically important banks (D-SIBs):
Documentation and information provided during the mission have demonstrated a close monitoring of major banks’ liquidity and have not highlighted any evidence of poor internal cooperation nor significant gap resulting from such a segregation of duties within CBI regarding the supervision of liquidity risk. Yet, from an organizational working perspective, it would make sense that microprudential banking supervisors cover the whole range of risk domains and supervisory tasks, including liquidity risk (a major risk domain indeed), to have full control of the implementation of prudential regulations the supervision of which the FSA is legally in charge. 2°/ External cooperation At national level, CBI is an active member of the Financial Stability Council (FSC): https://www.government.is/topics/economic-affairs-and-public-finances/financial-stability-council/. The FSC assesses the effectiveness of macroprudential policy tools. Based on CBI staff’s propositions, the FSN of CBI has the power to decide macroprudential measures applicable to banks aimed at ensuring financial stability which may impact banking supervision. The FSN is competent for setting the countercyclical capital buffer (CCyB), limits on mortgage loans, and other policy measures including the bank liquidity coverage ratio in national currency (ISK) and foreign currencies, as well as bank funding ratios in foreign currencies. At national level, CBI is cooperating with the Ministry of Finance and Economic Affairs (MoFEA) on banking supervision matters.
A MoU on cooperation regarding actions against money laundering, terrorist financing, and proliferation financing of weapons of mass destruction has been signed between the Ministry for Foreign Affairs, the Iceland Revenue and Customs, and CBI of Iceland in 2020, under review in 2022. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with relevant foreign supervisors of banks and banking groups. There is evidence that these arrangements work in practice, where necessary. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
A structured cooperation framework is in place between CBI and foreign supervisory authorities both (i) on a bilateral basis, and (ii) for multilateral cooperation. CBI has the legal power to engage into bilateral and multilateral cooperation in banking supervision, notably for the purpose of consolidated supervision of banking groups, as stated by Act No. 87/1998 on Official Supervision of Financial Activities, articles 14 and following (https://www.cb.is/library/Skraarsafn---EN/Laws/Act%20No.%2087%201998%20on%20Official%20Supervision%20of%20Financial%20Activites.pdf), as well as by Act No. 161/2002 on Financial Undertakings (that is, the so-called banking law), inter alia articles 109 and following (https://www.cb.is/library/Skraarsafn---EN/Laws/Act%20No.%20161%202002%20on%20Financial%20Undertakings.pdf). International cooperation of CBI applies within the Euro Economic Area (EEA) which Iceland is a member of, and beyond the EEA. 1°/ Bilateral cooperation The need is quite low for bilateral cooperation between CBI and foreign banking supervision authorities for the purpose of consolidated supervision of banking groups, because (i) there are no foreign banks operating branches or subsidiaries in Iceland; and (ii) there is a very limited number of Icelandic banks with cross-border establishments (no bank branch is licensed abroad, and only one subsidiary of a non-major bank has recently been licensed in the United Kingdom). In the past, CBI had signed several of bilateral cooperation agreements with foreign banking supervision authorities, in the form of memoranda of understanding (MoUs), which purpose was mostly to facilitate information sharing on Icelandic banks’ shareholders that were incorporated as legal entities in foreign jurisdictions. These MoUs are still valid, though barely used in practice for banking supervision. The list of bilateral MoUs is not disclosed on CBI’s website (source: CBI):
Many jurisdictions of this list are international financial centers, or offshore financial centers, with which international cooperation may potentially be challenging for consolidated banking supervision, supervision of parent companies of regulated banks, or AML/CFT, given the intrinsic nature of these centers. CBI has not reported any issue regarding effective cooperation from such jurisdictions on requests asked by CBI (very low need, in practice). 2°/ Multilateral cooperation CBI is much more concretely engaged into multilateral cooperation with foreign authorities involved in banking supervision, especially Nordic countries, and EEA/EU countries and institutions. The list of multilateral MoUs is not disclosed on CBI’s website (source: CBI):
Regarding multilateral cooperation, interaction between CBI and foreign regulators mostly focuses on coordinated development of supervisory policies and regulations, and development of best supervisory practices in Iceland. CBI is an observer in the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), and the European Insurance and Occupational Pensions Authority (EIOPA). CBI is also a member of a European Free Trade Association (EFTA) working group on financial services. In addition, CBI takes part in regular cooperation with regulators of Nordic countries on various issues concerning developments in financial activities and harmonization of supervision. Iceland has implemented EU CRD/CRR, and further amendments to them, relating to the taking up and pursuit of the business of credit institutions. The EU Directive lays down rules regarding information requests between competent authorities in member States. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor may provide confidential information to another domestic authority or foreign supervisor but must take reasonable steps to determine that any confidential information so released will be used only for bank-specific or system-wide supervisory purposes and will be treated as confidential by the receiving party. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Icelandic law ensures explicit protection of confidentiality of sensitive information foreign authorities are provided with by CBI for the purpose of banking supervision. According to Act No. 87/1998, article 14, CBI of Iceland may disclose information, which is to be treated confidentially in accordance with CBI Act, article 41, to supervisory authorities of other EEA Member States, provided that this constitutes an act of cooperation between those States involving supervision of the activities of parties subject to supervision, and furthermore that such an exchange of information is beneficial for conducting such supervision as prescribed by law. Such information can only be disclosed on the condition that it is subject to the obligation of secrecy in the State concerned. According to Act No. 87/1998, article 14, agreements may also be made with supervisory authorities in countries outside the EEA for the purpose of exchange of information, under the condition that the obligation to observe secrecy applies. Also, according to Act No. 87/1998, article 14, CBI may provide regulatory authorities of other EEA member States with confidential information as provided for in CBI Act, article 41, if such disclosure is part of cooperation between States in the supervision of activities of regulated entities and such disclosure is useful in permitting the conduct of the supervision prescribed by law. Such information may only be disclosed on the condition that it is subject to obligation of confidentiality in the State concerned. On July 1, 2022, a new article was added to Act No. 161/2002 regarding sharing of information and collaboration with other authorities. Article 109(aa) grants CBI permission to provide confidential information to other authorities within the EEA, granted that the receiving authority has equivalent confidentiality rules regarding such information. This new article allows for CBI to provide information (with the forementioned conditions) to institutions of the European Free Trading Area (EFTA) and other financial supervisory authorities within the EEA (EU, plus Iceland, Liechtenstein, and Norway), in charge of supervision of financial undertakings, security trading undertakings, and payment services undertakings. It also allows for information exchange with authorities dealing with monetary policies as well as AML/CFT authorities. Information subject to obligation of confidentiality in accordance with special legislation or other legislation shall be subject to similar obligation of confidentiality after being delivered to CBI. MoUs signed by CBI include a clause of protection of confidential information shared with foreign authorities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor receiving confidential information from other supervisors uses the confidential information for bank-specific or system-wide supervisory purposes only. The supervisor does not disclose confidential information received to third parties without the permission of the supervisor providing the information and is able to deny any demand (other than a court order or mandate from a legislative body) for confidential information in its possession. In the event that the supervisor is legally compelled to disclose confidential information it has received from another supervisor, the supervisor promptly notifies the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. Where consent to passing on confidential information is not given, the supervisor uses all reasonable means to resist such a demand or protect the confidentiality of the information. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
In addition to developments under CP3 EC3, Icelandic law also ensures explicit protection of confidentiality of sensitive information received by CBI from foreign authorities for the purpose of banking supervision, according to Act No. 161/2002, Article 109(aa), Para 5. The obligation to observe secrecy according to CBI Act, article 41, applies to comparable information received by CBI from supervisory authorities of other EEA member States. MoUs signed by CBI include a clause of protection of confidential information received. CBI has not faced any situation in which disclosure of confidential information received from a foreign authority in application of cooperation arrangements was requested by an order of a national court or Parliament. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
Processes are in place for the supervisor to support resolution authorities (e.g., central banks and finance ministries as appropriate) to undertake recovery and resolution planning and actions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and findings re EC5 |
Cooperation with national authorities in charge of banking resolution has been facilitated by setting up an official resolution authority integrated within CBI in September 2020, using a similar institutional approach as for the Financial Supervisory Authority regarding banking supervision in January 2020 (except that decisions of the RA are made by the CBI Governor while major decisions of the FSA are made by the FMEN). The Resolution Authority has a specific legal framework, that is Act No. 70/2020: https://www.cb.is/library/Skraarsafn---EN/Laws/Act%20No.%2070%202020%20on%20Resolution%20of%20Credit%20Insitutions%20and%20Investment%20Firms.pdf. Leveraging on this integrated institutional framework, CBI legally and operationally ensures coordination between inner authorities in charge of banking supervision (the FSA) and banking resolution (the Resolution Authority). During the first two years of operation of the Resolution Authority, CBI banking supervisors have supported the Resolution Authority in order to complete resolution plans for banks. The Resolution Authority is provided with information on SREP outcomes and Pillar 2 decisions directly from the Financial Supervision department, which the Resolution Authority uses for making MREL decisions. Both authorities use integrated channels in order to collect data from banks. Processes are in place for this support. Moreover, both the FSA and the Resolution Authority are developing integrated operational guidance serving as a manual for how CBI will deal with the deteriorating financial situation of a bank unto its failure (under progress). In Iceland, neither the Resolution Authority nor the FSA undertakes recovery planning. Banks make their own recovery plans. However, both the Resolution Authority and the FSA review these plans in order to assess resolvability, to prepare resolution plans (Resolution Authority), and to assess timely intervention (FSA). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 3 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Cooperation and collaboration are not critical for Iceland, given that the banking system is largely domestic-oriented, and cross-border banking activities through entities are very limited in both ways. Even so, cooperation arrangements have been developed by CBI of Iceland for banking supervision. CBI has signed bilateral MoUs, which are not much used in practice, because there is no need. CBI is quite more engaged into multilateral cooperation; notably with Nordic countries, to share global information and best practices. At domestic level, CBI is part of a national cooperation arrangement for AML/CFT, and it maintains continuous interaction with the Ministry of Finance and Economic Affairs (MoFEA) informally. Confidentiality of information shared through cooperation arrangements is ensured. No main finding has been identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 4 |
Permissible activities The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined and the use of the word “bank” in names is controlled. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The term “bank” is clearly defined in laws or regulations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
The term “credit institution” is defined in Act No. 161/2002 on Financial Undertakings, article 1(b) item 2 (glossary), as “an undertaking that operates by accepting deposits or other repayable funds from the public and provides loans for its own account”. The term “credit institution” is used in the Icelandic law referring to the EU framework (CRD) which uses this definition of “credit institution” that is broader than “bank”. Thus, the term “bank” is not explicitly defined in the glossary of the law. Yet that does not create any ambiguity, because a definition of a “bank” may indirectly result from Act No. 161/2002, article 12: “Only credit institutions may use in their firm name or as clarification of their activities the words “credit institution”, “bank”, “commercial bank”, “investment bank”, “savings bank” and “credit undertaking” either alone or linked to other words, in accordance with their operating license.” In addition, article 4 specifies the various kinds of financial undertakings that are included in the legal definition of “credit institution”: “A credit institution can obtain an operating license as a commercial bank, savings bank or credit undertaking.” Therefore, banks are a category of credit institutions, including two sub-categories: commercial banks (to which major banks belong), and savings banks. Ideally, the law should explicitly and directly define the term “bank”, as well as “commercial bank” and “savings bank”, for example in article 1(b) on definitions. But it is clear in the law that banks are credit institutions which are regulated and supervised as such by CBI. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined either by supervisors, or in laws or regulations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
The definition of permissible activities of credit institutions (among which “banks”, as derived from CP4 EC1) is mentioned in Act No. 161/2002, article 3 on activities subject to operating licenses, and Chapter IV on authorized activities. The Icelandic definition of permissible activities refers to the EU framework (CRD). Article 3 states that: “Only legal entities that are licensed as credit institutions may operate by collecting deposits or other repayable funds from the public.” Chapter IV (mostly article 20) mainly states that: “The activities of commercial banks and savings banks may include the following: 1. Acceptance of deposits and other repayable funds from the public. 2. Lending activities, including: a. consumer credit, b. mortgages, c. factoring and purchase of debt instruments and d. commercial credit. 3. Financial leasing. 4. The provision of payment services as provided for in the Act on Payment Services. 5. Issuing and administering payment documents such as travelers’ cheques and bills of exchange. 6. Providing guarantees and commitments. 7. Trading for own account or for the accounts of customers in: a. money market instruments (cheques, bills, other comparable payment instruments etc.), b. foreign exchange, c. standard forward contracts and swaps (options), d. exchange rate and interest rate instruments and e. securities. 8. Participation in securities issues and provision of services related to such issues. 9. Providing advice to undertakings on financial organization, strategy and related issues, and advice as well as services related to mergers and acquisitions. 10. Money brokering. 11. Asset management and advisory. 12. Custody and administration of securities. 13. Credit reference (credit rating) services. 14. Rental of safety deposit boxes. 15. Issue of electronic money.” Consequently, the definition of permissible activities for banks in Iceland is quite large, referring to the EU extensive approach of bank licensing, including financial activities that may be left out of the scope of licensing in some non-EU jurisdictions, for instance factoring, consumer credit, or financial leasing. Such extensive approach of permitted activities is consistent with the universal banking model of major banks in Iceland, which enables large coverage of banking regulation and supervision by CBI. It should be noted that prior approval of CBI is requested for each single activity listed in above-mentioned article 20, in case an existing bank would envisage extending the scope of activities beyond the existing list of activities for which a license has been granted by CBI. Such activity-by-activity approach of licensing enables CBI to have close scrutiny of development strategies of banks extending beyond their usual business model into new kinds of financial services. In addition, the definition of other services and ancillary activities that are permitted to credit institutions (among which “banks”) is developed in Act No. 161/2002, article 21. Ancillary activities are permitted to banks, provided that they are a normal extension of their financial services, subject to prior approval of CBI. There is no list of ancillary activities, approval being examined on a case-by-case basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The use of the word “bank” and any derivations such as “banking” in a name, including domain names, is limited to licensed and supervised institutions in all circumstances where the general public might otherwise be misled. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
The use of the term “bank” is restricted in Act No. 161/2002, article 12: “Only credit institutions may use in their firm name or as clarification of their activities the words “credit institution”, “bank”, “commercial bank”, “investment bank”, “savings bank” and “credit undertaking” either alone or linked to other words, in accordance with their operating license.” |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The taking of deposits from the public is reserved for institutions that are licensed and subject to supervision as banks.38 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Act No. 161/2002 on Financial Undertakings indirectly states that only banks (commercial banks, and savings banks) can collect deposits:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor or licensing authority publishes or otherwise makes available a current list of licensed banks, including branches of foreign banks, operating within its jurisdiction in a way that is easily accessible to the public. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Act No. 161/2002, article 8, states that: “The Financial Supervisory Authority shall keep a register of credit institutions and their branches, including all the principal details of the undertakings concerned.” CBI discloses and updates a nominative list of licensed banks on its official website: https://en.fme.is/supervision/supervised-entities/. Regulated financial institutions, including banks, are dispatched by categories. Last update before the BCP assessment mission was done on October 24, 2022. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 4 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
The Icelandic legal and regulatory framework is aligned with the extensive EU definition of the scope of permitted activities, covering a large range of banking and payment services. The legal definition of banks is included into the broader category of credit institutions, derived from EU rules. There are two categories of banks in Iceland: commercial banks, and savings banks. Only banks may collect deposits. Such large scope of regulation and supervision provides CBI with strong legal capacity to effectively control banks, and credit institutions more globally. This approach is relevant for Iceland, since major banks have adopted a so-called universal banking business model, requiring close supervisory scrutiny from CBI No main finding has been identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 5 |
Licensing Criteria The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management)39 of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition-(including capital base). Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The law identifies the authority responsible for granting and withdrawing a banking license. The licensing authority could be the banking supervisor or another competent authority. If the licensing authority and the supervisor are not the same, the supervisor has the right to have its views on each application considered, and its concerns addressed. In addition, the licensing authority provides the supervisor with any information that may be material to the supervision of the licensed bank. The supervisor imposes prudential conditions or limitations on the newly licensed bank, where appropriate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
CBI, acting in its official capacity as the Financial Supervisory Authority (FSA, FME in Icelandic), has the legal power to review applications for a license as a credit institution (therefore, as a bank), and to issue banking licenses (as a commercial bank, or a savings bank). CBI’s legal mandate for licensing banks is laid down in Act No. 161/2002 on Financial Undertakings, Chapter II, articles 2 and following. CBI can impose prudential conditions or limitations on a newly licensed bank. Article 10(a) states that: “The Financial Supervisory Authority may restrict the activities of individual establishments [credit institutions] if it sees specific reason to do so.” This Article 10(a) has general application beyond the licensing stage. CBI applies EBA Guidelines EBA/GL/2021/12 on a common assessment methodology for granting authorization as a credit institution under Article 8(5) of EU Directive 2013/36/EU: When evaluating the application of a new bank, CBI makes a rigorous analysis of the business plan, focusing on the applicant’s business model, strategy, and risk profile, to form a view on the viability and sustainability of the applicant bank’s business model. Applicants are aware that EBA guidelines apply for that purpose. Documentation requests and questionnaire for interviews have been disclosed. Internal procedures have been specified for supervisors in charge of examination of licensing applications. The applicant’s risk profile will impact capital requirements and other prudential conditions set by CBI if the license is granted. Furthermore, the planned activities of the bank can impact the requirements decided by CBI. For example, there are stricter requirements concerning conflict of interest if the bank intends to provide investment services. All major decisions on licensing, such as granting an operating license for a bank, rejecting an application for an operating license or registration, rejecting an authorization to acquire a qualifying holding, and adverse decisions regarding fitness and propriety of board members and senior management, are taken by the Financial Supervisory Committee of CBI. Preparation of decisions on licensing involves all related CBI departments, including legal experts and banking supervisors, to ensure efficient synergies leading to a complete, thorough, and reliable assessment of applications. While CBI Compliance and Inspections department oversees the licensing process, banking supervisors from the Banking department (which manages off-site supervision of credit institutions and investment firms) oversee the financial examination of the application (for instance, business plan analysis, financial information on shareholders with a qualifying holding), and risk specialists from the Banking department oversee relevant risk domains. Input is also gained from the Financial Stability department. Concretely, since the post-crisis restructuration of the banking sector, the licensing activity has been very limited for banks. CBI has only received two applications for a license as a credit institution, including one application for a license as a savings bank. CBI accepted both applications after thorough review and extensive dialogue with the applicant and within CBI. In both cases, the application came from a domestic entity. During the same period, CBI has not revoked or withdrawn any license of a credit institution. CBI mentions that it has not faced any special issue regarding applications for a license as a credit institution. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
Laws or regulations give the licensing authority the power to set criteria for licensing banks. If the criteria are not fulfilled or if the information provided is inadequate, the licensing authority has the power to reject an application. If the licensing authority or supervisor determines that the license was based on false information, the license can be revoked. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
CBI has legal powers to set criteria for licensing banks. Information requirements relating to applications for a banking license are set out in Act No. 161/2002, article 5. The list of items defined in the law is concise, yet the FSA has legal power to request “other relevant information”. Article 5 states that (the following excerpt is streamlined): “An application for an operating license must be made in writing and shall be accompanied by: 1. Information on the type of operating license applied for, on activities subject to authorization, and other proposed activities. 2. The company’s Articles of Association. 3. Information on the structure of the organization, including information, inter alia, on how the proposed activities are to be pursued. 4. Information on the internal organization of the undertaking, including rules on supervision and work procedures. 5. A business plan and budget, indicating inter alia the expected growth and composition of own funds. 6. Information on founders, shareholders or guarantee capital owners, who directly or indirectly control qualifying holdings and the proportional holdings of all parties. If no one has a qualifying holding, information on the 20 largest shareholders or guarantee capital owners must be provided. 7. Information on the board of directors, managing director and other managers. 8. Auditor’s confirmation that share capital or guarantee capital has been paid up. 9. Information about the group to which the company belongs, including parent companies, financial holding companies and mixed financial holding companies in the group. 10. Information on close links between the undertaking and individuals or legal entities. 11. Other relevant information as determined by the Financial Supervisory Authority.” Therefore, the examination process of applications for a banking license covers not only data, but also the set-up of governance, internal control, and risk management frameworks, in view of ensuring that newly licensed banks may be run properly as of day one. Regarding the methodology used for assessing applications, CBI has disclosed on its website an extensive checklist of information and documentation that must be submitted with the application. This document (updated in August 2022) is only available in Icelandic: https://www.fme.is/media/eydublod/Starfsleyfi-fjarmalafyrirtaekis agust-2022.pdf. According to Act No. 161/2002, article 7, CBI has the power to reject applications that do not meet standards, “including the risk control system and the eligibility of board members, managing directors and owners of qualifying holdings, in the opinion of the Financial Supervisory Authority.” CBI has mentioned that it has used this power as a preventive action power in order to push applicants to reconsider proposed arrangements that were not deemed satisfactory after preliminary examination of the application. CBI can revoke a banking license afterwards, if it was based on false information, according to Act No. 161/2002, article 9. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The criteria for issuing licenses are consistent with those applied in ongoing supervision. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI has introduced risk-based criteria for collecting information and documentation supporting applications for a banking license, as it is mentioned in the above-mentioned legal provisions and check-list (see references under CP5 EC2). The risk-based approach for examination of licensing applications, and the issuance of banking licenses are not explicitly mentioned in the banking law or CBI application regulations, though it is advocated in above-mentioned EBA guidelines that are enforced in Iceland. It came out of BCP assessment meetings that CBI does implement a risk-based and comprehensive approach of licensing in that regard. The licensing activity for new banks has been very limited for many years in Iceland. For illustration and a high-level review of the licensing process, CBI shared with BCP assessors two application cases relating to a savings bank and a credit undertaking. Summary documentation shared by CBI highlights that thorough examination is implemented, covering a broad range of risk-related topics, including on governance, compliance, internal control, and risk management frameworks. To ensure that applicants will be able to meet prudential requirements from day one, banking supervisors as well as risk specialists of the Banking department are involved in the assessment of application, in addition to legal experts within the same department. Thus, banking supervisors are aware of the necessity to implement a risk-based approach of licensing, considering all relevant quantitative and qualitative aspects of risk management frameworks set up by applicants, beyond just checking formal legal compliance of applications. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The licensing authority determines that the proposed legal, managerial, operational and ownership structures of the bank and its wider group will not hinder effective supervision on both a solo and a consolidated basis.40 The licensing authority also determines, where appropriate, that these structures will not hinder effective implementation of corrective measures in the future. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
At the licensing stage, CBI has legal power to ensure that the proposed ownership structure of a bank would not undermine effective consolidated supervision and corrective action. Act No. 161/2002, article 7 paragraph 3, states that: “An operating license shall not be granted if close links between an applicant and individuals or legal entities obstruct supervision of the undertaking by the Financial Supervisory Authority. The same applies if laws or regulations of a state outside the European Economic Area which apply to such connected parties or problems related to their implementation hinder supervision.” Legal provisions are less explicit on the legal power granted to CBI, at the licensing stage, to ensure that the proposed legal, managerial, and operational structures of a bank would not undermine effective consolidated supervision and corrective action. In that regard, CBI refers to EBA guidelines that are legally inserted into Act No. 161/2002. The licensing approach followed by CBI clearly covers the assessment of appropriateness of legal, managerial, and operational structures of the applicant bank. There are no legal restrictions on characteristics of ownership of banks. CBI has not defined any specific strategy for licensing that may restrict the typology of bank ownership structures in addition to the regular EU/EBA framework. Non-banks, including natural persons, are allowed to control banks if they fulfill assessment criteria for owning qualifying holdings, including financial soundness and capacity to provide banks with financial support. CBI asks for a declaration by the home supervisor stating that there are no obstacles to, or limitations on, disclosure to CBI of the information necessary for supervision of the target undertaking. If the assessment reveals that there are grounds to believe that the ownership will impede adequate supervision of the regulated bank, the prospective acquirer will not meet the prudential assessment criteria (Act No. 161/2002, article 42). CBI has used this legal power to oblige credit institutions (not banks, because no application has been received from banks) to upgrade their proposed ownership structure towards less complexity. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The licensing authority identifies and determines the suitability of the bank’s major shareholders, including the ultimate beneficial owners, and others that may exert significant influence. It also assesses the transparency of the ownership structure, the sources of initial capital and the ability of shareholders to provide additional financial support, where needed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Regarding the assessment of eligibility and suitability of banks’ major shareholders at the licensing stage, CBI has legal power laid out in Act No. 161/2002, Chapter VI on holdings and treatment of holdings. Eligibility criteria are set out in article 42(a) on eligibility assessment in a general way, including, among others, the owner’s financial soundness (point 3), and how ownership might impact the credit institution’s ability to comply and continue to comply with prudential requirements (point 4). Act No. 161/2002 does not explicitly mention “transparency of the ownership structure” as a legal requirement for licensing, among above-mentioned eligibility criteria. Yet CBI refers to EBA guidelines in that regard. Other legal provisions give power to CBI to assess the eligibility of beneficial owners of a qualified holding in a bank, for instance article 49(a) on beneficial owners. CBI has not issued specific regulatory requirements on the ownership structure in view of ensuring transparency, because it found no need to do so, considering applicable EBA guidelines on this topic. No further national criteria have been specified regarding shareholders’ jurisdictions or legal structures. CBI assesses transparency of banks’ ownership structure, at the licensing stage and at any occurrence of a change of ownership, on a case-by-case basis. The suitability assessment of owners of qualifying holdings is headed by supervisors of the Compliance and Inspections department. Financial evaluation of shareholders is carried out by banking supervisors. CBI’s AML/CFT team within this department conducts an AML/CFT analysis and verifies the source of funds used for acquiring significant banks’ shareholdings (as well as minimum capital), with input from the Financial Stability department. The legal definition of an ultimate beneficial owner (UBO) is included in Act No. 140/2018 on measures against Money Laundering and Terrorist Financing, article 3, referred to in Act No 161/2002, article 1 (b), as one or more natural persons who ultimately own or control the customer, legal entity, or natural person on whose behalf a transaction or activity is being conducted or carried out. A beneficial owner is, in the case of a legal person, the natural person who in fact owns or controls the legal person through the direct or indirect ownership of a share of more than 25 percent in the legal person, or controls more than 25 percent of the voting rights, or is regarded as having control of the legal person in another manner. Applicants for a banking license are required to disclose the full list of their shareholders. Further to this, all owners of a qualifying holding (10 percent, or more, of equity, or voting rights) are subject to additional disclosure requirements. CBI has issued guidelines on information requirements: https://www.fme.is/media/eydublod/SI5.1.20 Information-disclosure-for-notification-of-a-qualifying-holding.pdf. Among the extensive list of questions within CBI questionnaire are questions pertaining to the ultimate economic beneficiaries of the transaction and whether the proposed acquirer has eventually entered into derivatives contracts using shares issued by the targeted undertaking as underlying assets (see questions 5.11-5.12). Indirect ownership situations are evaluated using the two-steps approach recommended in EBA Joint Guidelines JC/GL/2016/01 on the prudential assessment of acquisitions and increases of qualifying holdings in the financial sector: https://www.esma.europa.eu/system/files force/library/jc gl2016 01 joint guidelines on prudential assessment of acquisitions and increases of qualifying holdings - final.pdf?download = 1. The first step (“control-criterion”) envisages the application of the notion of control. Accordingly, all natural or legal persons (i) who acquires, directly or indirectly, control over an existing holder of a qualifying holding in a target undertaking, or (ii) who, directly or indirectly, controls the proposed direct acquirer of a qualifying holding in a target undertaking, should be considered as indirect acquirers of a qualifying holding. The second step (“multiplication criterium”) applies where the application of the control criterion does not determine that a qualifying holding was acquired indirectly. According to Act No. 161/2002, article 49(a), if there is any doubt in the opinion of CBI, about who is or will be the beneficial owner of a qualifying holding, CBI shall notify the party who sent the notification, or the financial undertaking itself if the former cannot be reached, that CBI does not consider the party in question eligible to exercise the holding. Regarding CBI’s control of source of funds to be used as banks’ capital, explicit questions are asked by CBI in the above-mentioned questionnaire (Section 7). As a bare minimum, CBI asks for a description of the source of the financing and documentation, in view of verifying that no money laundering is being attempted through the proposed acquisition (for example, a copy of a wire or bank transfer from a bank account in the name of the proposed acquirer to the seller, or a signed letter from a public accountant detailing the source of the financing). CBI’s AML/CFT team evaluates the submittals and verifies if further documentation is needed. CBI reports that it has not faced any issue regarding the source of funds used as capital. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
A minimum initial capital amount is stipulated for all banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
The legal minimum capital amount required for banks is specified in Act No. 161/2002, article 14: the minimum initial capital shall not be lower than the equivalent in ISK of EUR 5 million for credit institutions, including banks, except EUR 1 million for savings banks (only if savings banks do not operate cross-border activities and do not engage in activities on securities and asset management). In each case, the minimum capital requirement shall not be less than 8 percent of the projected risk base. In both cases, the initial disbursement shall be in the form of cash, premium account, retained earnings, or reserve fund. Prior to licensing, an external auditor shall issue a formal confirmation that the initial share capital has been paid in full up to the minimum capital requirement (article 5). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The licensing authority, at authorization, evaluates the bank’s proposed Board members and senior management as to expertise and integrity (fit and proper test), and any potential for conflicts of interest. The fit and proper criteria include: (i) skills and experience in relevant financial operations commensurate with the intended activities of the bank; and (ii) no record of criminal activities or adverse regulatory judgments that make a person unfit to uphold important positions in a bank.41 The licensing authority determines whether the bank’s Board has collective sound knowledge of the material activities the bank intends to pursue, and the associated risks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Regarding the licensing rules of banks’ board members and senior management, CBI is provided with legal powers by Act No. 161/2002, Chapter VII on board of directors, corporate governance, and employees, in particular article 52 which sets eligibility requirements, such as skills and experience, good reputation including the absence of criminal record. A legal requirement for the credit institution’s board to have a collective adequate knowledge and experience also is set out in article 52. To implement the licensing process of board members and senior management in line with EBA guidelines, CBI has developed a questionnaire for interviewing candidates to managing director positions. This review is carried out by the Compliance and Inspections department and based on information submitted on behalf of the CEO and each board member. The CEO and all board members have to pass an oral examination, headed by this department. Details on the evaluation of the suitability of proposed board members and senior management are specified in CBI rules No. 150/2017 on the implementation of the qualification assessment of managing directors and directors of financial companies (in Icelandic only): https://www.stjornartidindi.is/PdfVersions.aspx?recordId=cb215e5a-7ee4-4ea4-8613-5549793ab127. Credit institutions must notify CBI as soon as possible, preferably beforehand, about appointments of a new CEO and new board members. The CEO and board members must submit information according to CBI questionnaire within four weeks. This questionnaire is currently being updated (November 2022). The questionnaire is reviewed, and additional information is collected if needed. For CEOs and board members of significant banks, and if there is any doubt about the fitness of a board member of any other kind of credit institution, an oral assessment is held by CBI, using a questionnaire. This questionnaire is also being updated. The oral assessment takes around 3-4 hours and covers the main points that CBI deems relevant for CEO’s and board members of credit institutions. The fit and proper process is the same for all credit institutions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The licensing authority reviews the proposed strategic and operating plans of the bank. This includes determining that an appropriate system of corporate governance, risk management and internal controls, including those related to the detection and prevention of criminal activities, as well as the oversight of proposed outsourced functions, will be in place. The operational structure is required to reflect the scope and degree of sophistication of the proposed activities of the bank.42 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
CBI is aware that the licensing process should go beyond formal legal compliance checks and review of estimated performance data, but also incorporate a risk-based qualitative assessment of banks’ capacity to operate sound risk policies and management. CBI ensures that all important aspects of applications for a bank license which may be risk sensitive are reviewed by CBI’s risk specialists, notably: (i) a draft organization chart; (ii) governance, internal control, and risk management frameworks; (iii) ethics, compliance, and financial integrity frameworks, including AML/CFT; (iv) operational risk management, including ICT systems and security, business continuity planning, and outsourcing; (v) environmental, social, and governance (ESG) policies. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The licensing authority reviews pro forma financial statements and projections of the proposed bank. This includes an assessment of the adequacy of the financial strength to support the proposed strategic plan as well as financial information on the principal shareholders of the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
CBI follows EBA guidelines on the authorization of credit institutions regarding financial analysis of banks’ business strategy and estimated financial projections. CBI reviews the proposed banks’ business plans, tentative financial statements (balance sheet, profit & loss), estimated prudential ratios, as well as the financial soundness of major shareholders, including natural persons if need be. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC10 |
In the case of foreign banks establishing a branch or subsidiary, before issuing a license, the host supervisor establishes that no objection (or a statement of no objection) from the home supervisor has been received. For cross-border banking operations in its country, the host supervisor determines whether the home supervisor practices global consolidated supervision. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC10 |
CBI has legal power to request a no-objection statement from the home supervisory authority of any bank that would establish a branch in Iceland. As an EEA member country, Iceland also implements the EU passporting rules applicable to EEA countries. Domestic banks that wish to open a cross-border branch within the European Economic Area may do so with a so-called “passport notification” to CBI, according to Act No. 161/2002, article 36. The information in the passport notification shall follow applicable EU regulation (EU) 926/2014 and (EU) 1151/2014. CBI will pass the notification on to the competent authority in the host country. If the branch is deemed a systemically important branch, further information shall be sent to the host country. No Icelandic bank has opened any branch abroad within the European Economic Area. CBI can authorize domestic banks to open a branch in a country that is not a member of the European Economic Area, according to Act No. 161/2002, article 38, which lists information that CBI needs to be provided with before such authorization. So far, no Icelandic bank has opened any branch abroad outside of the European Economic Area. Foreign banks within the European Economic Area can be authorized to open a branch in Iceland according to Act No. 161/2002, article 31 of after a “passport notification” has been received from the home member State. The information provided in the “passport notification” follows above-mentioned EU implemented regulation. If the branch is deemed a systemically important branch, further information shall be sent by the home country according to Article 31(a). Supervisory powers of CBI are laid down in article 34. No EEA foreign bank has opened any branch in Iceland so far. Foreign banks that are domiciled outside of the European Economic Area can be authorized to open a branch in Iceland according to Act No. 161/2002, article 33, which lists detailed information that CBI needs to be provided with. No Non-EEA foreign bank has opened any branch in Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC11 |
The licensing authority or supervisor has policies and processes to monitor the progress of new entrants in meeting their business and strategic goals, and to determine that supervisory requirements outlined in the license approval are being met. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC11 |
CBI plans to supervise newly licensed banks through regular supervisory process to ensure that legal and regulatory requirements are met according to specific licensing conditions, if any. Supervisory visits are envisaged in that regard (mostly applied for nonbank financial institutions, because no new bank has been opened in Iceland for years). CBI decides on a case-by-case basis whether to implement more stringent prudential requirements for new credit institutions. The determining factors may include the new bank’s business plan (CBI might want to monitor if the plan is working as planned, for instance by asking for monthly management accounts), as well as special risks that the business model might entail. There are no concessions granted for new banks, which must fulfill all normal capital and AML/CFT requirements from day one. CBI reports that it has not faced any material issue regarding new credit institutions shortly after they have been licensed. In practice, given that only one new savings bank has been licensed recently, there is no need to implement such specific monitoring frequently. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 5 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
The licensing activity has been very limited for banks in Iceland for many years. Yet licensing requirements and processing are well structured. Based on a solid framework on licensing applications, supported by detailed requirements, comprehensive licensing criteria, and a risk-based assessment methodology, CBI may implement a thorough examination of application requests from entities for a banking license, as well as from natural persons for their appointment as members of the board of directors or senior management. CBI has adequate power to require adjustments of proposed plans, if need be, or to reject applications. Minimum capital requirements look rather low (the equivalent in ISK of EUR 5 million for banks), yet prudential capital adequacy requirements are much higher. No main finding has been identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 6 |
Transfer of Significant Ownership The supervisor43 has the power to review, reject and impose prudential conditions on any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws or regulations contain clear definitions of “significant ownership” and “controlling interest”. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
The definition of a “qualifying holding” is laid down in Act No. 161/2002, article 40 paragraph 2: “A qualifying holding shall mean a direct or indirect holding in a credit institution which represents 10 percent or more of its equity, guarantee capital or voting rights or enables the exercise of a significant influence on the management of the credit institution concerned.” Quantitative thresholds of qualifying holdings are set up at 10 percent of equity, guarantee capital, or voting rights, 20 percent, 30 percent, and 50 percent. Direct or indirect ownership is considered in the law, as well as joint ownership of a group of connected parties. Therefore, persons or entities that act in concert to acquire a direct or an indirect qualifying holding are also covered by the legal requirement to notify CBI and are also subject to eligibility assessment. The qualitative criteria relating to the “significant influence on the management” of the bank, set in article 40, may provide CBI with more flexibility than the mechanistic application of quantitative thresholds to assess the effective control that a shareholder may have on the bank, even if the related capital share stands below the legal 10 percent threshold. This legal change has addressed the finding identified in the 2014 ROSC for CP6. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
There are requirements to obtain supervisory approval or provide immediate notification of proposed changes that would result in a change in ownership, including beneficial ownership, or the exercise of voting rights over a particular threshold or change in controlling interest. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
All authorizations concerning any modification of license applications of regulated banks requires prior approval from CBI. All changes of direct or indirect ownership of qualifying holdings (10 percent or more) must be notified in advance to CBI, which has time to assess proposed changes before deciding whether new shareholders are suitable, and to object if legal criteria are not met, according to Act No. 161/2002, Chapter VI, articles 40 to 49(a), EBA Joint Guidelines for the prudential assessment of acquisitions of qualifying holdings, as well as Guidelines on Information requirements. A merger between financial undertakings is subject to prior approval of CBI (article 106). CBI has recently updated its internal process in such a way that owners of qualifying holdings will have to complete an annual questionnaire that contains questions on the beneficial ownership of their qualifying holdings. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor has the power to reject any proposal for a change in significant ownership, including beneficial ownership, or controlling interest, or prevent the exercise of voting rights in respect of such investments to ensure that any change in significant ownership meets criteria comparable to those used for licensing banks. If the supervisor determines that the change in significant ownership was based on false information, the supervisor has the power to reject, modify or reverse the change in significant ownership. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI has legal power to reject changes of significant ownership, as stated by Act No. 161/2002, Chapter VI on holdings and treatment of holdings. Assessment process and criteria are developed in article 42(a). Provisions on eligibility assessment, including CBI’s power to reject a proposed acquisition (because it is not eligible, or notification has not been sent to CBI), are developed in articles 43 and 46. Provisions on CBI’s power to amend a previous decision are developed in article 49 on disclosure obligations and ongoing evaluation of the eligibility of owners of qualifying holdings. The CBI has the power to cancel voting rights of a new shareholder assessed as non-eligible, and to request this shareholder to sell the related bank shareholding (Article 46). In addition, the CBI may revoke a banking license if the application is based on incorrect information (Article 9). Clarification was requested during the mission about the legal deadline relating to approval delivery. Act No. 161/2002, article 42, mentions that: “Should the conclusion of the Financial Supervisory Authority not be available within the evaluation period as provided for in the third paragraph [60 days], it may be concluded that the Financial Supervisory Authority does not object to the plans of the party intending to acquire or increase a qualifying holding in the credit institution in question.” Such legal provision might be understood as obliging CBI to accept implicit approval of transfer of significant ownership, which might put CBI at risk. Though implicit approval of any licensing request should be considered as not appropriate, whatever the underlying reason, CBI explained to BCP assessors that in any case the deadline shall start when CBI has decided that the application for transfer of significant ownership has successfully met information and documentation requirements, so that supervisors would not be forced to decide implicitly without getting proper information and documentation. In the last five years, CBI/FSA has not identified any need to require a change of control of a bank that was made without a notification or approval. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor obtains from banks, through periodic reporting or on-site examinations, the names and holdings of all significant shareholders or those that exert controlling influence, including the identities of beneficial owners of shares being held by nominees, custodians and through vehicles that might be used to disguise ownership. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Act No. 161/2002, article 19, states that banks must disclose a list of every shareholder owning 1 percent or more of their share capital or guarantee capital on their website. This list must be continuously updated, all changes in ownership being reflected within four days. Further, for shareholders who are legal entities, banks must also disclose a list of their beneficial owners. In addition, article 48 states that banks admitted to trading on a regulated market must submit a yearly report to CBI detailing owners of qualifying holdings of their capital. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor has the power to take appropriate action to modify, reverse or otherwise address a change of control that has taken place without the necessary notification to or approval from the supervisor. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Act No. 161/2002, article 45, addresses the issue of any failure of regulated banks to notify CBI of any change of qualifying holding. In that case, voting rights exceeding the threshold for a qualifying holding are canceled. In addition, article 46 states that, if CBI finds an ineligible owner owning a qualifying holding, voting rights exceeding the threshold for a qualifying holding are canceled, and the related owner must sell shares exceeding the same threshold within two months, or within another timeframe as decided by CBI. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
Laws or regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Act No. 161/2002, article 8, obliges banks to notify CBI of any information that may affect whether the institution fulfills licensing requirements. This is a generic provision that does not explicitly mention the suitability of shareholders. Regarding shareholders, Chapter VI on holdings and treatment of holdings is not clear about banks’ obligation to inform CBI of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Consequently, it is recommended that Act No. 161/2002 be amended to explicitly require banks to notify CBI as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Such additional legal provision could possibly be extended to significant, but non-major, shareholders, even to tentative shareholders (at least major tentative shareholders, also non-major tentative shareholders too, if useful), so that CBI be involved in early examination of the suitability of existing or new shareholders which may adversely impact banks. CBI would then have large legal powers of preventive or corrective action against non-suitable shareholders, which may be useful powers considering recent issues raised by the privatization of a major bank. In that regard, according to the government’s website at the time of the BCP assessment mission, the MoFEA was planning to present a bill for debate in Parliament in November 2022 [postponed to February 2023 after the mission] which purpose is changing the sale proceedings of government equity stakes (in Icelandic only): https://www.stjornarradid.is/rikisstjorn/thingmalaskra/. No detailed information was available at the time of the mission in addition to the short following statement (translated from the above-mentioned source): “(16) Draft law on the treatment of the state’s holdings in companies. The bill aims to strengthen the handling of the state’s holdings in companies through a changed arrangement, where increased emphasis will be placed on transparency, equality, democratic involvement of parliament and the provision of information to the public”. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 6 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Regulation of transfer of significant ownership has been upgraded to provide CBI with adequate authorization powers of significant changes of banks’ shareholdings. Yet Act No. 161/2002 is not clear enough about banks’ obligation to inform CBI of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Though Act No. 161/2002, article 8, obliges banks to notify CBI of any information that may affect whether the institution fulfills licensing requirements, this article does not explicitly mention the suitability of shareholders. In addition, Chapter VI on holdings and treatment of holdings is not clear about banks’ obligation to inform CBI of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. It is recommended that Act No. 161/2002 be amended to explicitly require banks to notify CBI as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Such additional legal provision could possibly be extended to significant, but non-major, shareholders, even to tentative shareholders (at least major tentative shareholders, also non-major tentative shareholders too, if useful), so that CBI be involved in early examination of the suitability of existing or new shareholders which may adversely impact banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 7 |
Major Acquisitions The supervisor has the power to approve or reject (or recommend to the responsible authority the approval or rejection of), and impose prudential conditions on, major acquisitions or investments by a bank, against prescribed criteria, including the establishment of cross-border operations, and to determine that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws or regulations clearly define:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
The applicable legal framework has not laid down explicit provisions relating to “major acquisitions” envisaged by regulated banks, that is quantitative limitations, as well as qualitative risk management rules. Making such provisions explicit in the law would simply clarify the regulation framework on this topic. Yet the existing legal and regulatory framework may compensate this formal gap. Existing laws and regulations are restrictive regarding conditions applicable to banks on major acquisitions. The related legal framework mostly focuses on 4 topics: (i) ancillary activities; (ii) qualifying holdings in banks’ capital; (iii) mergers of regulated banks; and (iv) limits on large exposures. Banks cannot decide major acquisitions out of the scope of the above-mentioned list of 4 topics. On major acquisitions, CBI refers to Act No. 161/2002, article 21 on other services and ancillary activities, and article 22 on temporary activities and takeover of asset. CBI has published guidelines regarding side activities and temporary activities of credit institutions (in Icelandic only) specifying the conditions for each category of investments: https://www.fme.is/thjonustugatt/hlidar-og-timabundin-starfsemi/. 1°/ Ancillary Activities Banks must notify CBI before pursuing ancillary activities. Article 21 states that banks can pursue ancillary activities provided they are a “normal extension” of their financial services, for example ownership of a company that buys claims from third parties, or any other kind of subsidiary established by the bank. In practice, as established per CBI’s guidelines, banks need only notify if they have an equity interest equal to, or more than 20 percent in another entity. Banks have to notify CBI of the pursuit of ancillary activities even if they have an equity stake lower than 20 percent if they nominate a board member of the entity. If CBI raises no objection to proposed ancillary activities within one month of receiving satisfactory notification, this shall be interpreted as authorization for commencing such activities. 2°/ Mergers A merger of a bank with another financial undertaking is only permitted with the consent of CBI (Act No. 161/2002, article 106). 3°/ Equity interest arising from the work-out of problem exposures Banks may only pursue activities other that permitted activities listed in Act No. 161/2002 on a temporary basis and for the purpose of completing transactions or restructuring clients’ operations. Banks can therefore acquire equity stakes in entities in the course of working out problem exposures. CBI needs to be notified, with supporting reasoning given for equity stakes. As a general rule, banks must dispose of such equity stakes within 12 months. CBI can prolong this timeframe, for instance in case of illiquid assets. 4°/ Limits on acquisitions stemming from rules on large exposures A bank’s aggregate exposure to non-consolidated subsidiaries and other related parties may not exceed the limits set by rules on large exposures, according to EU regulation CRR (article 395) which is implemented into Icelandic Law by Act No.161/2002, article 1(c). 5°/ Absolute limits on qualifying holdings to banks’ capital Referring to CRR, articles 89-91, CBI imposes two limits on banks’ qualifying holdings in non-financial companies: (i) banks may not own qualifying holdings in individual financial or non-financial undertakings amounting to more than 15 percent of their (banks) capital base; and (ii) banks’ total qualifying holdings in non-financial undertakings may not amount to over 60 percent of banks’ capital base. Legal criteria on major acquisitions have been enhanced as a consequence of the modification of Act No. 161/2002 on qualifying holdings (see CP6 EC6). At present, the legal approach on regulating major acquisitions relies on quantitative thresholds applicable to qualifying holdings, as well as qualitative criteria on effective control that may exist below legal thresholds. In that sense, the finding highlighted in the 2014 ROSC on CP7 has been addressed, regarding major acquisitions of banks in other financial institutions. Based on this legal framework, CBI has the capacity to examine major acquisitions envisaged by banks, and assess banks’ capacity to complete related transactions, from a risk-based perspective. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
Laws or regulations provide criteria by which to judge individual proposals |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Act No. 161/2002, supplemented by EBA’s and CBI’s guidelines, set out rules used by CBI when approving banks’ proposed investments:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
Consistent with the licensing requirements, among the objective criteria that the supervisor uses is that any new acquisitions and investments do not expose the bank to undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future.44 The supervisor can prohibit banks from making major acquisitions/investments (including the establishment of cross-border banking operations) in countries with laws or regulations prohibiting information flows deemed necessary for adequate consolidated supervision. The supervisor takes into consideration the effectiveness of supervision in the host country and its own ability to exercise supervision on a consolidated basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI has a broad general legal power to restrict activities of a bank, according to Act No. 161/2002, article 10(a): “The Financial Supervisory Authority may restrict the activities of individual establishments if it sees specific reason to do so.” CBI is further empowered to set conditions for the continued operations of individual operating units. Act No. 161/2002, article 39 on purchase of shares in a foreign financial undertaking, applies to the establishment of banks’ cross-border banking operations, If a bank intends to purchase or exercise a qualifying holding in a foreign financial undertaking, it must notify CBI in advance. In case of qualifying holdings in entities located outside of the EEA, CBI may prohibit such acquisition if it has legitimate grounds to presume that information provision for this activity will not be sufficiently reliable, or may impede consolidated supervision, or may create obstacles to the orderly resolution of the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that the bank has, from the outset, adequate financial, managerial and organizational resources to handle the acquisition/investment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
As a general rule, CBI must analyze the safety and soundness of the types of investment set out in CP7 EC1, which includes financial and managerial resources. CBI has published a checklist on its website that describes the process and requirements for the approval of merger of financial undertakings. CBI is currently finalizing the internal manual to improve its assessment procedures with regards to adequacy of financial, managerial and organizational resources (November 2022). CBI provided a concrete illustration case of supervisory assessment of a major acquisition submitted by a regulated bank to the approval of CBI which demonstrates effective implementation. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor is aware of the risks that non-banking activities can pose to a banking group and has the means to take action to mitigate those risks. The supervisor considers the ability of the bank to manage these risks prior to permitting investment in nonbanking activities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
CBI is aware of the risks that non-banking activities can entail and has thus limited the banks’ ability to engage in non-banking activities, for instance by limiting banks’ ability to pursue ancillary activities only as a normal extension of their financial services (as developed under CP7 EC1). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 7 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
As for transfer of significant ownership (CP6), regulation of major acquisitions envisaged by banks (CP7) has been enhanced accordingly, with the introduction of the qualitative criteria of significant influence in addition to standardized quantitative thresholds, which enables more flexibility for implementing risk-based supervision of major acquisitions. Legislation and regulation, notably Act No. 161/2002, do not include a specific Section on “major acquisitions” explicitly, yet the combination of legal provisions on ancillary activities, mergers, equity interest arising from the work-out of problem exposures, and regular prudential requirements on large exposures, may compensate. Yet semantic clarification of legal requirements on authorization of major acquisitions envisaged by banks would be useful. The legal regime of major acquisitions is restrictive to banks, which have not developed a significant development strategy through major acquisitions. CBI has adequate powers to examine and possibly reject any major acquisition envisaged by a bank. Based on the recent case of a major acquisition made by a non-systemic Icelandic bank through its UK subsidiary, CBI may wish to upgrade its capacity to supervise major acquisitions at consolidated level further, even if it may create some duplication with the host country, yet this single case looks as it has been closely monitored by CBI. No main finding has been identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 8 |
Supervisory Approach An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become non-viable. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor uses a methodology for determining and assessing on an ongoing basis the nature, impact and scope of the risks:
The methodology addresses, among other things, the business focus, group structure, risk profile, internal control environment and the resolvability of banks, and permits relevant comparisons between banks. The frequency and intensity of supervision of banks and banking groups reflect the outcome of this analysis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
CBI/FSA utilizes a supervisory review and evaluation process (SREP) for less significant institutions (LSI) under the single supervisory mechanism (SSM) overseen by the European Central Bank (ECB). EBA’s Guideline on common procedures and methodologies for the supervisory review and evaluation process and supervisory stress testing (EBA/GL/2014/13 updated 19 July 2018) provided the basis for CBI/FSA’s SREP framework. As part of the EEA, Iceland is obligated to abide by the EU framework, both from a banking legislative stance as well as in its supervisory approach for banking supervision. EEA members have considerable freedom to develop their own supervisory approaches on the basis of the SSM LSI SREP methodology. While the ECB sets overarching boundaries (e.g., in terms supervisory priorities, SREP methodology, joint supervisory standards, supervisory cycle and allows for a proportionate approach), national competent authorities/EEA members can develop within these boundaries their own supervisory framework and approach for LSIs tailored to the local circumstances. CBI/FSA’s SREP methodology is outlined in a document entitled Common Criteria and Methodologies for SREP (CBI/FSA’s SREP methodology). This document is to be read in conjunction with three Annexes, all published on CBI/FSA’s website, entitled:
The Icelandic authorities have been utilizing its SREP methodology since 2016. As outlined in Sec 2.1 of CBI/FSA’s SREP methodology, the SREP score is one of the key drivers for the frequency and intensity of supervisory activities (including both the minimum engagement level (MEL) and the supervisory examination program (SEP)). The Figure below provides a high-level overview of the SREP, depicting the general phases of the overall SREP assessment, including: i) classification or categorization of institutions; ii) monitoring of key indicators; and iii) an assessment of the business model analysis (BMA), strength of internal governance and institution-wide controls, and the overall assessment of the impact of all risks to an institution’s capital and liquidity and funding. Once the overall SREP assessment is completed, CBI/FSA may determine the appropriate supervisory measure pertaining to an institution’s capital and liquidity or other appropriate supervisory measures. The SREP framework also includes intervention measures (as per Article9, 86(h) and 107(c) to (e) of Act No. 161/2002).
As per Article 86(b) of Act No.161/2002, CBI/FSA’s categorization of banks has resulted in the classification of three Domestic Systemically Important Banks (D-SIBs) based on an annual assessment, approved by the FSN, that takes into consideration, among other criteria: a) the size of the group; b) interconnectedness of the group with the financial system; c) whether the services or financial infrastructure provided by the group are available elsewhere (substitutability); d) complexity of the group; and e) scope of international activities. Note that the resolvability assessment of the banks is undertaken as part of the classification system, but also as part of the business model assessment and the formal resolvability assessment undertaken by X. (please see EC X for more detail). These three D-SIBs are considered high impact institutions as per the table below.
According to CBI/SREP methodology, CBI/FSA undertakes business model analysis that aims to identify possible threats to the viability of the business model and the sustainability of the overall strategy of the institution. The business model analysis includes an analysis of the business focus (overall strategy based on the risk appetite of the bank), and the organizational structure (to assess risks from entities in the group and the structure overall) as well as addressing a resolvability issues identified as part of the risk assessment, among other things. See sec 2.4.1 of the SREP methodology. CBI/FSA’s assessment of the internal governance and institution-wide controls involves, among other things, the assessment of the bank’s overall governance framework, risk management framework pertaining to ICAAP/ILAAP, and information systems, etc. CBI/FSA monitors key risk indicators on a quarterly basis using regulatory data as well as undertaking a risk assessment of the D-SIBs across all key risks (both quantitative and qualitative assessment), resulting in a risk report. There is a comparison of institutions, and the D-SIB risk reports are provided to the Director of Banking, the DG of Financial Supervision, and the Governor. Aggregate risk reporting is provided to the FMEN regarding the D-SIBs. The Icelandic SREP framework is based on a proportionality approach, that takes into consideration the impact category rating of the institutions which results in a SREP score (see table below in EC2) and distinguishes between the nature/intensity and frequency of the SREP. For a high impact institution, a full SREP is completed annually and is aligned with CBI/FSA’s minimum engagement model (see EC2 for more detail on the MEM). Other categories of impact result in a proportionately timed analysis ranging from two to four years frequency. Note that the SREP score of F (one level below score 4) indicates that the institution is “failing or likely to fail” and is subject to early intervention measures pursuant to Article 86(h) of Act No. 161/2002 or measures pursuant to Chapter XII and Temporary Provision VI of the same Act - outlining CBI’s resolvability framework. CBI/FSA has an extensive Supervisory Handbook (CCQ) for supervisors to know and understand each aspect of what needs to be assessed for each component of the SREP processes, included guided questions the supervisors should ensure they obtain answers on as part of their risk assessment. Although not impacting CBI supervisors’ capability in undertaking its SREP assessment, it was noted that certain aspects of this Handbook need to be updated (e.g., where new risks have not been defined, or where the Handbook is outdated and not in line with CBI’s current supervisory framework such as the use of the new supervisory assessment system). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor has processes to understand the risk profile of banks and banking groups and employs a well-defined methodology to establish a forward-looking view of the profile. The nature of the supervisory work on each bank is based on the results of this analysis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
As indicated in EC1 CBI/FSA, based on the categorization of institutions, an annual SREP assessment is undertaken for the D-SIB based on these banks’ high impact category rating. Therefore, for the D-SIBs, CBI/FSA undertakes a considerable amount of forward looking analysis through the utilization of stress testing methodology for the BMA analysis as well for the assessment of ICAAP and ILAAP as well as meeting with bank’s risk experts/management to understand the results of these forward looking views. Should the analysis reveal issues/concerns (for example, if CBI’s analysis of a DSIBs ICAAP with respect to a certain kind of credit product was not adequate, CBI may request additional information from the bank, require additional or different stress testing, and or undertake an on-site credit review to obtain additional supervisory information to conclude on the bank’s overall SREP score/risk assessment), further work/follow up is undertaken by the supervisors. CBI/FSA makes a determination/conclusion on the assessment which could result in an additional prudential requirement (e.g., additional Pillar II capital requirements, etc.). The results of such analysis are taken into consideration for the determination of the SREP score. CBI/FSA uses stress testing to determine the impact of a baseline scenario on an institution’s income statement and balance sheet and to determine whether its own funds are sufficient to meet the overall capital requirement over the forecasted period (Sec 2.4.1 of the SREP framework). As part of the ICAAP review process, CBI/FSA undertakes an assessment of the institutions’ stress testing results pertaining to credit, counterparty and concentration risk; market risk; IRRBB and operational risk. CBI/FSA also undertakes an assessment of institution’s ILAAP, including the results of the stress testing of risks to liquidity and funding. CBI/FSA’s SREP framework/assessment results in a SREP score of 1 (minimal risk identified) to 4 (very high levels of risk identified), and includes an additional negative rating of F (as mentioned in EC1), please see table below for a further description. Note that the SREP score of F (one level below score 4) indicates that the institution is “failing or likely to fail” and is subject to early intervention measures pursuant to Article86(h) of Act No. 161/2002 or measures pursuant to Chapter XII and Temporary Provision VI of the same Act - outlining CBI’s resolvability framework. Any results of the SREP (e.g., assessment of Pillar 2 requirements), are publicly released as per CBI’s transparency requirements Article9(a) of Act No. 87/1998. The SREP score is not communicated to either the bank or the public.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor assesses banks’ and banking groups’ compliance with prudential regulations and other legal requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Icelandic banks are required to comply with prudential regulations and many other legal requirements given the necessity to abide by the EU regulatory framework. This at times makes the assessment of banks’ compliance with prudential and other legal requirements a somewhat complicated task. CBI/FSA has mapped all prudential regulations and other legal requirements into one document to maintain an evergreen list of requirements. Prudential regulations and requirements are in place and are closely tracked through regulatory reporting (monthly, quarterly, annual, etc.) based on FINREP and COREP and in some cases additional reporting (e.g., Portfolio Loan Analysis for credit risk, which tracks loan quality data; credit registry, which highlights large exposures and connected clients) and ad hoc reporting when CBI/FSA deems it necessary (e.g., exposures to problematic countries, etc.). Further, CBI/FSA closely monitors other legal requirements (e.g., governance - fit and proper requirements, ultimate beneficial ownership, AML/CFT etc.). CBI/FSA prepares a risk report (D-SIBs) that pulls all risk assessments together (prudential minimum requirements across all risk areas, off-site analysis, on-site inspection results, etc.) which is reported up through to senior management on a quarterly basis. Further, banks are also closely monitoring internal prudential limits that go beyond minimum prudential and regulatory requirements (embedded in among other things recovery plans) and are legally bound to inform CBI/FSA immediately (e.g., Article 52(e) of Act No. 161/2002). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor takes the macroeconomic environment into account in its risk assessment of banks and banking groups. The supervisor also takes into account cross-sectoral developments, for example in non-bank financial institutions, through frequent contact with their regulators. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
The assessment of the macroeconomic environment in Iceland is carried out by the Financial Stability Unit (FSU) in CBI. In addition, the FSU also carries out the inherent liquidity risk assessment for the D-SIBs as well as overseeing liquidity and funding risk for the entire financial sector. Prior to the FME and CBI merger, representatives of the FSU would meet to discuss various issues. All liquidity data is shared amongst the banking supervisors and the FSD staff. Post-merger, CBI/FSA is able to ensure more frequent communication and cooperation than before between supervisors from financial supervision with specialists in the FSU as well as with the supervisors for non-bank financial institutions that CBI/FSA regulates. Even though this integration and cooperation is still being evolved and formalized, progress has been made to connect micro and macro prudential supervision and integrate it into prudential decisions on individual and market level. Wider spectrum of collected data is now available for bank and non-bank markets and CBI/FSA now has access to regular information and analysis from financial stability on economic development and on the market situation at each time. For example:
CBI/FSA incorporates the factors of the macroeconomic environment into its forwardlooking supervision in its assessment of BMA, ICAAP/ILAAP as well as financial statements (e.g., D-SIBs adhere to IFRS 9 financial asset valuation standards) which both form part of the SREP process and add to the assessment of the buildup of risk in banking sector. Cooperation is critical between the Banking Department and FSU that evaluates banks’ macroeconomic assumptions with peer review and comparison to publicly available forecasts on the macroeconomic environment. Emphasis is on challenging the presumptions of the banks for their forward planning and estimation of evolution of risk in their operations and forecasts. CBI supervises all non-bank financial institutions such as payment institutions, pension funds, investment funds and insurance companies etc. CBI/FSA therefore possesses a first-hand overview of the banking sector and non-bank financial sector and its developments. The outcome of this review is incorporated into not only the risk assessment in SREP for each supervised entity but in an aggregated way to assess the banking sector which is regularly presented to the FSN and the FMEN. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor, in conjunction with other relevant authorities, identifies, monitors and assesses the build-up of risks, trends and concentrations within and across the banking system as a whole. This includes, among other things, banks’ problem assets and sources of liquidity (such as domestic and foreign currency funding conditions, and costs). The supervisor incorporates this analysis into its assessment of banks and banking groups and addresses proactively any serious threat to the stability of the banking system. The supervisor communicates any significant trends or emerging risks identified to banks and to other relevant authorities with responsibilities for financial system stability. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
The FME monitors, identifies and assesses the build-up of risks (e.g., credit and problem assets/adequacy of provisioning, liquidity and funding risk, market and IRRBB, etc.), trends and concentrations within and across the banking system as a whole through different supervisory means such as different on-site and off-site inspections, reviewing of regular reporting from the banks, through the SREP process. The FME communicates significant trends and emerging risks to the banks through the SREP process as well as by other different means depending on each situation. System-wide risks, such as those arising from international imbalances or excessive risk concentration potentially leading to sectorial bubbles (e.g., residential, or commercial real estate) are monitored by the FSU. It is based on analysis performed by CBI/FSA and other EU institutions, particularly macro-prudential analysis. Sectorial analysis also facilitates the understanding of key market developments. The most important findings of the banks are regularly reported to CBI committees where the MoFEA is present. The financial position and the major concerns of the supervisors regarding the condition of the banks or the banking sector is presented to the FSN and the FMEN quarterly and more frequently if required by certain circumstances. Furthermore, Directors within CBI/FSA have weekly meetings where major concerns can be discussed if needed. Last, CBI publishes its Financial Stability report twice a year wherein all macroeconomic variables, significant trends and emerging risks are discussed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
Drawing on information provided by the bank and other national supervisors, the supervisor, in conjunction with the resolution authority, assesses the bank’s resolvability where appropriate, having regard to the bank’s risk profile and systemic importance. When bank-specific barriers to orderly resolution are identified, the supervisor requires, where necessary, banks to adopt appropriate measures, such as changes to business strategies, managerial, operational and ownership structures, and internal procedures. Any such measures take into account their effect on the soundness and stability of ongoing business. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and findings re EC6 |
As part of CBI/FSA’s on-going SREP assessment, analysis is carried out regarding banks’ organization structure, systems, outsourcing arrangements, etc., taking into consideration the bank’s risk profile and systemic importance. The objective of this assessment is to provide the foundation for a strategy/or measures that CBI/FSA should adopt to ensure resolvability issues are dealt with in advance of a problem. At the FSN’s meeting of 28-29 September 2021, the Resolution Authority45 presented draft resolvability assessments for the D-SIBs. Thereafter, the FMEN’s opinion of the resolvability assessments was sought (as per the FSN’s Rules of Procedures). After no comments from the FMEN, at the meeting held 5 November 2011 (minutes published on 29 November 2011), the FSN approved the resolvability assessments of the D-SIBs (no major requirements for D-SIBs resulted from the resolvability assessments - especially given the straightforward ownership structure of the banks post financial crisis) . No issues remain with respect to CBI/FSA’s ability to resolve the D-SIBs. Assessors noted that the financial supervisors did not provide input into the drafting of the resolvability assessments prior to being submitted to the FSN. Although the FMEN was able to provide input/comments after the development of the resolvability assessment. It would be beneficial to involve the financial supervisors in future versions, given their deep knowledge of the D-SIBs. Furthermore, on 26 April 2022, CBI announced publicly46 that the Resolution Authority prepared approved resolution plans for Iceland’s D-SIBs. (please see EC7 for more details on the role of the Resolution Authority and the resolution plans put in place for the D-SIBs). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor has a clear framework or process for handling banks in times of stress, such that any decisions to require or undertake recovery or resolution actions are made in a timely manner. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
CBI/FSA has an internal framework in place for handling banks in times of stress. At the outset, early detection of bank weaknesses are considered a part of the SREP process and the regular monitoring of each bank. KRI’s have been defined for each risk and signs of increased risk are addressed in the risk assessment. The close co-operation between supervisors within the Banking Department, Compliance and Financial Stability ensures that any signs of stress are addressed in a timely manner. CBI/FSA does have the ability to call an emergency or special FMEN meeting to deal with an emerging issue with a problem bank. Further, CBI/FSA has a framework and operational processes for handling banks in times of elevated stress that require actions to be taken in a timely manner. Internal mechanisms for dealing with problem banks are established however a document formalizing the escalation process is in the midst of being finalized. A working group is in the process of drafting a manual to formally describe the framework and the escalation process within CBI for handling banks in times of stress related to own funds or liquidity. This document reflects expectations of CBI/FSA supervisors to raise issues on a timely basis up to senior management and including the use of intervention tools, strategies and enforcement actions (such decisions are taken by the FMEN). Moreover, part of the framework includes ensuring that D-SIBs (that make up 94 percent of total assets in the banks sector as at end of June 2022) have both a recovery and resolution plan in place. Early intervention is considered by CBI/FSA when:
Assessors are of the view that waiting until the overall SREP score or the viability score for one of the main risk elements is rated 4 would not be deemed “early intervention”. CBI should re-assess when it chooses to undertake “early intervention” measures to ensure it acts on a timely basis when necessary. Further, CBI/FSA should be taking corrective action well before banks reach regulatory capital and/or liquidity prudential requirements. Supervisory measures are utilized when needed as stipulated in Article107(a) of Act No. 161/2002. Article107(c) outlines all early intervention tools available to CBI/FSA which is also in line with the EBA GL on triggers for use of early intervention measures (EBA/GL/2015/03), pursuant to Article27(4) of Directive 2014/59/EU. Recovery plans, which have been prepared since 2017-18, are assessed on a yearly basis. Recovery plans are suited to list appropriate measures for recovery based on strategic analysis of core business lines and critical functions. CBI/FSA’s assessment of these plans includes a review of the proposed measures in connection to the scenario analysis is conducted in the recovery plan. Further, in accordance with Article 4, Paragraph 2, of the Act on Resolution of Credit Institutions and Investment Firms, No. 70/2020 (Act No.70/2020 or the Resolution Act) and Rule No. 1733/2021, CBI together with the Resolution Authority will, among other things, put in place resolution plans for the D-SIBs. It is the decision of the FMEN if an institution is deemed to be failing or likely to fail (i.e., those that are unable to service their liabilities or are highly likely to be unable to do so) with the Governor of CBI who takes the final decision on the resolution process itself. Further the resolution plans cover the execution of bank resolution in the event that their financial position deteriorates to the point that they are deemed failing or likely to fail. Should a D-SIB fail, the resolution plan assumes that it will be possible to resolve it quickly and securely, and without funding from the Treasury or CBI. Resolution is intended to ensure that households and businesses continue to have unrestricted access to critical functions, thereby supporting financial stability in Iceland. Arts 98-106 of Chapter XII of Act No. 161/2002 describes CBI’s legal framework in dealing with bank’s financial reorganization, winding up and mergers of financial undertakings in a crisis. All decisions of such nature are undertaken by the FMEN. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
Where the supervisor becomes aware of bank-like activities being performed fully or partially outside the regulatory perimeter, the supervisor takes appropriate steps to draw the matter to the attention of the responsible authority. Where the supervisor becomes aware of banks restructuring their activities to avoid the regulatory perimeter, the supervisor takes appropriate steps to address this. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
Article 20 and 21 of Act No. 161/2002 outlines the authorized activities of credit institutions and other permitted and ancillary activities. Further, Article 3 states that only legal entities that are licensed as credit institutions may operate by collecting deposits or other repayable funds from the public. Therefore, if a firm wishes to undertake banking activities or a current bank wishes to undertake a new area of business that is not outlined in its current license, it must first obtain the prior approval of CBI. CBI regularly monitors the market for any firms operating bank-like activities, as well as undertaking an annual project to actively survey the market for any new institutions within specific ISAT categories and checking for key wording linked to banking activities. If a firm is found to be undertaking bank-like activities without a license, further investigation is conducted and if appropriate, CBI can impose administrative fines (as per Article 110(1) of Act No. 161/2002) which states that CBI/FSDA may level administrative fines on any party violating Article 3, prohibiting pursuit of activities subject to license without an operating license. Further, CBI may inform the public through the publication of a transparency announcement (as per Article 9(a) of Act No. 87/1998). Decisions of this nature are taken by CBI’s FMEN. Internal procedures (e.g., CCQ) exist regarding what steps CBI representatives are required to address regarding a case of a firm undertaking bank-like activities. Last, CBI/FSA supervisors review banks’ activities, including any restructuring initiatives that could avoid or circumvent certain conditions of law, rules, and regulation. In each such case, the Authority responds appropriately and demands that the banks rectify the situation. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 8 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
FSA/FME fully implemented its risk based SREP framework in 2019 which is based on a proportionality approach, that takes into consideration the impact category rating of the institutions which results in a SREP score and distinguishes between the nature/intensity and frequency of the SREP. For a high impact banks, a full SREP is completed annually and is aligned with CBI/FSA’s minimum engagement model that include deep analysis of ICAAP/ILAAP, BMA, etc. Other categories of impact result in an analysis ranging from two to four years frequency which in practice does not provide adequate supervisory coverage for these institutions, as most of the financial supervisor’s time/attention is focused on the DSIBs. For example, the forth commercial bank (not a D-SIB), although classified as medium to low impact, has experienced additional growth, etc. in the past year which should therefore have resulted in additional frequency of supervisory assessment or contact with senior management of the bank. CBI undertakes a quarterly risk assessment analysis for high impact banks, speaks to bank’s senior management quarterly and rolls this assessment into the SREP framework culminating in a SREP score. CBI’s SREP methodology is very labor intensive, and therefore it is important to ensure it has an on-going, ever green view (e.g., not just annually) of the risk assessment/risk profile of the banks, especially for DSIBs. Last, CBI’s SREP methodology should reflect early intervention measures well before a bank reaches capital and/or liquidity minimum prudential requirements. Further, CBI should not wait until the overall SREP score or the viability score for one of the main risk elements is rated 4 to take intervention measures as this would not be deemed “early intervention”. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 9 |
Supervisory Techniques and Tools The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor employs an appropriate mix of on-site47 and off-site48 supervision to evaluate the condition of banks and banking groups, their risk profile, internal control environment and the corrective measures necessary to address supervisory concerns. The specific mix between on-site and off-site supervision may be determined by the particular conditions and circumstances of the country and the bank. The supervisor regularly assesses the quality, effectiveness and integration of its on-site and off-site functions, and amends its approach, as needed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
On-site and off-site supervisory functions are split amongst several departments within CBI/FSA that work very closely together and are described as follows:
The Banking Department oversees the SREP process cycle and will request, as part of the planning process, the on-site inspection team to undertake an area of particular concern. In addition, at times, there is a need for a follow-up inspection concerning any shortcomings that were found as highlighted in previous on-site inspections. During CBI/FSA’s Supervisory Work Programme process formal requests are made by the Banking Department for on-site inspections, together with a justification. Meetings are usually held with the Inspections department to further clarify the request, scope the inspections, including holding discussions to determine the best way to conduct the onsite. During each on-site inspection regular meetings are held between the Inspections department and Banking department to provide progress update. The IA of CBI/FSA regularly assesses the main processes for off-site and on-site supervision providing feedback and recommendations. Post-merger of CBI and the FSA, the IA undertook several reviews to ensure that the various areas dealing with banking supervision and regulation were working as it should. Assessors reviewed several D-SIB supervisory files pertaining to the quarterly risk assessment and risk report, SREP analysis (BMA, ICAAP and ILAAP) which appeared to be extensive in both in how the analysis is undertaken/captured and then communicated to banks. Any observations from on-site inspections are also rolled into these various assessments. Further, assessors reviewed example on-site inspection reports for various D-SIB “thematic reviews”. The on-site risk specialists are very knowledgeable, have industry experience and are very capable of undertaking reviews across various risk areas. The onsite inspections are generally carried out on a thematic review basis, covering all three D-SIBs. Individual follow-up inspections are carried out when necessary. It was noted that when undertaking an on-site credit risk review, the inspectors would choose a limited sample of credit files to review, albeit these files would potentially be classified as large exposures, and then make broader comments/conclusions on the bank’s overall practices. It is recommended that future on-site inspections are undertaken, particularly for the D-SIBs, with larger sample sizes and overall, a deeper scope across the various aspects of the risk area. Further, with the extensive EBA guidelines that have been released over the past several years, it would be beneficial for CBI to undertake deeper on-site inspections of the DSIBs’ various material risk areas to ensure adequate compliance with these newly adopted guidelines. Overall, the mix of off-site supervision with on-site inspection appears to be appropriate with most of the work being allocated to the D-SIBs. However, the approach of the onsite inspection should be re-assessed to ensure that the depth of the reviews encompasses, on a risk basis, the review of adequate policies and procedures, internal controls, including the strength of bank’s risk management processes. Further, CBI should implement a standard for the frequency of on-site inspections applicable for all banks, regardless of impact rating. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor has a coherent process for planning and executing on-site and off-site activities. There are policies and processes to ensure that such activities are conducted on a thorough and consistent basis with clear responsibilities, objectives and outputs, and that there is effective coordination and information sharing between the on-site and offsite functions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
As part of the annual supervisory planning process, the supervisory tasks planned for the following year is based on the outcome of the risk assessments undertaken over the prior year, together with the results of the SREP process and prior on-site inspections. In general, future tasks are scheduled to mitigate the risk identified using the most appropriate measures available (off-site or on-site inspections, follow-up meetings etc.). CBI/FSA’s methodology for the planning off-site risk assessment versus on-site inspections is also driven by the minimum engagement model (based on the impact rating) - please see CP8 EC1 for more detail. All tasks surrounding the planning cycle for both on-site and off-site supervisors is described in detail in CBI/FSA’s CCQ. For example, the list of the tasks for the following year that the off-site banking supervisors wishes the on-site inspectors to perform are listed as an input for the planning process. (VER-0107). Following this step, the CCQ then lists the processes that describe the “project planning” phase which helps determine the annual Supervisory Work Programme. Regular progress updates can be found as per processes VER-0041 and VER-0073 outlined in the CCQ. The off-site supervisors (owners) meet with the on-site inspection team to discuss planned tasks. The senior management of the Banking Department then decide/discuss what priorities need to take place for the coming year based on the resources available and finalize the Supervisory Work Programme for the following year, as well as prepare the budget planning process that results in a view of the Supervisory Work for the next 3-5 years. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor uses a variety of information to regularly review and assess the safety and soundness of banks, the evaluation of material risks, and the identification of necessary corrective actions and supervisory actions. This includes information, such as prudential reports, statistical returns, information on a bank’s related entities, and publicly available information. The supervisor determines that information provided by banks is reliable49 and obtains, as necessary, additional information on the banks and their related entities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI/FSA utilizes a variety of information, including prudential data (see CP10 for compliance with EBA reporting framework), additional reporting requirements, ad hoc data requests, data obtained from on-site inspections, risk reports and other documents directly from the bank, including shareholdings, as well as publicly available data to assess and evaluate the major risk categories on a monthly, quarterly, and annual basis. Additionally, CBI has an extensive data gathering from both supervised entities, other corporations, and institutions for various usage for central bank tools, such as Portfolio Loan Analysis (PLA), credit registry (corporate loans that provide collateral data and connected client/group information and data on real estate backed loans such as household mortgages). Not all data gathered by CBI (e.g., data collected by the FSU) is available to the Banking Department supervisors but if there is need for certain information available it can be requested and it is provided so long as personal client information is not released. CBI also subscribes to various databases and information centres like Bloomberg, S&P banking data (mostly used by the FSU). Further, CBI/FSA makes use of information from both open public sources as well as subscribed ones for on- and off-site supervision. Open sources like Firm registry - Skatturinn, National registry - Pjodskra (integrated into Vaki), Statistics Iceland from Hagstofan. With respect to shareholder information, Article19(4) of Act No. 161/2002 requires all financial undertakings to specify on its website the names and proportional holdings of all shareholders that hold 1 percent or more in the financial institution. Changes are to be updated in four days or less. Real owners are to be disclosed for legal entities that hold shares larger than 1 percent in the financial undertaking. Several CBI/FSA on-site thematic inspections have been carried out over the past 24 months to validate D-SIB’s reporting, covering the following topic: review data reporting in credit registry; the right use of SME-discount; review on the use of risk weights in COREP report - limited to certain risk weights and mitigation for loans with insurance in real estate (home and corporate); valuation review; and a review on forbearance50. All communications, findings and material important data are filed in OneCrm file management system of CBI/FSA. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor uses a variety of tools to regularly review and assess the safety and soundness of banks and the banking system, such as:
The supervisor communicates its findings to the bank as appropriate and requires the bank to take action to mitigate any particular vulnerability that have the potential to affect its safety and soundness. The supervisor uses its analysis to determine follow-up work required, if any. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
CBI/FSA uses a variety of tools to review and assess the safety and soundness of the banks as part of its SREP process and its quarterly monitoring risk assessment/risk reporting including KRIs. This assessment includes a review of: (a) the financial statements of the banks, issued on a quarterly basis. Following the review supervisors undertake meetings with the banks’ management to discuss CBI/FSA’s evaluation of risks inherent in the bank’s operations. (b) the banks business plans and models which are reviewed annually through the SREP process and challenged in this context. The different stress tests performed by the banks are also reviewed and challenged by CBI/FSA especially when analyzing the different types of risks in the SREP process (e.g., credit, concentration, liquidity and funding, market risk and IRRBB, etc.). (c) results of the quarterly risk assessment and risk reports provide senior management to make peer comparisons across all three of the D-SIBs. (d) results of bank’s stress testing is embedded in the ICAAP and ILAAP reports received and reviewed by CBI/FSA as part of its annual SREP assessment for the D-SIBs (less frequent review for the lower impact banks); and (e) corporate governance and internal controls are mainly monitored through the SREP process but also the evaluation of the eligibility and fit and proper conditions of the board of directors and the managing director of the bank is assessed regularly through off-site assessment processes. The quality of risk management of the various risk reviews is carried out when on-site inspections are undertaken but limited to the subject of the review (see CP15 for more information). Assessors are of the view that CBI does not undertake formal or deep assessments of bank’s corporate governance, including the quality of risk management or internal control functions, except through off-site analysis and when the on-site team happens to carry out a thematic on-site inspection (e.g., there is not a dedicated and focused review of corporate governance, etc.). The findings of the SREP process as well as off-site inspections are communicated to the banks including expectations on the requirements of banks to address any deficiencies identified. See EC8 for additional information on how the result of this analysis is carried out and the frequency of this communications. CBI/FSA follow-up with banks on its findings through the use of the bank IA, as well as through additional discussions or follow up on-site inspections. CBI/FSA tracks outstanding deficiencies in its internal system. Further, CBI/FSA also makes use of the EA to follow up on specific issues previously identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor, in conjunction with other relevant authorities, seeks to identify, assess and mitigate any emerging risks across banks and to the banking system as a whole, potentially including conducting supervisory stress tests (on individual banks or systemwide). The supervisor communicates its findings as appropriate to either banks or the industry and requires banks to take action to mitigate any particular vulnerability that have the potential to affect the stability of the banking system, where appropriate. The supervisor uses its analysis to determine follow-up work required, if any. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
CBI/FSA supervisory practices ensure constant awareness of the importance of individual institutions health and soundness for the banking and financial system as a whole. The Banking Department and the FSU work together with the purpose of identifying, assessing, and mitigating emerging risks, across banks and for the banking system as a whole. Risk is assessed on both on an individual bank and system-wide level in CBI. Macroprudential supervision stress tests are undertaken as part of the risk assessment under CBI/FSA’s SREP procedures as well as part of the bank’s recovery plan scenario analysis. Various stress tests and scenario analysis is used under and for assessment on various risk categories, according to Banking Department supervisory procedures that build on the SREP methodology. FSU and the Banking Department work together on assessing the stress test framework in ICAAP/ILAAP reports as well as the bank’s recovery plans. This analysis is mostly dedicated to the D-SIBs which represent close to 94 percent of total assets. Results of stress-tests, including potential vulnerabilities in D-SIBs overall risk profile is communicated to the bank. CBI’s approach is to adjust minimum capital or liquidity requirements for individual banks once vulnerabilities are detected. Assessors noted examples of where this is done in practice by CBI. FSU is also responsible for system wide stress test conducted by CBI. Macroprudential policy51 of CBI centres on safeguarding the stability of the financial system as a whole by limiting systemic risk. Its main objective is to enhance stability and increase resilience, thereby reducing the risk of financial shocks. In order to achieve its macroprudential objectives, CBI has macroprudential tools that it can apply when warranted. These tools generally take the form of CBI rules, including rules on capital buffers for financial institutions, foreign exchange balance, liquidity, and net stable funding, as well as rules restricting loan-to-value ratios and loan-to-income or debt service-to-income ratios for consumer mortgages. Decisions on the application of macroprudential tools are taken by the FSN. The Committee bases its decisions on an analysis of the position of the financial system, the financial markets, the economy as a whole, systemic risk, and resilience against potential shocks. CBI also carries out stress tests to evaluate resilience and conducts scenario analyses of key risk factors. The annual system wide stress test is a systemic one (e.g., a macroprudential stress test with a cyclical stress scenario). The scenarios used are published on CBI’s website and findings as well on aggregated level in the report in CBI’s Financial Stability Report. The credit registry gives a monthly overview of material exposures and systemic built up of risk in the banking system as a whole where financial undertakings with certain thresholds are required to report their loan portfolio to FME with the credit registry, version 3.0. FME can use this data and see how exposures to certain parties, connected parties or sectors is building up in the system and act on it if needed. The information is used to assess connections between debtors of banks and possible contagion effects between banks and to the economy as a whole. CBI/FSA recently received more extensive credit registry data that provides information for the whole loan portfolio of the bank beyond 300 million ISK. This will allow the FSU the ability to run special stress tests on the entire portfolio of banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor evaluates the work of the bank’s internal audit function, and determines whether, and to what extent, it may rely on the internal auditors’ work to identify areas of potential risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
CBI/FSA evaluates the work of the banks’ IA functions on a yearly and ad hoc basis. Once a year, at a minimum, the IA of D-SIBs reports to CBI/FSA on the conclusions of its reviews. The Banking Department meets with the bank’s IA to discuss the reviews undertaken and, in some cases, if the reviews are considered reliable, will rely on the results of such findings. Furthermore, the IA shall specifically and promptly report to CBI/FSA any comments made and submitted to the board of directors. The Banking Department/Compliance have asked for copies of IA reports of the D-SIBs for review of findings. Last, CBI/FSA may at any time subject the qualifications of the director of the IA to a special investigation if deemed necessary. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor maintains sufficiently frequent contacts as appropriate with the bank’s Board, non-executive Board members and senior and middle management (including heads of individual business units and control functions) to develop an understanding of and assess matters such as strategy, group structure, corporate governance, performance, capital adequacy, liquidity, asset quality, risk management systems and internal controls. Where necessary, the supervisor challenges the bank’s Board and senior management on the assumptions made in setting strategies and business models. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
As outlined in CBI/FSA’s SREP methodology for its minimum engagement model (e.g., the frequency of meetings with Board and senior management representatives is based on the bank’s impact assessment). For D-SIBs, this includes annual engagement with both the Board (which is made up entirely of external representatives) and senior management. Specifically, the Banking Department (together with risk specialists) meet quarterly with the CFO, CRO or their representatives) to discuss the quarterly financial statement and state and trend in material risk categories. Issues addressed are among many things financial results, strategy, operational trends, major operational events, credit risk, valuation of financial assets and asset quality etc. Further, as part of the SREP process a planned meeting is held for all material risk categories within the ICAAP/ILAAP where results of this assessment are presented. High level and middle management attend these meetings from the banks as well as relevant specialists for each risk category. Often more than one meeting is held for each risk. A special meeting is held for BMA where assumptions and presumptions are discussed as well as it helps assess macroeconomic assumptions used for forecasted business plan for 3-5 years. Before final results of the SREP risk assessment are presented to the financial undertaking/bank a draft is delivered and a meeting for that draft is held in case there are misunderstandings or misrepresentation of facts etc. in FME’s SREP results or capital requirements. Finally, after the formal opposition proceedings, findings of the SREP process are presented in letter to the board as well as a meeting is held with the board and senior management where relevant issues are addressed as well as the findings of the risk assessment and capital requirements. As indicated previously, this process is carried out for the D-SIBs only. The Banking Department occasionally contacts the banks’ Boards and Audit Committees on an ad hoc basis, as needed. However, CBI/FSA is in frequent formal and informal communications with the banks’ directors and senior and middle management in connection with various on-site and off-site inspections, requests, and applications, etc. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor communicates to the bank the findings of its on- and off-site supervisory analyses in a timely manner by means of written reports or through discussions or meetings with the bank’s management. The supervisor meets with the bank’s senior management and the Board to discuss the results of supervisory examinations and the external audits, as appropriate. The supervisor also meets separately with the bank’s independent Board members, as necessary. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
The findings of the SREP process are communicated to the banks first informally (via meetings), then draft findings are presented to the bank for in a report for formal opposition proceedings and then final letters are issued to the banks. If results in the SREP contain an assessment of Pillar 2 risks, this letter is posted on CBI/FSA’s website according to the transparency notices (Act No. 87/1998). With respect to on-site inspections, draft reports are provided to the banks prior to the exist meeting, this report also subject to formal opposition proceedings, with a final report issued a usually a couple of weeks after this exit meeting. The Banking Department then issues a formal letter with all requirements and recommendations as a result of the on-site examination which is sent to the bank. In this letter, the timeframe for finishing all amendments is defined and it is the Banking Department supervisors who are tasked with the follow up to ensure that relevant amendments are implemented by the bank. The findings of any particular off-site inspection are communicated to the banks on various case specific issues and based on the inspection’s level of formality, depending on the severity of the issue /issues at hand. In a formal off-site inspection, the findings are communicated through a formal report following the similar procedure as on-site inspection and delivered with a formal letter and communication process. In a less formal inspection, findings can be communicated to the bank by letter, at a meeting, through email or in a phone conversation. All findings are accounted for in the SREP risk assessment process. If findings are severe and need boards involvement necessary measures are taken, including valuating if the matter calls for revaluation of SREP risk assessment. Results of on-site inspections sent to the senior management of the bank and the final decision letters are sent to the BOD. Assessors note that the on-site inspection reports should also be provided to the BOD to ensure awareness of the detail of CBI/FSA’s findings. Furthermore, assessors noted the substantial time lag (up to 8 months) between the results of the inspection reports being handed over to senior management of the bank and the final letter on the results of the on-site inspection issued to the BOD. CBI/FSA should re-assess its timeliness of communication with the BOD with regards to the on-site inspection formal letters as the time lag between when the on-site inspection report is issued and the formal supervisory letter is issued, could cause confusion with the bank’s BOD/senior management as to what deficiencies are still outstanding, etc. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The supervisor undertakes appropriate and timely follow-up to check that banks have addressed supervisory concerns or implemented requirements communicated to them. This includes early escalation to the appropriate level of the supervisory authority and to the bank’s Board if action points are not addressed in an adequate or timely manner. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
CBI/FSA’s SREP framework entails continuous communication with the D-SIB (less so for savings banks), KRI and risk assessment monitoring. CBI/FSA’s Vaki internal reporting systems tracks all outstanding requirements and recommendations as well as findings that require further investigation or follow-up where specific timelines/deadlines for action is tracked. This electronic system will send automatic notifications to the Banking supervisor for follow-up, this helps ensure nothing is left unattended in the follow-up process. Urgent matters regarding for example a bank becoming aware of a breach of a capital or liquidity requirement prior to CBI/FSA, are required to report such issues immediately. CBI/FSA then determines how such issues are handled according to its severity and urgency. KRI and regular quarterly risk assessment monitoring also ensures issues are follow-up on a timely basis. If the matters under consideration are deemed material, CBI/FSA will re-consider the risk score of the SREP assessment. CBI senior management are notified as well as approve any actions or update to the SREP assessment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC10 |
The supervisor requires banks to notify it in advance of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including breach of legal or prudential requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC10 |
Article 9(2) of Act No. 87/1998 states that the FSA shall be notified in advance, as applicable, of any changes in previously submitted information, including information concerning the board of directors or managing directors, any increase or decrease in the number of branches, and when a financial undertaking no longer meets the conditions for the issue of an operating license. CBI/FSA receives notifications regarding various changes in the banks’ activities, structure, and conditions. For example, the banks frequently inform CBI/FSA in due time of major changes or foreseeable breaches of laws, rules, or regulations. The notifications are usually informal at first and subsequently require a meeting with the banks or that the banks write a formal letter to CBI/FSA. Notification of some changes is done through regular reporting. Last, banks are required to provide notification to CBI/FSA of any structural changes as per Article21 (2) and Article22 of Act No. 161/2002. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC11 |
The supervisor may make use of independent third parties, such as auditors, provided there is a clear and detailed mandate for the work. However, the supervisor cannot outsource its prudential responsibilities to third parties. When using third parties, the supervisor assesses whether the output can be relied upon to the degree intended and takes into consideration the biases that may influence third parties. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC11 |
Article9(2) of Act No. 161/2002 states that the FSA may appoint an expert to investigate certain aspects of the activities or operations of a regulated entity, or to undertake other specific supervision of such an entity. CBI/FSA performs its supervision to large extent with its own staff. Occasionally CBI/FSA hires an independent third party to assist its employees with specific tasks such as an onsite inspection. CBI/FSA in this case would assess its degree of reliance on such work with third parties. CBI/FSA seeks to assess the ability of the third party to perform the task in question professionally and subjectively considering relations and potential interests. Third parties sign statements in this regard and agreement are made for their mandate. Various internal checklists are outlined in CBI/FSA internal requirements and include:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC12 |
The supervisor has an adequate information system which facilitates the processing, monitoring and analysis of prudential information. The system aids the identification of areas requiring follow-up action. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC12 |
In recent years CBI/FSA has increased its ability to store, process, monitor and analyze information automatically by developing its IT systems and its business intelligence capabilities. Streamlining information gathering across the post-merger of CBI/FSA in order to ease the burden of reporting with the common reporting framework (EU) is in progress. Further, much work is being undertaken to implement solutions for supervisors to access and analyze relevant data (e.g., newly developed Power BI tool) as well as implementing solutions for supervisors to access and analyze relevant data. Older outdated solutions are in the process of being outed like Targit and InfoPath reports. In addition, the data warehouse stores sources of information that is accessible to relevant employees through various tools and analysis, like PBI, Vaki and K-helix. Analysis of the prudential data in COREP, FINREP, PLA and the credit registry reports are an important part of the supervision and build the foundation for KRI monitoring along with the EBA risk reporting framework. CBI/FSA has implemented its KRI system wherein many indicators with defined limits indicate warning signals that supervisors must take into account in their regular monitoring and risk assessment reporting. Although Vaki is designed to store and structure the risk-based supervision, risk assessment and supervisory information as well as document KRI breeches, it is still somewhat under development due to technical issues. Results of SREP reports, including the conclusion of SREP and letters sent as a result of an on-site inspection are documented and tracked in Vaki (see ECX for more detail). Furthermore, risk assessment, with recommendations for on- or off-site inspections or other supervisory measures, is stored in Vaki and used in supervisory planning process as well. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Additional Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
AC1 |
The supervisor has a framework for periodic independent review, for example by an internal audit function or third party assessor of the adequacy and effectiveness of the range of its available supervisory tools and their use, and makes changes as appropriate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re AC1 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 9 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
CBI’s off-site supervision function undertakes the full SREP assessments, however the scope for the on-site program needs to encompass a broader scope of review work (not just thematic reviews focusing on specific risk areas of concern), covering not only material risks but deep assessments of corporate governance, including the quality of risk management and internal control functions, with a risk-based approach over a multi-year cycle. While on-site inspectors carry out their inspections on a timely basis (inspection reports are provided to management only), banks’ Board of Directors only receive “formal letters’, which include remedial/corrective actions that are being issued with at times delays as supervisors await the results of all three on-site inspections to be completed (to ensure consistency in findings) and legal sign off on letters. This current process is undermining the effectiveness of CBI’s communication which needs to be done on a timely basis. CBI’s internal standard on completion of reviews (e.g., the issuance of the formal letters to the Board within 4 weeks), should be adhered to. Further, CBI should implement a standard for the frequency of on-site inspections applicable for all banks, regardless of impact rating. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 10 |
Supervisory Reporting The supervisor collects, reviews and analyses prudential reports and statistical returns52 from banks on both a solo and a consolidated basis, and independently verifies these reports through either on-site examinations or use of external experts. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor has the power53 to require banks to submit information, on both a solo and a consolidated basis, on their financial condition, performance, and risks, on demand and at regular intervals. These reports provide information such as on- and off-balance sheet assets and liabilities, profit and loss, capital adequacy, liquidity, large exposures, risk concentrations (including by economic sector, geography and currency), asset quality, loan loss provisioning, related party transactions, interest rate risk, and market risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Article 32 of Act. No. 92/2019 and Article107 of Chapter XIII of Act No. 161/2002, provides CBI/FSA with the authority to require banks to submit all information that it deems necessary, on both a solo and consolidated basis. Article107 (2-6) states that: The FSA may demand any sort of documentation or information from subsidiaries or affiliates, or from other parties regarded as having close connections with a financial undertaking, which the FME regards as necessary in the course of its supervision of the financial undertaking concerned. The FSA may demand any sort of data or information from holding companies in the financial sector or mixed holding companies, provided the FME deems such information necessary for its supervision of financial undertakings that are subsidiaries of these holding companies. The FSA shall oversee dealings by a financial undertaking with its subsidiaries and affiliated companies, companies that control or have holdings in the financial undertaking, and other subsidiaries and affiliated companies of such companies. Furthermore, the FME shall keep track of dealings between a financial institution and individuals with holdings of 20 percent or more in the above-mentioned companies. Financial undertakings shall provide the FSA with a report on such dealings in accordance with its specific instruction. Where the dealings are made with enterprises or individuals in other states, cooperation between supervisory authorities shall be as provided for in international agreements to which Iceland is a party and cooperation agreements concluded by the FSA on their basis. The FSA may, at the request of supervisory authorities in another state, verify information from parties in Iceland subject to supplementary supervision of financial conglomerates. The supervisory authorities concerned may participate in efforts to verify such information. Should the FSA be of the opinion that activities covered by this Act are pursued without the required authorization, it may demand from the parties concerned or parties subject to supervision such data and information as are necessary to determine whether such is the case. It can demand that such activities be ceased immediately. In addition, it may make public the names of parties regarded as offering services without the required authorization. Article 9 of Act No. 87/1998 states the FSA shall inspect the operations of regulated entities as often as deemed necessary. These entities are required to grant the FSA access to all their accounts, minutes, documents, and other material in their possession regarding their activities which the FSA considers necessary. CBI/FSA has adopted and implemented EBA reporting framework and validation rules. Lists for regular reporting to CBI/FME is publicly available for each sector54 covering both EBA reports and CBI/FSA reports. Example of various amendments requirement for rereporting based on data validation rules have been numerous in recent years. CBI receives the following standardized reports according to CBI’s data reporting process, that includes solo (parent bank), consolidated (group) as well as on and off-balance sheet information and include: Monthly: (either from parent companies and/or subsidiaries)
Quarterly:
Semi-annually:
Annually:
In addition to the above referenced reports, additional information is routinely collected and verified as part of on-site and off-site inspection and as well as ad-hoc inquiries. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor provides reporting instructions that clearly describe the accounting standards to be used in preparing supervisory reports. Such standards are based on accounting principles and rules that are widely accepted internationally. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Article 88 of Act No. 161/2002 states that the annual accounts must give a clear picture of the financial position and operating performance of the financial undertaking. They must be compiled in accordance with law, rules, and good accounting practices, and include, for instance, a profit and loss account, a balance sheet, explanatory notes, and information on off-balance-sheet items. The D-SIBs have implemented the IFRS accounting standards as stipulated by Chapter VIII of Act. No. 3/2006 on Annual Accounts. Rules No. 834/2003 on the Financial Statements of Credit Institutions apply to the smaller savings banks as they have not implemented the IFRS standards. CBI is of the view that it would be too onerous to have the smaller savings banks adhere to the IFRS standards - opting for the continued use of Rules No. 834/2003. The FSA has issued the following Rules relating to annual accounts of financial undertakings which provide clear reporting instructions to banks:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor requires banks to have sound governance structures and control processes for methodologies that produce valuations. The measurement of fair values maximizes the use of relevant and reliable inputs and is consistently applied for risk management and reporting purposes. The valuation framework and control procedures are subject to adequate independent validation and verification, either internally or by an external expert. The supervisor assesses whether the valuation used for regulatory purposes is reliable and prudent. Where the supervisor determines that valuations are not sufficiently prudent, the supervisor requires the bank to make adjustments to its reporting for capital adequacy or regulatory reporting purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
FSA has issued methodology and benchmarks for assessing risk systematically in the SREP process. These benchmarks are reviewed regularly. The supervisor assesses whether the valuation used for regulatory purposes is reliable and prudent. IFRS 9 standards are required in accordance with Chapter VIII of Act No. 3/2006. The requirements set out in the Chapter are consistent with the EU Accounts Directive. Smaller banks that have not implemented the standards must prepare their accounts in accordance with Chapter VII (valuation rules) of Rules No. 834/2003. All banks are required to have audited financial statements utilizing appropriate valuation methodologies and practices. Financial undertakings are required to have their financial statements audited by certified auditors. Part of the audit and the discussion with the auditor of supervised entities involves discussing value of financial assets and valuation methods. The supervisor may disagree with the financial undertaking on what constitutes a prudent valuation and may require banks to either write down (impair) assets or increase the own funds requirement. CBI/FSA legislation, rules or guidelines (including EBA guidelines) do not specifically require that bank’s valuation framework and control procedures be subject to adequate independent validation and verification, either internally or by an external expert. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor collects and analyses information from banks at a frequency commensurate with the nature of the information requested, and the risk profile and systemic importance of the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
CBI/FSA collects and analyses data from banks in accordance with the impact assessment of the banks based on its SREP Methodology. Please see EC1 for detail on the type and frequency of reporting to CBI/FSA by banks. D-SIBs are required to file FINREP prudential reporting which provides more in-depth data and at a greater frequency than the COREP reporting applicable to savings banks with less frequency and data points. CBI collects information regarding KRIs, as well as for the regular monitoring to undertake its risk assessment of banks according to supervisory handbook of FME (CCQ). Post-merger, CBI/FSA is working towards the streamlining of information gathering, the data warehouse and the way information is accessible to supervisors. Still all reported data is available and accessible through legacy systems and PowerBI software. FME has adopted the EBA data model framework and collects EBA material reports. Risk indicators of the EBA risk framework have been in use and FME uses KRI approach in its regular monitoring and risk assessment. The risk management procedure (see CP 8 and 9) of the FME and of CBI ensure that information is collected, analyzed, and reviewed according to risk-based supervision. Analysis is conducted at intervals corresponding with reporting frequency and calibrated to the significance of data collected for risk analysis (e.g., liquidity reports are collected and analyzed monthly, whereas less important data may be collected and analyzed with lower frequency). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
In order to make meaningful comparisons between banks and banking groups, the supervisor collects data from all banks and all relevant entities covered by consolidated supervision on a comparable basis and related to the same dates (stock data) and periods (flow data). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
As described in EC 1 and 2, reports and data are collected by the FSA from all credit institutions are on a comparable basis and related to the same dates and periods as appropriate. Risk assessment, KRI-approach and regular monitoring include cross comparison and tends between reporting periods. FINREP and COREP data collection is put through various validation exercises (in accordance with EU requirements), and therefore CBI/FSA is able to draw meaningful comparisons between banks. Data is collected from all relevant entities covered by consolidated supervision; however, the legal structure of the D-SIBs is very straight forward with no cross border operations, without any issues regarding whether dates and periods are questionable. Another way to compare data from banks is to use EBA published data like the quarterly risk dashboard and annual transparency exercises information where banks, countries etc. can be compared. Now that the EBA has expanded its data collection under EUCLID to include all credit institutions in the EC/EEA a larger set of data for comparable institutions is expected to become available. Also, CBI has access to S&P Global Market Intelligence data and can, when necessary, compare various data to set of banks and companies around the world. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor has the power to request and receive any relevant information from banks, as well as any entities in the wider group, irrespective of their activities, where the supervisor believes that it is material to the condition of the bank or banking group, or to the assessment of the risks of the bank or banking group or is needed to support resolution planning. This includes internal management information. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
CBI/FME has the power to request and receive any relevant information from banks or any related party where it is believed to be material for the supervision or to the financial position of the bank as per Article9 (3) of Act No. 87/1998 states that both individuals and legal entities are required to: In connection with its supervision and investigations under the provisions of special legislation, natural and legal persons are required to supply the Financial Supervisory Authority with any information and material the Authority considers necessary. In this context it is of no relevance whether the information concerns the party to which the request is directed or transactions with other parties on which the party is able to supply information which concerns the investigation and supervision of the FSA. Provisions of law concerning confidentiality do not restrict the obligation to provide information and access to data. This shall not apply to information obtained by legal professionals in the course of ascertaining the legal position of their client, including advice on instituting or avoiding judicial proceedings, or information obtained before, during or after the conclusion of judicial proceedings if the information is directly related to such proceedings. Please see EC1 for more detail. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor has the power to access55 all bank records for the furtherance of supervisory work. The supervisor also has similar access to the bank’s Board, management and staff, when required. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Article 9(1) of Act 87/1998 and Article107 of Act No. 161/2002 states that CBI/FSA has the power to have full access to information regarding its supervisory work (see EC1 for more detail). Article 9 of Act No. 87/1998 states the FSA shall inspect the operations of regulated entities as often as deemed necessary. These entities are required to grant the FSA access to all their accounts, minutes, documents, and other material in their possession regarding their activities which the FSA considers necessary. As part of risk-based supervision regular interviews are conducted with board and high-level management and can be conducted on ad-hoc basis as well. Onsite inspections are also conducted where all bank data and information are made available on basis of forementioned legal requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor has a means of enforcing compliance with the requirement that the information be submitted on a timely and accurate basis. The supervisor determines-the appropriate level of the bank’s senior management is responsible for the accuracy of supervisory returns, imposes sanctions for misreporting and persistent errors, and requires that inaccurate information be amended. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
Article11 (Penalties and daily fines) of Act No. 87/1998 states that the FME has the power to impose penalties if the regulated entity fails to provide the requested information or fails to heed requests for rectifications within a reasonable time limit. Further, Article112(b)(2) of Act No. 161/2002 states that deliberate misreporting to an official is a criminal offence punishable by up to 2 years imprisonment. Last, CBI has comprehensive legal powers that can be applied to gather data or information as well as enforcement aid as per Chapters IX and XI of Act No. 92/2019. The FME imposes penalties in the form of ’per diem’ fines if banks fail to provide the requested information within a set time limit. The FME also follows up to ensure that inaccurate information is amended in a timely manner. FME has imposed such penalties in practice (as described above) as well as for bank’s misreporting or for persistent errors. The authorized official of the bank must sign all supervisory returns. Also, automated reminder notices via e-mail of upcoming reporting due dates are delivered 5-7 days to the bank before the due date by FSA’s reporting system. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The supervisor utilizes policies and procedures to determine the validity and integrity of supervisory information. This includes a programme for the periodic verification of supervisory returns by means either of the supervisor’s own staff or of external experts.56 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
CBI/FSA applies professional skepticism in its risk-based supervision on qualitative and quantitative information. KRI-review is used in addition to delta analysis of reported data, followed by off-site communications when needed. The verification is supplemented by on-site visits. Comparison of financial reporting is also compared to risk reporting like FINREP. The FSA has defined, implemented, and issued a high-level process for data reporting to ensure consistency in the FSA approach to determining the validity and integrity of supervisory information. A process and procedure for Data Quality Assurance (DQA) rules have been implemented in the FSA Management-IT systems which result in defective data submissions being either rejected or flagged for follow-up. As part of this framework FSA has adopted the EBA Data Model and its validation framework and validation rules are applied for data integrity and reporting in other FSA’ reports like Credit registry. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC10 |
The supervisor clearly defines and documents the roles and responsibilities of external experts,57 including the scope of the work, when they are appointed to conduct supervisory tasks. The supervisor assesses the suitability of experts for the designated task(s) and the quality of the work and takes into consideration conflicts of interest that could influence the output/recommendations by external experts. External experts may be utilized for routine validation or to examine specific aspects of banks’ operations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC10 |
Article9(2) of Act No. 87/1998 states that: The FSA may appoint a specialist for inspecting certain aspects of the operations or management of a party subject to supervision, or to undertake specific supervision of such a party. The specialist shall be appointed for a specific period, but no longer than four weeks at a time. The specialist is entitled to working facilities on the premises of the party subject to supervision, and shall be given access to all requested accounts, minutes, documents, and other material in their possession. The specialist is entitled to attend meetings of the board of the party subject to supervision as an observer with the right of speech. His obligation to observe secrecy shall be in accordance with Chapter IV of this Act. The party subject to supervision shall carry the expense of the specialist’s work, in part or whole, as estimated by the FSA. The FSA defines and documents the roles and responsibilities of external experts, including the scope of the work, and monitors the quality of the work. Procedure thereabout is available to FSA if needed. Further Article94 of Act No. 161/2002 states that the FSA may carry out special audits and engage a State Authorized Public Accountant for this purpose. Please see CP9 EC11 for more detail. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC11 |
The supervisor requires that external experts bring to its attention promptly any material shortcomings identified during the course of any work undertaken by them for supervisory purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC11 |
When an external expert is appointed by the FSA according to Article9 of Act No. 87/1998 indicates that a contract is signed that requires the expert in question to inform the FSA about any material shortcomings identified regarding the operation of parties subject to supervision. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC12 |
The supervisor has a process in place to periodically review the information collected to determine that it satisfies a supervisory need. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC12 |
CBI/FSA has defined a high-level process for the review of all data reporting to ensure that supervisory data needs are being met. The process includes the performance of an annual assessment as part of the planning process when determining the banks’ mandatory reporting requirements and submission schedule for the following year. CBI/FSA has a process for assessing and reviewing incoming data and this process is being adapted for the overall merged CBI. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 10 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
CBI’s IT infrastructure, supervisory data collection and interfaces built or being built for supervisors is very dynamic. CBI collects data from a variety of sources (FINREP, COREP and goes beyond the EU framework LPA, credit registry data, ad hoc data requests etc.). Further, the interfaces in the process of being built or are built (Power BI,Vaki) enable supervisors to effectively work with key data points, produce graphs and analysis to support the SREP and risk assessment processes. Further, CBI utilizes data verification methodology in line with EU expectations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 11 |
Corrective and Sanctioning Powers of Supervisors The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the banking license or to recommend its revocation. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor raises supervisory concerns with the bank’s management or, where appropriate, the bank’s Board, at an early stage, and requires that these concerns be addressed in a timely manner. Where the supervisor requires the bank to take significant corrective actions, these are addressed in a written document to the bank’s Board. The supervisor requires the bank to submit regular written progress reports and checks that corrective actions are completed satisfactorily. The supervisor follows through conclusively and in a timely manner on matters that are identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Article10 of Act No. 87/1998 states that if a bank does not comply with laws or regulations, CBI must order that the situation be rectified within a reasonable time limit. CBI must opine on any aspect of the situation or operation of a regulated entity that it considers unsound and inconsistent with proper business practices in other respects. Should that situation arise, CBI may call a meeting of the board of directors to discuss its comments and demands, and ways to rectify the situation. A representative of CBI may chair the meeting and have the right to speak and make proposals. If on-site and/or off-site inspections reveal that a bank does not comply with laws and regulations, the bank is required to make corrections/take corrective actions within a defined time limit communicated in writing. Following on-site inspections CBI requires the IA of the bank to assess whether corrective actions have been met. CBI also assesses whether corrective action have been completed in a satisfactorily manner. The findings of CBI are always in written form, addressed to the bank’s BOD or its CEO, as per Article108 of Act No. 161/2002 states that the FSA shall justify its decisions in writing regarding the application of supervisory powers or penalties pursuant to this Act. For example, assessors noted that in certain cases where material findings from such a review result in the inspection report being provided to the CEO instead of the BOD. CBI/FSA should ensure that all inspections reports are provided to bank BODs/Audit Committee and not just the CEO. (noted in CP9) In addition, assessors noted that CBI/FSA tend to make use of an assessment of additional capital rather than make use of the other intervention tools/measures outlined in Article107(a) of Act No. 161/2002. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor has available58 an appropriate range of supervisory tools for use when, in the supervisor’s judgment, a bank is not complying with laws, regulations or supervisory actions, is engaged in unsafe or unsound practices or in activities that could pose risks to the bank or the banking system, or when the interests of depositors are otherwise threatened. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Article107(a) and (c) of Act No. 161/2002 provides CBI/FSA with a range of appropriate options for intervention when a bank is not complying with laws, regulations, rules or guidelines. Article107(a) is used for less severe situations. If the credit institution does not fulfill legal and regulatory requirements of if CBI is of the opinion that, within the next 12 months, it is likely that a credit institution will not be in a position to fulfil legal or regulatory requirements, CBI can impose certain measures upon the credit institution, the choice of which is appropriate given the gravity of the situation (Article 107 A (3)) Article107 (c) is used when the financial situation has further deteriorated: When the credit institution violates the Act (161/2002), or its regulations, or increasingly serious financial situation (including worse liquidity position, increased leverage or increased defaults) makes it more likely that it will violate the Act or its regulations (cf. 107 9(c)(1)) as well as subject to per diem fines pursuant to Article 11 of Act 87/1998.. See EC4 for a full description of tools. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor has the power to act where a bank falls below established regulatory threshold requirements, including prescribed regulatory ratios or measurements. The supervisor also has the power to intervene at an early stage to require a bank to take action to prevent it from reaching its regulatory threshold requirements. The supervisor has a range of options to address such scenarios. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI/FSA has the power to intervene at an early stage to require banks to address issues. Specifically, Article107(a) and (b) of Act 161/2002 outlines the ability of CBI to require banks to hold additional capital well before the breach of regulatory ratios and states that: The FSA shall notify financial undertakings of the guidance on additional own funds it deems desirable, in particular on the basis of a stress test as provided for in the seventh paragraph of Article 80, in excess of its obligations under this Act and the requirements of the FSA laid down in Art.107(a) to cover risks that the obligation does not cover sufficiently. CBI has a range of options to address scenarios described in EC2 and EC3 - please find description of supervisory measures and tools in EC4. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor has available a broad range of possible measures to address, at an early stage, such scenarios as described in essential criterion 2 above. These measures include the ability to require a bank to take timely corrective action or to impose sanctions expeditiously. In practice, the range of measures is applied in accordance with the gravity of a situation. The supervisor provides clear prudential objectives or sets out the actions to be taken, which may include restricting the current activities of the bank, imposing more stringent prudential limits and requirements, withholding approval of new activities or acquisitions, restricting or suspending payments to shareholders or share repurchases, restricting asset transfers, barring individuals from the banking sector, replacing or restricting the powers of managers, Board members or controlling owners, facilitating a takeover by or merger with a healthier institution, providing for the interim management of the bank, and revoking or recommending the revocation of the banking license. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
CBI/FSA has an appropriate range of supervisory measures to address, at an early stage, when a bank is not complying with laws, regulations, rules and/or guidelines. Article107(a) of Act 161/2002 outlining supervisory powers states that the FSA shall demand that a financial undertaking take the necessary corrective measures in a timely manner if the undertaking does not comply with the provisions of this Act, as well as the regulations and rules adopted by virtue of it. If, on the basis of data or information in its possession, the FSA considers it likely that a financial undertaking will not be able to comply with the provisions of this Act within the next 12 months, as well as the regulations and rules deriving from it, the FSA shall require the financial undertaking to take the necessary corrective measures in a timely manner. Corrective measures may include, among other things, the application of powers pursuant to this Article or other provisions of the law that are necessary to respond to the situation of the relevant financial undertaking. To enforce the requirements and follow up on the evaluation as provided for in Article 80 and the fourth and fifth paragraphs of Article 81, third paragraph of Art.109(ff) and Regulation (EU) no. 575/2013, the FSA is authorized to prescribe: 1. higher own funds requirements than those laid down in Regulation (EU) no. 575/2013 2. improvements to internal processes, cf. Chapter IX, 3. that a financial undertaking present a special plan on how the undertaking will fulfil the requirements of this Act as well as the regulations and rules deriving from it, and set deadlines for financial undertakings regarding the implementation of the plan, including due to delays or improvements made to the plan. 4. write-down of assets in the calculation of own funds. 5. limiting or restricting a financial institution’s activities or, as applicable, sale or assets or business units that create excessive risk. 6. reduction of the risks entailed by the undertaking’s activities, products or system, including due to outsourced activities. 7. that financial undertakings limit bonuses to a percentage of net profits when payouts lead to insufficient own funds. 8. that financial undertakings use net profits to strengthen its own funds. 9. that dividend and interest payments to shareholders, guarantee capital owners and owners of additional Tier 1 instruments shall be limited or prohibited, provided this does not cause the financial undertaking to default. 10. Imposing specific liquidity requirements, including due to maturity mismatches between a financial undertaking’s assets and liabilities. 11. More frequent reporting requirements. 12. Additional disclosure to the market. Article107(c) of Act No. 161/2002, which outlines early interventions by the FSA states that the FSA can apply early interventions against a credit institution or investment firm with guarantee capital if: a. the undertaking violates the provisions of this Act or government directives based on them and regulations established on their basis, including Regulation (EU) no. 575/2013 or b. it is likely that, due to a deteriorating financial situation, including a deteriorating liquidity position, increased hedging, increased defaults by borrowers or a concentration of exposures, that the undertaking will violate the Act or government directives as provided for in point (a). If the circumstances referred to in points (a) or (b) exist, the FSA can implement or demand that a credit institution or investment firm take at least one or more of the following actions: 1. Take measures prescribed in the recovery plan or update the recovery plan and carry out actions according to the updated plan. 2. Submit an action plan with a timeframe to the Financial Supervisory Authority. 3. Call a shareholders’ meeting or guarantee capital owners meeting. If that requirement is not complied with, the Financial Supervisory Authority can call a shareholders’ meeting or guarantee capital owners meeting. In both cases, the Financial Supervisory Authority determines the agenda of the meeting and can demand that certain issues be discussed and decided upon. 4. Dismiss one or more board members and/or managing director, if they do not meet the requirements as provided for in Article 52 (eligibility requirements), Article 52(a) (conflict of interest), Article 54 [also covered in Article107(c)] (violating the conditions of early intervention measures). Note that Article 110 (b) and 112 (f) provide the power to ban an individual from working at a bank or serving on a bank Board. 5. Submit to the Financial Supervisory Authority a plan for negotiations on debt restructuring with creditors. 6. Change the undertaking’s business strategy. 7. Restructure the undertaking. Further, Article 107 (c) provides for the ability to put in place interim management. Last, conditions precedent for the CBI to revoke a banking license are set out in Article 9. CBI/FSA has formed a working group to put in place a formal “escalation” procedure when a problem or issue arises. This procedure, when finalized, is expected to also cover all procedural mechanisms to deal with a crisis situation for a problem bank. This document is expected to be finalized in the coming months. Although certain procedures are covered in the CCQ Supervisory Handbook, assessors have indicated that this escalation of procedures to deal with problem banks should be finalized quickly to ensure that CBI/FSA staff know and understand the procedures and supervisory measures/tools that need to be undertaken quickly in a crisis situation. Assessors were informed regarding the use of supervisory measures in 2015 for a savings bank wherein various legislative tools were utilized. This is the only case available for assessors review since the crisis of Icelandic bank failures in 2009. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor applies sanctions not only to the bank but, when and if necessary, also to management and/or the Board, or individuals therein. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Administrative sanctions in the form of penalty payments can and has been issued against both individuals and legal entities. CBI/FSA has the power to remove a credit institution’s CEO or one or more of its board members if it is of the opinion that the credit institution has seriously violated against laws or administrative rules or if there has been a case of serious mismanagement, cf. Article107(d) of Act No. 161/2002. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor has the power to take corrective actions, including ring-fencing of the bank from the actions of parent companies, subsidiaries, parallel-owned banking structures and other related entities in matters that could impair the safety and soundness of the bank or the banking system. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Article10(a) of Act 161/2002 states that CBI/FSA has the power to restrict activities of a bank. CBI/FSA is further empowered to set conditions for the continued operations of individual operating units. CBI/FSA would utilize these powers to take corrective actions to limit of restrict actions between parents and other entitles within the groups when/if necessary (e.g., restrict the payment of management fees or dividends, payment of service fees, etc.). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor cooperates and collaborates with relevant authorities in deciding when and how to effect the orderly resolution of a problem bank situation (which could include closure, or assisting in restructuring, or merger with a stronger institution). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Recovery plans are assessed on a yearly basis. Recovery plans are suited to list appropriate measures for recovery based on strategic analysis of core business lines and critical functions. The assessment reviews these proposed measures in connection to the strategic analysis scenario analysis is conducted in the recovery plan. Recovery plans of systematically important credit institutions have been assessed by FME since 2017-2018 and discussed in detail with each institution. Further, in accordance with the Article4, Paragraph 2, of the Act on Resolution of Credit Institutions and Investment Firms, No. 70/2020 (Act No.70/2020 or the Resolution Act) and Rule No. 1733/2021, it is the decision of the FMEN if an institution is deemed to be failing or likely to fail (i.e., those that are unable to service their liabilities or are highly likely to be unable to do so) together with the Governor of CBI who takes the final decision on the resolution process itself. Resolution plans have been put in place by the Resolution Authority to cover the execution of bank resolution in the event that their financial position deteriorates to the point that they are deemed failing or likely to fail. Should a D-SIB fail, the resolution plan assumes that it will be possible to resolve it quickly and securely, and without funding from the Treasury or CBI. Resolution is intended to ensure that households and businesses continue to have unrestricted access to critical functions, thereby supporting financial stability in Iceland. CBI is empowered to pass necessary information on to other financial supervisors within the EEA as per Arts 109(u), 109 (v), 109(w), 109(x) and 10 (aa) of Act 161/2002. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Additional criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
AC1 |
Laws or regulations guard against the supervisor unduly delaying appropriate corrective actions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re AC1 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
AC2 |
When taking formal corrective action in relation to a bank, the supervisor informs the supervisor of non-bank related financial entities of its actions and, where appropriate, coordinates its actions with them. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re AC2 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 11 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
CBI/FSA has an appropriate range of supervisory measures to address, at an early stage, when a bank is not complying with laws, regulations, rules and/or guidelines. Assessors did note CBI/FSA’s tendency to make use of an assessment of additional capital (P2R) rather than make use of the other intervention tools/measures outlined in Article107(a) of Act No. 161/2002. CBI/FSA has established a working committee to develop and implement internal escalation procedures which help CBI to effectively operationalize such a plan when needed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 12 |
Consolidated Supervision An essential element of banking supervision is that the supervisor supervises the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide.59 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor understands the overall structure of the banking group and is familiar with all the material activities (including non-banking activities) conducted by entities in the wider group, both domestic and cross-border. The supervisor understands and assesses how group-wide risks are managed and takes action when risks arising from the banking group and other entities in the wider group, in particular contagion and reputation risks, may jeopardize the safety and soundness of the bank and the banking system. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
A legal framework is established to enable CBI to implement consolidated supervision of banking groups. Main legal provisions are laid out in Act No. 161/2002, notably Chapter XIII Section B articles 109 to 109(t) on supervision on a consolidated basis, covering a wide range of relevant issues, from consolidated prudential requirements to the conduct of consolidated supervision, including consolidated regulatory reporting, cooperation among authorities on cross-border banking groups, conditions for group financial support. In addition, CBI is empowered to address banking groups fragilities at consolidated level, by article 107(g) on early intervention on a consolidated basis. Among other legal provisions relevant to consolidated banking supervision included in Act No. 161/2002 are the following:
Act No. 61/2017 on supplementary supervision of financial conglomerates implemented EU directive No. 2002/87/EC (FICOD), as amended by EU directive No. 2011/89/EU, in Iceland . This Act provides CBI with additional responsibilities and tools to supervise financial conglomerates. While specific banking and insurance regulations are already applicable to the banking activities of financial conglomerates, this Act requires CBI to apply supplementary supervision to financial groups in order to reduce the risks inherent in their activities, and CBI is provided with powers to oversee the conglomerates’ parent entities, such as holding companies. There is only one financial conglomerate in Iceland, with no major bank involved. Supervision of banking groups is conducted both on a consolidated basis and on a standalone basis. CBI maintains oversight on the overall structure of a bank, both through prudential reporting checklists, and the bank’s consolidated financial statements and reports. Regulatory prudential reporting encompasses both the stand-alone and consolidated levels. CBI supervisors review prudential reporting and financial statements of banking groups on a quarterly basis and file their findings and concerns in checklists. SREP is implemented for banking groups on a consolidated basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor imposes prudential standards and collects and analyses financial and other information on a consolidated basis for the banking group, covering areas such as capital adequacy, liquidity, large exposures, exposures to related parties, lending limits and group structure. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Act No. 161/2002 lays down rules on prudential requirements applicable to banking groups on a consolidated basis. Chapter X sets prudential regulations of capital buffers. Rules on consolidated supervision of capital adequacy and liquidity are mainly found in EU CRR and CBI Rules No. 1520/2022 on liquidity requirements for banks which implements the EU liquidity regulation. Chapter XIII of Act No. 161/2002 has enacted provisions on measures to be taken if own funds are insufficient. In addition, Chapter XI states rules regarding annual accounts, auditing, and consolidated accounts. CBI also refers to EU CRR, Part 4, articles 387 to 403, on rules regarding large exposures. Consolidated capital requirements are defined in article 83(d): “Capital buffers for systemically important financial undertakings globally shall be maintained on a consolidated basis. CBI of Iceland may stipulate by regulations that other capital buffers be maintained on a consolidated, sub-consolidated or entity basis, as appropriate.” Article 109 is extending the scope of legal requirements to banking groups as a principle: “The provisions of Chapters VII, IX and IX A shall apply to groups where the parent company is a financial undertaking, mixed financial holding company or financial holding company. The parent company shall be responsible for implementation of this provision within the group.” CBI has legal power to impose prudential standards at the stand-alone and consolidated levels regarding capital adequacy, large exposures, exposures to related parties, lending limits, group structure, and liquidity. Consolidated supervision powers are enforced in prudential regulations by Act 161/2002, Article 109 (l), as well as in supervisory processes, such as regulatory reporting templates on a consolidated basis. Moreover, CBI imposes more stringent standards well above the minimum requirements, based on its own assessment, if needed. CBI has also issued the following rules on liquidity and funding: Rules No. 266/2017 on credit institutions’ liquidity ratios, and Rules No. 750/2021 on credit institutions’ minimum net stable funding ratios. CBI reviews reports from banks and their financial statements on a consolidated basis, and takes appropriate action, when necessary. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor reviews whether the oversight of a bank’s foreign operations by management (of the parent bank or head office and, where relevant, the holding company) is adequate having regard to their risk profile and systemic importance and there is no hindrance in host countries for the parent bank to have access to all the material information from their foreign branches and subsidiaries. The supervisor also determines that banks’ policies and processes require the local management of any crossborder operations to have the necessary expertise to manage those operations in a safe and sound manner, and in compliance with supervisory and regulatory requirements. The home supervisor takes into account the effectiveness of supervision conducted in the host countries in which its banks have material operations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Cross-border activities of banks and banking groups are regulated by Act No. 161/2002, notably Chapter V, supplemented by Chapter XIII Section B that includes many detailed articles (from 109 to 109(hh)) regarding consolidated supervision. CBI may demand any sort of documentation or information from subsidiaries or affiliates or from other parties regarded as having close connections with a regulated bank, which CBI regards as necessary for consolidated supervision. Regular supervision is conducted on a consolidated basis, including foreign operations. CBI implements oversight of the overall structure of a bank, based on banks’ prudential reporting, consolidated financial statements, and reports. The prudential reporting is structured on a consolidated as well as on a stand-alone basis. Management of group operations can be evaluated during on-site inspections. The SREP is conducted on a consolidated basis, resulting in evaluating the risk profile of each banking group, and key risks are rated. Part of the SREP focuses on corporate governance and risk management, covering both domestic and international activities. Icelandic systemically important banks have developed very few operations in foreign countries since the 2008-10 great financial crisis. One commercial bank has very recently developed its network abroad, with the acquisition of a UK subsidiary, which operations are still not material. CBI considers the effectiveness of supervision conducted in host countries in which banks have material operations. Should operations in foreign countries become material, CBI would step up supervisory work accordingly. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The home supervisor visits the foreign offices periodically, the location and frequency being determined by the risk profile and systemic importance of the foreign operation. The supervisor meets the host supervisors during these visits. The supervisor has a policy for assessing whether it needs to conduct on-site examinations of a bank’s foreign operations, or require additional reporting, and has the power and resources to take those steps as and when appropriate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
As a general principle, CBI has legal power for implementing supervision of foreign branches and subsidiaries of a banking group regulated in Iceland, according to Act No. 161/2002, article 107. In reality, given that Icelandic banks have currently no foreign establishments, except one subsidiary of a non-major bank in the UK, the existing legal framework on international cooperation aimed at enabling consolidated supervision by CBI has not been concretely implemented. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor reviews the main activities of parent companies, and of companies affiliated with the parent companies, that have a material impact on the safety and soundness of the bank and the banking group, and takes appropriate supervisory action. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
As already mentioned under CP5 EC4, CBI has legal power to identify the shareholding structure of regulated banks, including qualified holdings and ultimate beneficial ownership. Based on Act No. 161/2002, Article 107 (Para 2) and Article 49, CBI has legal power to oversee main shareholders of regulated banks, including parent companies, as well as sister companies (that is, subsidiaries of parent companies), in order to identify any risk issue that might impact regulated banks, coming from shareholders’ group structures that are not included in the scope of consolidated banking supervision. During the mission, CBI has mentioned that there has been no need to oversee any parent company so far, given the absence of non-financial holding companies among major banks’ shareholders. Therefore, there has been no case for which banking supervisors would have needed accessing to a parent company on-site, applying enforcement action over the parent company and/or its directors and managers, requiring financial reports of the parent company, restricting upstream dividends or transactions between the bank and its affiliates, or applying consolidation of any relevant entity, even if not directly controlled. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor limits the range of activities the consolidated group may conduct and the locations in which activities can be conducted (including the closing of foreign offices) if it determines that:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
CBI has legal power to limit the range of activities that banking groups may conduct, according to Act No. 161/2002, Chapter V Section B. CBI may prohibit activities of banks abroad. Powers of limitation of banks’ foreign activities are included in Act No. 161/2002. Article 9 lays down the grounds for revocation of an operating license, which may be decided in full or in part. Article 10(a) lays down rules regarding restrictions on banks’ activities, which may be decided if CBI sees specific reasons to do so. In addition, CBI is authorized to establish special conditions for the continued operations of individual establishments of a bank. Furthermore, CBI is permitted to temporarily restrict, in part or in full, operations that an undertaking is permitted to engage in, whether the undertaking is subject to an operating license or not. Before any revocation may be enacted by CBI, related banks must be allowed a suitable period to rectify the situation, if rectification is possible in the estimation of CBI. In practice, such power has not been used, because CBI did not need to use it. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
In addition to supervising on a consolidated basis, the responsible supervisor supervises individual banks in the group. The responsible supervisor supervises each bank on a stand-alone basis and understands its relationship with other members of the group.60 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
CBI implements banking supervision at stand-alone level and consolidated level through supervisory processes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 12 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
The legal framework is in place to ensure consolidated supervision of banking groups, which is implemented by CBI in supervisory processes. The existing legal framework enable CBI’s oversight of regulated banks’ main shareholders, including parent companies and sister companies (at least, risk-significant subsidiaries of parent companies), in order to identify and address any risk issue that might impact regulated banks, coming from shareholders’ group structures that are not included in the scope of consolidated banking supervision. In practice, the need of such extended CBI oversight on banks’ shareholders has not been identified yet. Effective CBI oversight of banks’ shareholdings on a regular basis, not only at the licensing stage or at the change of ownership stage, may be further developed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 13 |
Home-host Relationships Home and host supervisors of cross-border banking groups share information and cooperate for effective supervision of the group and group entities, and effective handling of crisis situations. Supervisors require the local operations of foreign banks to be conducted to the same standards as those required of domestic banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The home supervisor establishes bank-specific supervisory colleges for banking groups with material cross-border operations to enhance its effective oversight, taking into account the risk profile and systemic importance of the banking group and the corresponding needs of its supervisors. In its broadest sense, the host supervisor who has a relevant subsidiary or a significant branch in its jurisdiction and who, therefore, has a shared interest in the effective supervisory oversight of the banking group, is included in the college. The structure of the college reflects the nature of the banking group and the needs of its supervisors. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
CBI has legal power to establish supervisory colleges that would be needed for international cooperation aimed at ensuring consolidated supervision of banking groups, according to Act No. 161/2002, article 109(j) on supervisory colleges. In reality, since no Icelandic bank has any foreign branch or subsidiary, except one nonmajor bank’s subsidiary in the UK (Alternative Investment Fund Manager), there has been no concrete need for CBI to set up supervisory colleges. This UK subsidiary is nonmaterial for UK supervisory authorities, and bilateral cooperation may take place as needed based on the bilateral MoU. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
Home and host supervisors share appropriate information on a timely basis in line with their respective roles and responsibilities, both bilaterally and through colleges. This includes information both on the material risks and risk management practices of the banking group61 and on the supervisors’ assessments of the safety and soundness of the relevant entity under their jurisdiction. Informal or formal arrangements (such as memoranda of understanding) are in place to enable the exchange of confidential information. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
As mentioned in CP3 EC2, CBI has signed many bilateral and multilateral Memorandums of Understanding (MOUs), and CBI has legal power to share information and collaborate with foreign supervisory authorities, within and without the EEA. According to Act No. 87/1998, article 14, CBI may provide foreign regulatory authorities of other EEA member states with confidential information, if such information sharing is part of cooperation in the supervision of activities of regulated entities and is useful in permitting the conduct of the supervision prescribed by law. CBI may share confidential information with regulatory authorities of non-EEA countries, provided that obligations of confidentiality are observed. Existing MoUs include provisions concerning information sharing, on-site inspections, and protection of confidentiality. There are no branches of foreign banks operating in Iceland, and no supervised entity in Iceland has any branch in another country. Subsequently, CBI is not using any of the signed MoU’s for the purpose of prudential supervision of specific entities, except for the UK subsidiary of the non-major Icelandic bank (a recent acquisition). However, CBI mentioned that it used these MoU’s for getting information when assessing the qualified holders of supervised entities, years ago, and it faced no issues that impacted CBI assessment. CBI is a member of only one supervisory college relating to a payment institution (therefore, not a bank). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
Home and host supervisors coordinate and plan supervisory activities or undertake collaborative work if common areas of interest are identified in order to improve the effectiveness and efficiency of supervision of cross-border banking groups. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
As already mentioned, since no Icelandic bank has any foreign branch or subsidiary, except one non-material bank subsidiary in the UK, CBI has not started any work concerning coordinating or planning supervisory activities with other authorities acting as home or host supervisors. Only one European foreign investment firm has opened a branch in Iceland, using the EU/EEA passporting framework. CBI has received information concerning the branch from the home supervisor according to EU Directive 2014/65/EU. Supervision of this branch is performed by CBI according to Act No. 115/2021 on markets in financial instruments. CBI has faced no issues with cross-border information sharing on that case. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The home supervisor develops an agreed communication strategy with the relevant host supervisors. The scope and nature of the strategy reflects the risk profile and systemic importance of the cross-border operations of the bank or banking group. Home and host supervisors also agree on the communication of views and outcomes of joint activities and college meetings to banks, where appropriate, to ensure consistency of messages on group-wide issues. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
As already mentioned, since no Icelandic bank has any foreign branch or subsidiary, except one non-material bank subsidiary in the UK, CBI has not developed any communication strategy with other authorities acting as home or host supervisors. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities, develops a framework for cross-border crisis cooperation and coordination among the relevant home and host authorities. The relevant authorities share information on crisis preparations from an early stage in a way that does not materially compromise the prospect of a successful resolution and subject to the application of rules on confidentiality. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
As already mentioned, since no Icelandic bank has any foreign branch or subsidiary, except one non-material bank subsidiary in the UK, CBI has not developed any crossborder crisis cooperation and coordination that would involve relevant home and host authorities. Yet Iceland is part of the cooperation agreement on cross-border financial stability, crisis management, and resolution signed between relevant ministries, central banks and financial supervisory authorities of Iceland, Denmark, Finland, Norway, Sweden, Lithuania, Latvia, and Estonia. On a national basis, the Resolution Authority of CBI has made resolution plans for banks, according to Act No. 70/2020, article 9. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities and relevant host authorities, develops a group resolution plan. The relevant authorities share any information necessary for the development and maintenance of a credible resolution plan. Supervisors also alert and consult relevant authorities and supervisors (both home and host) promptly when taking any recovery and resolution measures. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
The resolution framework of a cross-border banking group is subject to legal provisions in Act No. 161/2002, Chapter XII, which addresses financial reorganization of a bank with head offices located in Iceland and a branch in another EEA state, as well as financial reorganization of a bank with its head office located abroad and a branch in Iceland. As mentioned under CP13 EC5, CBI has not developed any cross-border crisis cooperation and coordination that would involve relevant home and host authorities, because there has been no need to do so, given the inexistence of cross-border banking groups in both ways. Therefore, development of group resolution plans including cross-border arrangements has not been relevant so far. Yet the Resolution Authority of CBI has made resolution plans for domestic systemically important banks, according to Act No. 70/2020, article 9. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The host supervisor’s national laws or regulations require that the cross-border operations of foreign banks are subject to prudential, inspection and regulatory reporting requirements similar to those for domestic banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
The legal framework enforces the principle of a similar supervision of domestic banks and Icelandic branches and subsidiaries of EEA foreign banks. Yet this principle has not been implemented, because there has not been any branch of foreign banks in Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The home supervisor is given on-site access to local offices and subsidiaries of a banking group in order to facilitate their assessment of the group’s safety and soundness and compliance with customer due diligence requirements. The home supervisor informs host supervisors of intended visits to local offices and subsidiaries of banking groups. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
The legal framework enabling mutual on-site inspections exists, but it has not been implemented so far, because of the lack of cross-border entities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The host supervisor supervises booking offices in a manner consistent with internationally agreed standards. The supervisor does not permit shell banks or the continued operation of shell banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
The licensing regime prohibits shell banks from operating in Iceland. In that regard, when examining applications for a new banking license, CBI reviews the applicant bank’s operational structure. CBI has confirmed that there are no shell banks, nor any booking office of any bank located in Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC10 |
A supervisor that takes consequential action on the basis of information received from another supervisor consults with that supervisor, to the extent possible, before taking such action. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC10 |
The legal framework in place states that information received by CBI from foreign supervisors for banking supervision is protected as confidential. In the event that CBI would have to take action on the basis of such information, CBI would consult with foreign supervisors, as appropriate, before taking action. Yet such framework has not been concretely implemented so far, because of inexistence of cross-border entities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 13 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Home-host relationships don’t need to be much developed in Iceland because crossborder banking activities through branches and subsidiaries is limited in both ways. However, a dedicated legal and institutional framework is in place on home-host relationships, which is appropriate. Immateriality of cross-border banking entities has made the set-up of supervisory colleges, as well as the conduct of on-site inspections abroad, unnecessary so far. Crossborder cooperation for supervisory purpose is implemented on a case-by-case basis. CBI is well connected to other supervisory authorities with which it may be relevant to ensure effective relationships, especially among Nordic countries. No main finding has been identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Prudential Regulations and Requirements |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 14 |
Corporate Governance The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management,62 and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business. The supervisor provides guidance to banks and banking groups on expectations for sound corporate governance. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
The responsibilities of the BOD of a company are set out in Article68 of the Act respecting Public Limited Companies, No. 2/1995, (Act No. 2/1995) which state the BOD undertake the Company affairs and ensures the Company’s organization and activities are at all times in correct and in good order. The Company’s BOD and the Director undertake the administrative activities of the Company, where the Director is in charge of daily operations. Furthermore, the Company’s BOD shall ensure that the book-keeping and the handling of Company funds be sufficiently supervised. Iceland has implemented Article 88 of Directive 2013/36/EU into Arti 54 of Act 161/2002. It is stated that the board is responsible for the company’s operations and strategy, robust governance arrangements, which include a clear organisational structure with well-defined, transparent, and consistent lines of responsibility, risk strategy, adequate internal control mechanisms, including sound administration and accounting procedures. The board must oversee the process of disclosure and communications. CBI/FSA’s expectations and guidance on governance are set out in various guidelines and rules, including:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor regularly assesses a bank’s corporate governance policies and practices, and their implementation, and determines that the bank has robust corporate governance policies and processes commensurate with its risk profile and systemic importance. The supervisor requires banks and banking groups to correct deficiencies in a timely manner. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Part of CBI/FSA’s regular monitoring includes the financial supervisors’ identifying issues as early as possibly by monitoring changes or signs that could be indicators of weaknesses or threats to the institution’s governance and internal control framework. Regular monitoring consists of quarterly “status” assessments performed three times a year (i.e., quarterly - as the overall risk assessment is conducted in one of the quarters). The main objective is to have in place a documented summary of the status of the bank’s governance including an overview of incidents, indicators and cases that have occurred in the last week and months. However, the assessment may trigger further investigation or need for an on- or off-site inspection, based on the severity of the case. CBI internal methodology and guidance for supervisors is outlined in its Supervisory Handbook (CCQ) 01 entitled assessment of governance and internal control as well as the requirements for regular monitoring. CBI/FSA supervisors assess whether bank’s governance systems are in place and in line with supervisory expectations. Internal guidance is outlined in CBI/FSA’s Supervisory Handbook (CCQ) and includes the following subjects: 02 Overall internal governance framework (VIN-0042) 03 Composition, organization and functioning of the management body (VIN-0044) 04 Corporate risk and culture (VIN-0043) 05 Remuneration policies and practices 06 Internal control framework (VIN-0047) 07 Risk management framework, including ICAAP and ILAAP (VIN-0046) 08 Summary of findings and risk scores for the overall risk assessment of internal governance (VIN-0049) The annual SREP assessment for D-SIBs takes into account all on and off-site inspections, reviews of regular reporting (risk reports, internal audit and compliance reports, etc.), interviews with board members, managers and employees, and institution’s selfassessments. Deficiencies are communicated to the bank through different channels depending on the severity of the issue. Arti 107(a) of Act No. 161/2002 states that CBI/FSA may require a financial undertaking, which does not meet the provisions of Act No. 161/2002 and regulations and rules based thereof, to take corrective action in a timely manner. In order to ensure compliance, CBI may require:
In case of formal (administrative) decisions, CBI demands corrective actions to be implemented within a specific timeframe. Some weaknesses, i.e., strengthening risk culture, are long term projects. Then CBI requires a documented project plan for the implementation of improvements within in a certain time frame. In order to ensure compliance with the plan, CBI has meetings with senior management and if necessary, the BOD. CBI/FSA requires banks to make improvements and correct deficiencies through various channels - regular communication, formal meetings and with formal administrative actions (letters). Recent corrective measures include:
Assessors note that CBI/FSA’s SREP methodology pertaining to low and medium-low impact category classification, do not necessary require meetings/interviews with the CRO, CFO, IA, Board members, compliance officer or EA - only ’when necessary’. Further, meetings with the CEO are only required every 3 years. Although it is acknowledged that CBI/FSA financial supervisors are in contact with the bank throughout the year, and will take action if there are any indications of breaches/poor governance however this does not necessarily equate to having contact with the Board members and critical control functions. CBI/FSA does undertake fitness and propriety of board members upon appointment and financial supervisors review IA and EA reports as part of the regular monitoring. CBI/FSA during on-site inspections does have the opportunity to make contact with certain of these key individuals and that the last formal comprehensive assessment of governance for institutions classified as low/medium low risk was in 2016 with plans to make another similar assessment in 2023. Assessors recommend that CBI/FSA re-assess the frequency with which it makes contact with Board members for both the savings/commercial banks that are classified as low or medium low impact to ensure adequate coverage/oversight of corporate governance frameworks in these banks. According to the SREP framework, it is possible these key functions/Board members may never be interviewed. Although the size of the savings banks may be immaterial, the reputation risk to CBI/FSA of one of these institutions failing is high considering the general view of the importance of these banks in the Icelandic community. Moreover, CBI/FSA should ensure adequate oversight of the strength of these critical functions/board members for banks that operate cross border. Last, the corporate governance expert working within the Banking Department oversees the D-SIBs only and it would therefore be appropriate for similar coverage of the remaining banks, on a risk basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that governance structures and processes for nominating and appointing Board members are appropriate for the bank and across the banking group. Board membership includes experienced non-executive members, where appropriate. Commensurate with the risk profile and systemic importance, Board structures include audit, risk oversight and remuneration committees with experienced non-executive members. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Iceland has a two-tier system by law and at the shareholder’s meetings elects the members of the board which is a supervisory board. All members of the supervisory board are required to be non-executive directors (NED’s). Following the shareholder’s meeting and appointment of board members, the board convenes and elects’ members of the committees in line with legal and supervisory requirements. Appointment of new members is subject to approval of CBI/FSA. Please see below and EC 6 for the assessment of fitness and propriety of individual board members, which includes an assessment of whether the proposed non-executive member possess adequate experience for the position. Article88 of directive 2013/36/EU (CRD), the establishment of a nomination committee has not been required by law nor expected by the supervisor. However, in June 2022 requirements on the establishment, responsibilities and functioning of the nomination committee were incorporated in Act No. 161/2002 on financial undertakings (Article53) and will apply to D-SIBs from July 2023. Article53 includes an exemption clause, the requirement of a nomination committee does not apply if all board members are appointed by the Icelandic State Financial Investments (ISFI). Article78 of Act No. 161/2002 sets out detailed requirements of the establishment, responsibilities and functioning of the risk committee of the board. The risk committee consists of board members only and are all non-executive directors (paragraph 1). CBI/FSA has the authority to allow financial undertakings to combine the risk committee and audit committee (Article78, paragraph 4). CBI also has the authority to grant an exemption of the establishment of a risk committee (Article78 paragraph 5). CBI/FSA grants exemptions, as per paragraph 4 and 5 in relation to the undertaking’s size, nature, and complexity. Article108(a) in Act No. 3/2006 on Annual accounts sets out requirements of the establishment, responsibilities and functioning of the audit committee in public interest entities including banks. Article57(e) of Act No. 161/2002 sets out detailed requirements of the establishment, responsibilities and functioning of the remuneration committee for D-SIBs. It is stipulated that the committee should consist of at least three members of the board, including the chairman. CBI/FSA’s expectations and guidance for the establishment, responsibilities and functioning of the committees of the board are set out in the following guidelines:
BCI/FSA assesses the composition of the board in line with the bank’s strategy, risk profile and complexity by:
Assessors note that the EBA guidelines (Art. 76(3), sub-paragraph 4, of CRD IV) as well as Art. 78(4) of Act 161/2002 suggest that, based on nature, size, and complexity of the institutions, that the audit committee and the risk committee of the Board may be combined. Assessors recommend, in line with Basel standards, that if a supervisory authority requires an audit committee and risk committee, that the audit committee be kept distinct from other committees, such as the risk committee (BCBS Guideline on Corporate Governance Principles for Banks, July 2015, item 68 and 7163). It is recommended that different non-executives be appointed to the audit committee and the risk committee, as well as keeping these subjects/issues separate in order to assure the member who oversees the risk of the institution is not also approving/reviewing the audited financial statements of the institution. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty”.64 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC 4 |
The requirements of fitness and propriety are set out in Art. 52 of Act No. 161/2002 and in the EBA-ESMA/GL/2021/06 on the assessment of suitability. Following the initial appointment members of the board/CEO submit background information which CBI/FSA examines and verifies as well as evaluating their knowledge, skills and experience based on the submitted information. In the case of board members of D-SIBs and the CEO of the commercial bank designated as a financial conglomerate the knowledge will also be evaluated during an oral interview. For smaller institutions, individuals will only be evaluated with an oral interview if there are doubts about their knowledge. Review and assessment of self-assessments of the board and senior management are in line with Annex I - Joint EBA and ESMA GL on the assessment of suitability is part of regular monitoring and the annual SREP process. Article52, paragraph 2 of Act No. 161/2002 states that the main fit and proper criteria for the board members and the managing director is that they may not behave in any manner that would give cause to doubt their ability to be responsible for sound and prudent business operations or to abuse their position or harm the undertaking. Assessors recommend that going forward, CBI/FSA specifically assess Board members “duty of care” and “duty of loyalty” as defined in the footnote attached to EC4 of CP14 and with respect to Act No. 161/2002. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor determines that the bank’s Board approves and oversees implementation of the bank’s strategic direction, risk appetite65 and strategy, and related policies, establishes and communicates corporate culture and values (e.g., through a code of conduct), and establishes conflicts of interest policies and a strong control environment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
The board’s role and responsibilities are set out in Article54 of Act No. 161/2002. CBI/FSA regularly assesses, through its off-site and in on-site inspections, and as part of the annual assessment in line with requirements of the board’s responsibilities in (Article 54). Article 54 stipulates that the board of directors is also responsible for ensuring that corporate governance and internal organization promote the efficient and prudent management of the undertaking, and the separation of duties prevents conflicts of interest. These requirements are further stipulated in EBA/GL/2021/05 on internal governance, in Title II - Role and responsibility of the management body (Art. 22.l), Chapter IV Risk culture and business conduct and Chapter 11 Conflict of interest policy at institutional level and Chapter 12 Conflict of interest policy for staff. CBI/FSA’s objective is verifying the board is fulfilling it role and responsibilities in setting and overseeing the implementation of its policies through various on- and off-sites and regular interviews. Supervisors determine if and how the BODs are promoting a strong risk culture and awareness of risk (tone from the top) throughout the operations of the bank. The assessment of the board’s role and responsibilities includes reviewing meeting minutes, policies, governance statements, procedures, risk reports, results of internal audits and compliance reports. Further, CBI/FSA’s objective is to verify if the board discusses the institution’s risk appetite on regular basis and whether the board receives adequate and appropriate information on risk (risk reports) and whether sufficient time is allowed in board meetings to consider and discuss those risks. Supervisory Handbook in CCQ used by supervisors as part of this guidance: 03 Composition, organization and functioning of the management body; 04 Corporate and risk culture (VIN-0043) 07 Risk Management framework, including ICAAP and ILAAP (VIN-0046). The assessment includes the:
CBI/FSA has required bank’s boards to enhance their role in overseeing the implementation of its policies and to increase their focus and attention on a specific issue, for example during the ICAAP/ILAAP process, assessment of internal controls, recovery plans, and conflict of interest policies. CBI/FSA has also required banks boards to strengthen banks risk culture, emphasizing the importance of strong corporate and risk culture and “tone from the top” and how it should be visible not only in policies, codes of conduct and published material but also in the conduct of board, senior management and employees and all activities of the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor determines that the bank’s Board, except where required otherwise by laws or regulations, has established fit and proper standards in selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards established for them. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
CBI/FSA regularly assesses, as part of the SREP process “assessment of internal governance and institution-wide controls” and in line with requirements of the board’s responsibilities in (Article 54) which are further stipulated in EBA guidelines. The EBA/GL/2021/05 stipulates that internal governance should set out clear requirements of the supervisory role of the board. The EBA/GL/2021/06 stipulates the assessment of fitness and propriety. EBA-ESMA/GL/2021/06 sets out clear requirements on the responsibilities of the financial undertaking to assess the fitness and propriety of board, senior management, and other key functions holders. CBI/FSA determines the bank’s fit and proper procedures by undertaking the:
CBI/FSA has required a bank to review and update their policy and of assessment of senior management and key function holders. In that case the bank had only carried out the assessment at the time of the initial appointment and did not fulfil their role in continuously ensuring the fitness and propriety of senior management and key function holder. CBI has also required corrective measures where the board’s policy did not include heads of internal control functions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor determines that the bank’s Board actively oversees the design and operation of the bank’s and banking group’s compensation system, and that it has appropriate incentives, which are aligned with prudent risk taking. The compensation system, and related performance standards, are consistent with long-term objectives and financial soundness of the bank and is rectified if there are deficiencies. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Iceland has implemented Article94 of EU’s CRD V into Article57 B(1) of Act No. 161/2002, which obliges financial undertakings, including credit institutions, to ensure that variable remuneration (“bonuses”) fulfil a number of conditions, including but not limited to
CBI/FSA is of the view that a compensation system that fulfills the above-mentioned conditions is consistent with the long-term objective and financial soundness of banks. In recent years, CBI/FSA has imposed fines and undertaken other enforcement actions on financial undertakings, including but limited to banks, that have violated rules on variable remuneration. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor determines that the bank’s Board and senior management know and understand the bank’s and banking group’s operational structure and its risks, including those arising from the use of structures that impede transparency (e.g., special-purpose or related structures). The supervisor determines that risks are effectively managed and mitigated, where appropriate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
Following the initial appointment of members of the board and the CEO of D-SIBs and conglomerates, their knowledge of the bank and banking group operational structure and its risk, including those arising from the use of structures that impede transparency is evaluated. Regular interviews with the board and senior management have been part of regular monitoring since 2016 (CCQ CBI/FSA Supervisory handbook) and an important part of the annual SREP assessment. Topics vary and depend on activities, issues, and risks which the bank is faced with at the time. In recent years CBI has emphasized the importance of clear and transparent organisational, operational, and legal structures of the bank in line with the term “know your structure” in the EBA/GL/2021/05 on internal governance. As part of the annual assessment the composition, organisation and functioning of the board, its committees and management board, self-assessments of the board and senior management are reviewed, and the results are discussed with board and if relevant with management. Assessors noted that commercial banks in Iceland have very straight forward and transparent organizational structures. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The supervisor has the power to require changes in the composition of the bank’s Board if it believes that any individuals are not fulfilling their duties related to the satisfaction of these criteria. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
Article 10 paragraph 4 of Act No. 87/1998 states that if the board members or managing directors of regulated entities do not meet the eligibility requirements of the special laws that apply to the activities of regulated entities, the FSA may demand that the person resign, either temporarily or permanently. If the requirements of the FSA are not met within a reasonable time limit, the FSA can unilaterally dismiss the person. CBI/FSA has made use of this section of the legislation. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Additional Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
AC1 |
Laws, regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re AC1 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 14 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Assessors recommend that CBI/FSA re-assess the frequency with which it makes contact with Board members for both the savings/commercial banks that are classified as low or medium low impact to ensure adequate coverage/oversight of corporate governance frameworks in these banks. According to the SREP framework, it is possible these key functions/Board members may never be interviewed. Although the size of the savings banks may be immaterial, the reputation risk to CBI/FSA of one of these institutions failing is high considering the general view of the importance of these banks in the Icelandic community. Moreover, CBI/FSA should ensure adequate oversight of the strength of these critical functions/board members for banks that operate cross border. Last, the corporate governance expert working within the Banking Department oversees the D-SIBs only and it would therefore be appropriate for similar coverage of the remaining banks, on a risk basis. The work undertaken by the corporate governance expert is adequate with many touch points with senior management and boards. Further, CBI carries out fit and proper assessments when Board members are on-boarded. CBI/FSA do not specifically assess Board members “duty of care” and “duty of loyalty” as defined in the footnote attached to EC4 of CP14. Further, CBI permits audit committee and risk committee to combine, whereas Basel indicates these two committees should be distinct., as keeping these subjects/issues separate in order to assure the member who oversees the risk of the institution is not also approving/reviewing the audited financial statements of the institution. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 15 |
Risk Management Process The supervisor determines that banks66 have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate67 all material risks on a timely basis and to assess the adequacy of their capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank.68 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor determines that banks have appropriate risk management strategies that have been approved by the banks’ Boards and that the Boards set a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. The supervisor also determines that the Board ensures that:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Article 77 of Act 161 states that a financial undertaking must always have in place a secure risk management system for all its activities. Furthermore, the financial undertakings shall have in place adequate and documented internal processes to assess the necessary size, composition, and internal distribution of the capital base considering the risks entailed by the business activity at any time. Further Article 78 of Act 161 states that financial undertaking shall have a risk committee and indicates how they should manage the risks in its activities. Financial undertakings shall always have in place a sound and comprehensive risk management system covering every aspect of their activities. (a) a sound risk management culture is established throughout the bank Since 2016, CBI has documented its assessment of bank’s risk culture and continuously puts emphasis on boards to enhance their role in risk culture. Risk culture is a consistant topic in all interviews with board’s, senior management, heads of internal control functions and yhe external auditor. CBI has formally required D-SIBs to strengthen their risk culture and required the BOD and senior management to enhance their role in setting and communicating the bank’s values and expectations. The corrective measures have included putting forward a detailed plan, with time limits, on how the bank intends to strengthen their risk culture. Follow ups have included formal meetings with the board, senior management and project team. Supervisors determine if and how the BOD and senior management are promoting a strong risk culture and awareness of risk (tone from the top) throughout the operations of the bank. Supervisors determine if attitudes, behaviors and decisions in daily operations are in line with the bank’s values, risk appetite and internal rules. The assessment includes reviewing meeting minutes, policies, procedures, risk reports, results of internal audits and compliance reports. CBI’s Supervisory Handbook (CCQ) includes guideance on the review of corporate and risk culture (VIN-0043) and risk management framework, including ICAAP and ILAAP (VIN-0046).
Part of CBI/FSA’s annual assessment of D-SIB’s SREP process pertaining to internal governance and institution-wide controls, financial supervisors require banks to submit policies and processes regarding risk appetite, strategy risk taking and risk management. For example, for one D-SIB, an assessment was done on the bank’s overall strategy, organization, and policies. The handbook includes all policies, rules and charters approved by the BOD in effect at the date of publication. The objective of the handbook is to maintain in one place the relevant documents to provide a holistic view of the Bank’s policies and corporate governance. Further, there is a requirement that the risk management and risk appetite metrics are outlined to the Board, and executive management in the monthly Risk Report. The report shall include information about any temporary deviations from the risk appetite or risk limits which occurred during reporting period. CBI/FSA also monitors KRIs with respect to risk limits and prudential requirements. Further, CBI/FSA’s assessment of BMA as part of SREP and in reviewing for example the risk indicators in the Recovery Plan. Governance assessment also include annual interviews with IA. Assessors noted that CBI/FSA’s on-site inspection program does not include a review of whether bank’s risk management policies and procedures are being adhered to in practice, looking at both bank’s individual business lines and business units. Some aspects of this determination are looked at during thematic on-site reviews, but are limited to the type of credit expsoures of focus for such review. This is a key component of the supervisor’s determination regarding the quality and effectiveness of bank’s risk management practices, and especially critical for the D-SIBs. (c) uncertainties attached to risk measurement are recognized; No comments were provided in this regard. Assessors recommend that CBI/FSA determine if bank’s recognize any uncertainties with respect to the risk measurement practices.
CBI/FSA regularly reviews D-SIBs’ monthly risk report which displays an aggregate view of whether the bank is operating within risk limits. In all the banks are risk dashboard and risk reports. That being said, Assessors noted that supervisors do not necessarily challenge banks, especially the D-SIBs, with respect to whether appropriate limits are in place commensurate with bank’s risk appetite and risk profile. CBI/FSA does challenge the adequacy of bank’s capital strength through the SREP ICAAP process.
Banks are required to monitor and control all material risks consistent with the Board approved strategies and risk appeitite. Although CBI/FSA supervisors reviews certain aspects of bank’s reporting against limits established in the various risk areas, including reviewing the monthly risk report submitted to the FSA, as well as the review off-site of risk appetite, assessors recommend that CBI/FSA develop an approach that will provide a deeper analysis of whether appropriate limits have been established by banks in line with the bank’s risk appetite, risk profile, capital strength. The analysis would be key for the supervisors to utilize as part of the discussion with Board and Senior Management if/when there is a need to challenge the bank regarding higher risk or inappropriate thresholds. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor requires banks to have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. The supervisor determines that these processes are adequate:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Several references in legislation/regulation refer to the responsibility of banks’ Boards to implement adequate risk management practices and internal controls. References include:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that risk management strategies, policies, processes and limits are:
The supervisor determines that exceptions to established policies, processes and limits receive the prompt attention of, and authorization by, the appropriate level of management and the bank’s Board where necessary. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI/FSA reviews D-SIB’s risk management policies and procedures taking into consideration whether the policies are properly documented, regularly reviewed and adjusted according to changes in the risk appetite and communicated within the bank as part of its on-site inspections and only within the subject area within scope of the inspection. For example, one on-site inspection at a D-SIB carried out in July 2021, which examined the risk management structure, roles, responsibilities and scope of risk management related to credit risk and the role of the board and the risk committee in managing it. CBI also looked at the bank’s risk culture and whether it is conductive to making well-informed and professional decisions. CBI/FSA financial supervisors, in their off-site inspections, have also conducted similar reviews as mentioned in the previous paragraph. For example, CBI/FSA’s Supervisory Handbook requires financial supervisors to assess bank’s risk management framework as it pertains to ICAAP/ILAAP (CCQ VIN-0046). Assessors recommend that CBI/FSA re-assess its overall approach to its assessment of bank’s risk management policies, procedures and practices (See EC1 for more detail regarding the Assessors’ views), and whether practices associated with exceptions to policies have adequate policies and limits in place (senior management/board sign off for established thresholds). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that the bank’s Board and senior management obtain sufficient information on, and understand the nature and level of risk being taken by the bank and how this risk relates to adequate levels of capital and liquidity. The supervisor also determines that the Board and senior management regularly review and understand the implications and limitations (including the risk measurement uncertainties) of the risk management information that they receive. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Article 80 (paragraph 1) of Act No. 161/2002 stipulates that bank’s BOD are required to approve and provide an ICAAP/ILAAP report to CBI/FSA. In practice this is on an annual basis for D-SIBs and less frequently for lower and medium impact banks. The bank’s recovery plan also addresses the comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control. The bank’s recovery plan is reviewed every year. As part of its SREP process, CBI/FSA financial supervisors and risk specialists are provided with in-depth analysis, stress testing of the material risk areas of the D-SIBs and how these risks relate to the bank from a capital and liquidity. CBI/FSA is able to examine the adequacy of senior management’s view of the risk profile of the bank, challenge bank’s assumptions, and assess capital and liquidity requirements according to prudential requirements as part of the ICAAP/ILAAP review process. Limitations with respect to D-SIB’s use of risk measurement techniques/models in comparison to CBI/FSA’s benchmarks (e.g., benchmarks utilized by CBI/FSA and provided in the relevant annexes to the SREP Methodology document as posted on CBI’s website) are discussed on an indepth basis but generally conducted “off-site”. The results of these assessments, specifically differences in opinion on CBI;s benchmarks, are discussed with D-SIB risk specialists and senior management as well as comments obtained in writing from banks are considered by CBI/FSA as part of the ICAAP/ILAAP process. However, CBI/FSA on-site inspections do not necessarily include a deep examination of whether Senior Management and/or the Board representatives know and understand the limitations of the risk management information that they receive (including risk measurement uncertainties). Senior management and board members are required to review and understand liquidity risks of the banks. For example, according to Principle 3 of Guidelines No. 2/2010 on best practice on liquidity management for financial undertakings, the senior management should develop a strategy, policies, and practices to manage the liquidity risk in accordance with the risk tolerance and to ensure that the financial undertaking maintains sufficient liquidity. The senior management should also continuously review information on bank’s liquidity developments and review reports to the board of directors on a regular basis. A financial undertaking’s board of directors should review, understand and approve the strategy, policies, and practices for management of the liquidity, at least annually, and ensure that senior management manages the liquidity risk effectively. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor determines that banks have an appropriate internal process for assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile. The supervisor reviews and evaluates banks’ internal capital and liquidity adequacy assessments and strategies. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
In general, overall capital and liquidity adequacy is estimated in accordance with the capital requirements regulation No. 575/2013 on prudential requirements for credit institutions and investment firms Implemented in Icelandic law and rules of CBIs No. 266/2017 liquidity ratio of credit undertakings. CBI/FSA’s SREP process dictates an in-depth assessment of D-SIB’s ICAAP/ILAAP on an annual basis. This entails an assessment of the ICAAP (meetings on each risk area, discussion and assessment of Pillar 2 requirements, results in letters to the bank and CBI posting the results of overall capital requirements for the D-SIBs on its website). For low or medium impact banks, ICAAPs are required to be filled annually but CBI carries out its assessment every two years (with the result of a Pillar 2 assessment at that time). Throughout COVID, banks with a lower impact rating, ICAAPs were not reviewed/Pillar 2 assessment not changed - but this is in line with how other jurisdictions dealt with the P2R process during the pandemic. The FSA’s assessment of an institution’s liquidity and funding needs, outlined in the ILAAP, is an integral part of the SREP (pursuant to Article 79 (para 2) and Article 81 (para 2) of Act no. 161/2002 and FSA’s Guidelines No. 2/2010 on best practice of liquidity management). The assessment is based on three factors including an assessment of: liquidity and funding risk management; inherent liquidity risk; and inherent funding risk (pursuant to Article 78(h) and 83 of Act no.161/2002). The outcome of the assessment may lead to CBI/FSA to require specific liquidity requirements and requests for improved management and control of the risks in question. The outcome may also lead to requirements that the institution extend maturities, acquire additional own funds, reduce off-balance-sheet exposures, and so forth. CBI/FSA’s Supervisory Handbook (CCQ VER-0002) provides guidance to financial supervisors on what assessment criteria to utilize as part of the assessment. FSU also assists with the assessment of D-SIB’s ILAAP. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
Where banks use models to measure components of risk, the supervisor determines that:
The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
(a) All the Icelandic banks use the Standardized Approach for assessing their regulatory capital (Pillar I). In the banks ICAAP assessment for additional capital requirement (Pillar II) they use internal models that are not approved by CBI/FSA. Models developed by risk management are widely used throughout the D-SIBs such as PD models and LGD models. The Banks uses its internal PD, LGD and macro-economic models and its IFRS 9 framework to translate the scenarios to PD, LGD and losses and write-offs. CBI/FSA financial supervisors have not finished reviewing these models, but CBI/FSA supervisory benchmarks are often used in assessment of pillar II requirements. b) Although model risk is one of the risks discussed in ICAAP reports of the banks and the report is approved by the D-SIB bank BOD, it is difficult for CBI/FSA financial supervisors to assert that the D-SIB boards and senior management, other than the risk management representatives, know and understand the limitations of these models. In CBI/FSA’s SREP process in the previous few years, as D-SIBs have been focusing on developing and calibrating these models, CBI/FSA has been making an effort to assesses whether the model outputs appear reasonable as a reflection of the risks assumed in the SREP process. c) Banks perform regular and independent validation and testing of the models. Assessors note that CBI/FSA does not necessarily undertake a deep assessment of banks’ risk management processes around the use of models, including whether banks perform regular and independent validation and testing of such models. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor determines that banks have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products and counterparties. The supervisor also determines that these reports reflect the bank’s risk profile and capital, and liquidity needs and are provided on a timely basis to the bank’s Board and senior management in a form suitable for their use. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Banks are required to comply with Guideline EBA on ICT and security risk management EBA/GL/2019/04. In general CBI/FSA assesses bank’s strength of reporting through an assessment of the data and reporting provided to D-SIB BOD and to CBI as part of the off-site monthly monitoring process (e.g., risk reports provided by the D-SIBs to CBI). CBI/FSA indicated that an assessment of the D-SIBs IT systems has not been undertaken with respect to the adequacy of information for the measurement, assessment and reporting of bank’s size, composition, and quality of risk exposures on both a bank wide basis and across all risk types, products, and counterparties. As a result, CBI/FSA is not in a position to challenge the quality of banks risk management reporting from IT systems (off-site) regarding information received by the senior management/BOD. Assessors do acknowledge that when CBI/FSA does carry out an on-site inspection, supervisors do an examination of the quality of the data pertaining to the subject matter under review (e.g., large exposures, etc). If CBI becomes aware of insufficient documentation to senior management/BOD and/or insufficient submission of material to CBI, either as part of an on- and off-site inspection, it requests corrective actions. Assessors recommend that CBI/FSA carry out on-site inspections (especially for D-SIBs) with respect to the strength of bank’s risk management information systems, in order to ensure these systems are accurately measuring, assessing, and reporting exposures across all applicable risk areas and that senior management and the BOD are receiving adequate risk management information. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor determines that banks have adequate policies and processes to ensure that the banks’ Boards and senior management understand the risks inherent in new products,69 material modifications to existing products, and major management initiatives (such as changes in systems, processes, business model and major acquisitions). The supervisor determines that the Boards and senior management are able to monitor and manage these risks on an ongoing basis. The supervisor also determines that the bank’s policies and processes require the undertaking of any major activities of this nature to be approved by their Board or a specific committee of the Board. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
EBA Guidelines on product oversight and governance arrangements (POG) for retail banking product, EBA GL 2015/18, banks are required to have an approval process in place for new products and material modifications to existing products. The risk management department of a financial undertaking should analyze and control the risk inherent in new products and exceptional transactions. The financial undertakings should ensure that product oversight and governance arrangements are an integral part of its governance, risk management and internal control framework as referred to in EBA Guidelines on internal governance under Directive 2013/36/EU, EBA/GL/2021/05, where applicable. D-SIBs have developed processes for launching new products. As part of CBI/FSA’s SREP process is to review banks’ business plans annually and comments on the banks’ processes when appropriate. Further, on occasion, an on-site inspection is carried out to assess bank’s processes on new products, of which assessors reviewed one example. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The supervisor determines that banks have risk management functions covering all material risks with sufficient resources, independence, authority and access to the banks’ Boards to perform their duties effectively. The supervisor determines that their duties are clearly segregated from risk-taking functions in the bank and that they report on risk exposures directly to the Board and senior management. The supervisor also determines that the risk management function is subject to regular review by the internal audit function. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
Article 77 of Act No. 161/2002 requires banks to have at all times secure risk management systems in place for all activities and regularly assess internal processes for measuring and controlling all types of risks with regard to the nature, scope, and diversity of operations. CBI/FSA has issued Guidelines EBA 05/2021 on internal governance under Directive 2013/36/EU where requirements regarding segregation of functions within the bank are outlined and required. CBI/FSA requires banks’ risks control functions and risk-taking functions to be clearly segregated. In some instances, on-site inspections have resulted in CBI requiring stricter segregation of risk control and of risk-taking functions. Further, an inspection at one of the D-SIBs was completed in July 2021 which examined the bank’s risk management structure, roles, responsibilities and scope of risk management related to credit risk and the role of the board and the risk committee in managing it. CBI/FSA also looked at the bank’s risk culture and whether it was conducive to making well-informed and professional decisions. Assessors are of the view that this type of inspection should be carried out on all D-SIBs, during the risk based supervisory cycle. Throughout the SREP process, and at least annually, CBI/FSA receives and analyzes offsite, detailed information on the D-SIBs risk management and corporate governance, such as the role and tasks of the risk management and risk management committees. In addition, the IA functions of banks undertake reviews regarding bank’s risk management divisions. CBI assesses the frequency of IA bank reviews in general and receives an annual report of all IA reviews undertaken and if relevant, CBI/FSA will request/review a copy of such report. Although certain aspects of bank’s risk management functions are assessed by CBI/FSA corporate governance expert and financial supervisors in its off-site capacity, and certain aspects of bank’s risk management practices have been reviewed by on-site examiners (e.g. only one D-SIB, which included the review of 1st and 2nd line of defense, etc.), assessors recommend that CBI/FSA re-assess its approach to assessing the adequacy of bank’s risk management function to assess whether these functions are adequately staffed, have required independence, direct access to the BOD, duties are clearly segregated (an assessment of each D-SIB). Assessors are of the view that CBI/FSA should undertake a more comprehensive and frequent review of the bank’s risk management function (as outlined earlier) to ensure bank’s risk management functions are covering all material risks with sufficient resources, independence, authority and access to the banks’ BODs and that IA is “required” to regularly review the risk management function. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC10 |
The supervisor requires larger and more complex banks to have a dedicated risk management unit overseen by a Chief Risk Officer (CRO) or equivalent function. If the CRO of a bank is removed from his/her position for any reason, this should be done with the prior approval of the Board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC10 |
Article 77 (g) of Act No. 161/2002 requires that the head of risk management will neither be dismissed, nor be transferred to work except with the approval of the board. CBI is notified if the CRO is removed from his/her position and calls the person for an interview to further discuss the reasons for the removal. Article 77 (b) of the same Act states that if the head of risk management terminates employment, it shall be notified to the FSA. The head of risk management will not be dismissed or transferred without the approval of the board. There is no requirement in the legislation or procedures that the dismissal of the CRO be disclosed publicly. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC11 |
The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book and operational risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC11 |
See CP1 EC 4, as well the discussion in each of the CPs pertaining to a) CBI/FSA’s adoption of the EU regulations, directives, guidelines into Icelandic law and b) the need for additional standards to be implemented related to certain of these risk areas (e.g., credit risk and operational risk). Although certain national standards currently exist, they do not necessarily address the updated EU requirements. A list of CBI guidelines are as follows:
Part of CBI/FSA’s SREP process is to evaluate the banks’ risk assessment and practices. In each on-site inspection, CBI assesses the banks’ practices where appropriate if deemed part of the thematic review. For example, in recent years CBI has reviewed the banks’ liquidity contingency plans, assessed the loan valuation processes for certain products (albeit very small sample), the quality of the risk reporting, and the certain aspects of the processes of operational risk assessment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC12 |
The supervisor requires banks to have appropriate contingency arrangements, as an integral part of their risk management process, to address risks that may materialize and actions to be taken in stress conditions (including those that will pose a serious risk to their viability). If warranted by its risk profile and systemic importance, the contingency arrangements include robust and credible recovery plans that take into account the specific circumstances of the bank. The supervisor, working with resolution authorities as appropriate, assesses the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC12 |
Article 88 of Act No. 161/2002 sets out requirements for Recovery Plans and Article78(g) requires banks to have, and annually test, Business Continuity Plans (BCP) in place. CBI/FSA reviews the BCPs of D-SIBs annually and will make comments/suggestions for improvements when needed. Further, CBI/FSA Rule No. 266/2017 Article 5 on the liquidity ratio of credit institutions also have requirements for banks regarding contingency arrangements should the credit institution’s liquidity ratio falls below the minimum requirements. Further CBI Guidelines No. 2/2010 on liquidity risk stipulate requirements concerning BCP should liquidity issues arise. D-SIBs first submitted recovery plans to CBI/FSA in December 2018, further to Directive 2014/59/EU) entitled The Bank Recovery and Resolution Directive (BRRD) which was enacted in Iceland on 6 June 2018 (Act No. 54/2018, amended Act No. 161/2002 accordingly). The BRRD is designed to provide authorities with a set of tools to intervene sufficiently early and quickly in an unsound or failing relevant entity and provide measures to be taken by the Bank for the Group to restore its financial position following a significant deterioration of its financial situation. Other applicable laws and regulations regarding Recovery plans for banks:
The Recovery plans of the D-SIBs, approved by bank BOD, have been reviewed four times 2018, 2019, 2020 and 2021. CBI/FSA has noted bank’s improvement in the quality of plans since 2018. Along with the Recovery Plan, the Bank’s Contingency Plans for Liquidity Shortage is integrated into the Bank’s BCP, as well as other contingency plans (such as IT Incident response plan and IT Cyber-attack response plan). Part of CBI/FSA’s SREP process is evaluating the strength of banks’ contingency arrangement, both regarding capital and liquidity position. The financial supervisors assess the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified. Assessors reviewed one such example as part of the BCP assessment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC13 |
The supervisor requires banks to have forward-looking stress testing programs, commensurate with their risk profile and systemic importance, as an integral part of their risk management process. The supervisor regularly assesses a bank’s stress testing program and determines that it captures material sources of risk and adopts plausible adverse scenarios. The supervisor also determines that the bank integrates the results into its decision-making, risk management processes (including contingency arrangements) and the assessment of its capital and liquidity levels. Where appropriate, the scope of the supervisor’s assessment includes the extent to which the stress testing programme:
The supervisor requires corrective action if material deficiencies are identified in a bank’s stress testing program or if the results of stress tests are not adequately taken into consideration in the bank’s decision-making process |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC13 |
Article 77 of Act No. 161/2002 requires banks to perform stress tests regularly, both for capital and liquidity positions. These stress tests form part of the banks’ risk management process and includes risk identification, on a bank-wide basis, including a system-wide interaction between the risks. Further, guidelines regarding supervisory review of stress testing include:
CBI/FSA’s annual SREP process for D-SIBs includes an evaluation of banks’ stress testing programs which includes a deep assessment of bank’s ICAAP and ILAAP. Further, bank’s stress testing assumptions embedded in the recovery plans are also assessed once a year. Financial supervisors regularly push back on bank’s assumptions/scenarios regarding ICAAP and ILAAP stress testing, wherein CBI/FSA may require bank’s Pillar 2 capital assessment to be modified as a result of such assessment (e.g., Pillar 2 capital increased in the form of a corrective measure). ICAAP and ILAAP are approved by the Board and key senior management are involved with the creation of these assessments. CBI/FSA comments on any aspect of the financial position of a D-SIB, or its operations in other respects, which it considers unsound and inconsistent with normal business practices and may also require corrective action within a reasonable time limit. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC14 |
The supervisor assesses whether banks appropriately account for risks (including liquidity impacts) in their internal pricing, performance measurement and new product approval process for all significant business activities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC14 |
CBI/FSA has not published any rules or guidelines specifying requirements regarding internal pricing and performance measurement. Guideline EBA on ICT and security risk management EBA/GL/2019/4 and Guideline EBA on product oversight and governance arrangements for retail banking products EBA/GL/2015/18 does specify requirements on new product approval process. To date, CBI/FSA has not assessed banks internal pricing processes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Additional Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
AC1 |
The supervisor requires banks to have appropriate policies and processes for assessing other material risks not directly addressed in the subsequent Principles, such as reputational and strategic risks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re AC1 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 15 |
Materially Non-Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Although CBI/FSA supervisors review certain aspects of bank’s reporting against limits established in the various risk areas, including reviewing the monthly risk report submitted to the FSA, as well as the review off-site of risk appetite, assessors recommend that CBI/FSA develop an approach that will provide a deeper analysis of whether appropriate limits have been established by banks in line with the bank’s risk appetite, risk profile, capital strength. Assessors noted that CBI/FSA’s on-site inspection program does not include a review of whether bank’s risk management policies and procedures are being adhered to in practice, looking at both bank’s individual business lines and business units. Some aspects of this determination are looked at during thematic on-site reviews, but are limited to the type of credit exposures of focus for such review. This is a key component of the supervisor’s determination regarding the quality and effectiveness of bank’s risk management practices, and especially critical for the D-SIBs. Assessors therefore recommend that CBI/FSA re-assess its overall approach to its assessment of bank’s risk management policies, procedures and practices. Further, Assessors recommend that CBI/FSA determine if risk management practices associated with exceptions to policies have adequate policies and limits in place (senior management/board sign off for established thresholds). CBI/FSA indicated that an assessment of the D-SIBs IT systems has not been undertaken with respect to the adequacy of information for the measurement, assessment and reporting of bank’s size, composition, and quality of risk exposures on both a bank wide basis and across all risk types, products, and counterparties. As a result, CBI/FSA is not in a position to challenge the quality of banks risk management reporting from IT systems (off-site only) regarding information received by the senior management/BOD. Assessors therefore recommend that CBI/FSA carry out on-site inspections with respect to the strength of bank’s risk management information systems, to ensure these systems are accurately measuring, assessing and reporting exposures across all applicable risk areas, especially for the D-SIBs. Further, Assessors note that CBI/FSA does not necessarily undertake a deep assessment of banks’ risk management processes around the use of models, including whether banks perform regular and independent validation and testing of such models. Although certain aspects of bank’s risk management functions are assessed by CBI/FSA corporate governance expert and financial supervisors in its off-site capacity, and certain aspects of bank’s risk management practices have been reviewed by on-site examiners (e.g., one D-SIB, review of 1st and 2nd line of defense, etc.). Assessors are of the view that CBI/FSA should undertake a more comprehensive and frequent review of the bank’s risk management function to ensure bank’s risk management functions are covering all material risks with sufficient resources, independence, authority and access to the banks’ BODs and that IA is “required” to regularly review the risk management function. This type of review should be covered for all D-SIBs at a minimum (not just one D-SIB). In addition, CBI/FSA should include a review of banks internal pricing processes, as part of its risk based supervisory cycle. In addition, Assessors noted that CBI/FSA on-site inspections do not necessarily include a deep examination of whether Senior Management and/or the Board representatives know and understand the limitations of the risk management information that they receive (including risk measurement uncertainties). Although banks are required to notify CBI/FSA of the dismissal of the CRO, there is no requirement in the legislation or procedures that the dismissal of the CRO be disclosed publicly. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 16 |
Capital Adequacy70 The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC 1 |
Laws, regulations or the supervisor require banks to calculate and consistently observe prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action. Laws, regulations or the supervisor define the qualifying components of capital, ensuring that emphasis is given to those elements of capital permanently available to absorb losses on a going concern basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
The CBI/FSA’s prudential requirements for capital adequacy applicable to banks, both on a stand-alone and consolidated basis are aligned with the EU framework. Although the CBI/FSA is of view that it has adopted Basel III capital adequacy requirements, with the transposition of the EU framework into Iceland’s banking legislation, however, there exists some deviations from the Basel standards. The EU rules (Capital Requirement Regulation (CRR)/Capital Requirements Directive (CRD)) are applicable to all credit institutions, regardless of size or systemic importance or whether the jurisdiction has internationally active banks. Please see below an overview of Iceland’s capital adequacy requirements for credit institutions, with reference to the BIS BCBS’s RCAP assessment (which outlined the deviations between the EU rules and the Basel standards regarding capital adequacy), an update to the EU rules (CRR II/CRD V) applicable to Iceland, as well as assessor’s views on the materiality of these deviations/gaps with respect to the specific jurisdiction of Iceland. The CBI/FSA capital rules are outlined in Act No. 161/2002 (Article 1(c), 117 to 117(b) and Chapter X on capital buffers (Articles 83 to 86(c)) (further detail/discussion outlined below). The CBI/FSA formally adopted the EU framework into its legislation in 2016 based on EU Directive (CRD IV) No. 2013/36/EU; EU regulation (CRR) No. 575/2013 is directly applicable and binding in its entirety (contains Pillar 1 and Pillar 3 requirements). However, in H2 2022 (two months prior to the BCP on-site assessment), amendments71 72 to EU regulation No. 575/2013 (CRR II directly applicable) and EU Directive (No. 2013/36/EU) (CRD V73) were transposed into Act No. 161/2002. The EU rules, together with binding Level 2 EBA guidelines (Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) adopted by delegated acts) and Level 3 EBA guidelines which provide guidance and recommendations on how to comply to EU requirements (compliance/intention to comply with Level 3 guidelines is tracked by the EBA). The adoption of the CBI/FSA Rules in 2016 and updated in 2022 harmonized the Icelandic regulatory framework with the current EU capital framework as provided for in the Commission Delegated Regulation (EU) 2015/61. The regulatory framework in the EU pertaining to capital adequacy, which was adopted by Iceland into its legislative framework (as stated above), is not fully compliant with Basel III standards. The EU’s capital framework was subject to a BCBS Regulatory Consistency Assessment Programme (RCAP) regarding the compliance with Basel III capital adequacy standards in 2014.74 The EU framework was found to be overall materially non-compliant.75 One of the main areas of difficulty cited in the RCAP was the IRB approach for credit risk. It is noted that the recent changes and implementation of CRR II and CRD V for the EU framework have not been subject to an updated RCAP, neither has the EU provided an updated selfassessment to previously noted deviations of the Basel capital regulations that would provide a sufficient reference on the materiality of remaining deviations. In general, CBI adheres to the CRR (definition of capital, eligible components of capital -Pillar 1 and Pillar 3 capital requirements of banks). Further, CRD application of Pillar 2 requirements assessed through the CBI/FSA’s SREP process (risks not captured by Pillar 1) is considered by assessors as adequate and consistently utilized by the supervisor (updated annually for D-SIBs). In addition, Icelandic capital buffer requirements for D-SIBs are considered strong given the nature, size and complexity of Icelandic D-SIBs that are not internationally active) resulting in very high levels of Tier 1 and total capital. Further, Iceland has not made use of any of the national discretions available. Finally, Icelandic banks follow the standardized approach for credit, market and operational risk. Although the application of the IRB approach for credit risk (as stated above as one of the most egregious deviations from Basel standards according to the 2014 RCAP) is not applicable/utilized at this time for its three D-SIBs, this issue could prove material in the future. Assessors, however, are of the view that this is not considered a material or relevant deviation from the Basel standards at this point in time for Iceland. Overview of CBI/FSA’s capital requirements: 1°/ Minimum capital for Iceland Rules on minimum capital applicable to banks are set by Act No. 161/2002 at the equivalent amount of EUR 5 million (1 million for smallest savings banks), as mentioned under CP5 EC6. 2°/ Definition of capital (own funds), and elements of capital The CRR establishes the following minimum capital requirements thresholds: Common Equity Tier 1 (CET1) capital 4.5 percent, Tier 1 capital (including additional Tier 1) 6 percent, and total capital (including Tier 2 capital) 8 percent. Part Two of the CRR defines the components of capital following the Basel-based capital tier structure, which reflects varying degrees of loss absorption capacity, and the deduction requirements. It includes CET1 and AT1 in Tier 1 which are loss absorbing on a going concern basis, and Tier 2 which is a gone-concern capital. Same deductions from Tier 1 and Tier 2 apply as in the CRR with no exceptions. Subordinated capital (additional Tier 1 and Tier 2 instruments) should be capable of being fully and permanently written down or converted into Common Equity Tier 1 capital at the point of non-viability of the bank. 3°/ Capital adequacy requirements on credit risk, market risk, and operational risk (Pillar 1) Calculation rules of capital requirements cover credit risk, market risk, and operational risk are defined. The regulatory approach for calculation of capital requirements, including risk-weighted assets (RWA), allows the use of internal models by banks, subject to the validation of CBI, yet banks only use internal models for their internal capital adequacy assessment process (ICAAP), as well as for their internal risk management. CBI has not validated any internal model of a bank to be qualified as a regulatory internal ratings-based (IRB) model aimed at calculating regulatory capital adequacy requirements. Only one request for validation of an IRB model was submitted to CBI for validation many years ago, which was not approved, and no further request of that kind has occurred afterwards. Therefore, banks, including major banks, use standardized methods, as is possible with CRR. 4°/ Additional capital adequacy requirements (Pillar 2), and capital buffers An Internal Capital Adequacy Assessment Process (ICAAP) is requested from banks, based Act No. 161/2002, article 80 (generic provision of paragraph 1), supplemented by CRR regulatory provisions. Banks are encouraged to use internal models for that purpose, although internal models are not formally validated by CBI, however the bank’s outcome may be challenged by CBI. CBI has finalized implementation of it’s SREP in 2020, which includes a formal review process for ICAAP reports and ensuring supervisory dialogue with banks on capital adequacy. These guidelines have been tailored to Iceland and disclosed in English:
Above-mentioned CBI guidelines on SREP and Pillar 2 enables CBI to implement a riskbased and conservative Pillar 2 approach aimed at determining tailored capital adequacy requirements applicable to banks in order to capture specific risks areas that CBI considers as being not sufficiently covered by regular Pillar 1 requirements. CBI identifies such risk areas specific to Iceland (for instance, concentration risk, certain collateralized loans), and consequently uses supervisory databases and benchmarking models for challenging banks’ ICAAP calculations. CBI’s assessment results for each D-SIB have resulted in substantial Pillar 2 additional capital, in addition to Pillar I standardized capital requirements (that is, minimum capital adequacy ratio and capital buffers). The conservative prudential strategy used by CBI for Pillar 2 may have some drawbacks, in the sense that requiring high Pillar 2 additional capital may be considered as a kind of curative supervisory approach, more than a preventive supervisory approach. In other words, ordering substantial quantitative capital buffers under Pillar 2 may somewhat compensate determining specific qualitative expectations for sound risk management aimed at preventing banks from excessive risk-taking policies. Major banks are classified as other systemically important institutions (O-SIIs) or D-SIBs. They must submit an ICAAP report to CBI at least once a year. Non-systemic banks only submit an ICAAP every two to three years, and the systemic risk buffer has been implemented at a slower pace for these smaller banks. CBI typically announces the submission date at least two months in advance, and banks are notified by mail of this. Banks receive feedback from CBI on their ICAAP reports through the SREP, based on CBI guidelines. CBI supervisory processes follows guidance from EBA and BCBS. Although CBI continuously monitors the financial strength and other supervisory information for savings banks, the SREP has been effectively performed in 2021, five years after the previous formal assessment, which is not in line with CBI’s SREP methodology as these small entities are typically assessed on a frequency of 2-3 years (see CP 8 and CP9 for more detail). Based on the SREP, specific Pillar 2 capital requirements are decided and tailored for each bank, usually in the 2-4 percent range for O-SII banks. Pillar 2 decisions are proposed by CBI supervisors, then submitted to an internal CBI risk committee chaired by an independent external expert who may challenge technical assumptions on which Pillar 2 requirements are calculated, then validated by the FMEN. CBI then formally notifies each bank with specific each bank’s total capital adequacy requirements, including Pillar 2 additional capital, which banks may discuss and object to, however CBI does enforce Pillar 2 capital adequacy requirements that are deemed appropriate for each bank, even if banks disagree with CBI’s approach. As stated above, the minimum Pillar 1 capital ratio is set at a minimum 8.0 percent (Common Equity Tier 1 (CET1) capital 4.5 percent, Tier 1 capital (including additional Tier 1) 6 percent, and total capital (including Tier 2 capital) totaling 8 percent. In addition, prudential requirements on capital adequacy include several capital buffers:
Therefore, before any specific additional Pillar 2 capital is assessed, the minimum capital requirement applicable to all major banks is 17.5 percent. CBI has disclosed this requirement: https://www.cb.is/financial-stability/macroprudential-policy/capital-buffers/. CBI has also disclosed additional capital requirements based on the additional Pillar 2 capital assessment applied to each of the three major banks (O-SIIs), as follows:
The capital adequacy requirement has been slightly adjusted by CBI with reductions in the systemic risk and countercyclical capital buffers for foreign exposures, adjusted for each bank (from -0.2 percent to -0.4 percent). In conclusion, total capital adequacy requirements enforced by CBI for major banks (which altogether represent most of the banking sector) are the following:
As at H3 2022, the three O-SIIs’ average capital adequacy ratios were reported above 23 percent, of which CET1 (higher quality capital) was reported above 20 percent - , which is considered quite high. 5°/ Regulatory templates on capital adequacy Banks submit quarterly COREP reports, which they fill out in accordance to Act No. 161/2002. COREP reports show how banks calculate their total minimum capital requirement according to Pillar 1. 6°/ Supervision of capital adequacy Off-site supervisors responsible for each bank review the reports using a prepared checklist. They examine both methods and calculations to verify that ratios are not lower than required. This is done through the COREP report, the financial statements of the banks, and the SREP. On-site inspections performed by CBI have not covered the whole framework of capital adequacy ratio calculation recently. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
At least for internationally active banks,76 the definition of capital, risk coverage, the method of calculation and thresholds for the prescribed requirements are not lower than those established in the applicable Basel standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
See EC1 for details on Basel minimum standards for Pillar 1, applied by Iceland (CRR), including the definition of capital, the manner in which CBI/FSA assesses the risk coverage (SREP process, including additional Pillar 2 requirements and capital buffers), as well as an overview of the calculation of capital requirements. Of note, Iceland has not made use of any national discretions with regard to the capital definition, regulatory and reporting requirements. In addition, as stated in EC1, the BCBS RCAP of 2014, identified several deviations from the Basel standards (see footnote #72) of which the materiality of the IRB credit approach is not yet applicable to Iceland. As stated above the CRR and CRD apply to all institutions, which includes internationally active banks. Iceland’s D-SIBs, which are not internationally active, are considered domestic systemically important in Iceland, but in comparison to other EU banks, the D-SIBs would generally equate to “less significant institutions” within the EU framework. That being said, CBI has treated its D-SIBs as O-SIIs within the context of the EU framework and as defined in the CRR. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor has the power to impose a specific capital charge and/or limits on all material risk exposures, if warranted, including in respect of risks that the supervisor considers not to have been adequately transferred or mitigated through transactions (e.g., securitization transactions)77 entered into by the bank. Both on-balance sheet and off-balance sheet risks are included in the calculation of prescribed capital requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Based on applicable legislation and rules (as described under CP16 EC1), CBI may require quantitative and qualitative adjustments considering banks’ risk profiles: (i) higher capital requirements, based on Pillar 2 rules; (ii) improvements of internal processes; (iii) depreciation of assets; (iv) restrictions or limitations of business activities; and (iv) reduction of risks entailed by the business activities of a bank. Act No. 161/2002 stipulates the capital adequacy requirements (CAR) and the method for determining the risk base of banks (risk-weighted exposures) both for on- and off-balance sheet items. The COREP report, based on a uniform report template disclosed by EBA, shows how banks calculate the total minimum capital requirement according to Pillar 1 and include both on-balance sheet and off-balance sheet risks. CBI has the power (and it has used that power) to impose a specific capital limit. A 16 percent CAR ratio requirement was for example imposed on all three O-SIIs in 2009 to create a cushion in the event of future setbacks. This minimum capital requirement expired in 2012. However, capital requirements imposed on the banks through Pillar 2 of the SREP, together with capital buffer requirements, have always exceeded 16 percent since then and now stand at 17.5 percent. CBI imposes additional capital requirements under Pillar 2 relating to risks such as concentration risk, market risk, credit risk and operational risk, as well as other risks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The prescribed capital requirements reflect the risk profile and systemic importance of banks78 in the context of the markets and macroeconomic conditions in which they operate and constrain the build-up of leverage in banks and the banking sector. Laws and regulations in a particular jurisdiction may set higher overall capital adequacy standards than the applicable Basel requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
The regulatory framework in place for capital adequacy requirements (as described in CP16 EC1) is conceptually risk-based, considering the tailored risk profile of banks as well as the classification of major banks as systemically important institutions (O-SIIs), and adjustable to capture risk areas that are not embedded in quantitative calculation rules (Pillar 2). CBI has legal power to set higher capital requirements than the minimum for banks having unsatisfactory capital strength with regard to their risk profile and exposures. Such power is implemented periodically, usually through the SREP, but on-site inspections can also result in increasing capital requirements for specific banks, if justified by the inadequacy of provisions and reserves to cover expected losses on exposures. Furthermore, the macroprudential capital buffer (CCyB) is used to cover systemic risks that apply to the banking sector as a whole. Without exception, CBI has increased the capital requirements through Pillar 2 for O-SIIs for the past 10 years. This has been due to wrong classification of exposures as well as inappropriate application of the correct methodology to calculate the capital requirement for certain exposures or risk classes. This has mainly resulted from credit and concentration risks, but also market risk. CBI considers that relatively high capital requirements currently applied to banks in Iceland, which are among the highest in Europe, take into account the degree of uncertainty in the Icelandic economy and consequently in the banks’ operating environment. A leverage ratio is implemented in Iceland, based on EU CRD/CRR, on a standalone and consolidated basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Prudential rules on the use of banks’ internal models aimed at calculating capital adequacy requirements are included in applicable regulations, requiring prior approval of CBI after review of banks’ internal models. According to Act No. 161/2002, banks’ internal assessments of risk as inputs to the calculation of regulatory capital are subject to the same rigorous approval process as outlined in EU Directive (CRD IV) 2013/36/EU. Banks must demonstrate annually to CBI that they continue to meet the qualifying standards and validate all their rating systems. Rules also stipulate that banks have to either present a plan for timely return to compliance or demonstrate that the effect of non-compliance is immaterial should they cease to comply with the requirements. CBI has a right to revoke its approval of banks’ internal risk assessment systems. Interpretation of existing regulation relating to using Internal Ratings-Based (IRB) approaches for calculating capital adequacy requirements was clarified during the BCP assessment mission, as outlined below.
All banks in Iceland use the standardized approach of the Basel framework for the calculation of regulatory capital for credit risk and market risk. For operational risk, one O-SII is using the standardized approach, the others are using the indicator-based approach. The implementation of Basel III has not yet impacted the methods used by banks, although some banks are developing internal models and might apply for using them for regulatory calculation of capital requirements in the future. None of the banks in Iceland is using an Internal Ratings-Based (IRB) approach. One O-SII bank did apply to use the F-IRB approach to calculate regulatory capital for a part of its loan portfolio. The application was submitted in the autumn of 2013 but was rejected by the FSA due to the inadequacy of this internal model. However, the three large banks use internal models to calculate their economic capital (ICAAP) in view of setting their own strategy on capital adequacy. If any bank would apply for CBI’s permission to use internal models for the purpose of calculating regulatory capital, such an application would be subject to the same rigorous approval process as outlined in applicable regulations. Each internal model must be approved formally by CBI before it is used for capital calculations. The approval is only granted if banks meet all regulatory criteria. These criteria relate to the use test, governance, and risk management framework, independence of risk management and development of internal models, the adequacy of the rating system, the internal validation process, documentation, data collection, and conservatism of estimates. When approving an internal model to calculate regulatory capital, CBI would attach conditions to the approval to allow for periodic monitoring of the model and assess results of implementation. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor has the power to require banks to adopt a forward-looking approach to capital management (including the conduct of appropriate stress testing).79 The supervisor has the power to require banks:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Prudential rules are enacted on the stress testing framework that banks must implement in order to assess the resilience and adequacy of their capital to adverse shocks. Act No. 161/2002, article 77(a), stipulates as a general principle that all banks are required to conduct regular stress tests, and to document underlying assumptions and outcomes. Stress test results and subsequent proposed actions for upgrading banks’ capital resilience shall be communicated to banks’ boards at the earliest opportunity. The assessment power of CBI on banks’ stress testing and SREP is laid down in articles 80 and 81 of the Act. The FSA issued Guidelines No. 2/2015 on stress testing, concentration risk, and interest rate risk. Furthermore, 2018 EBA guidelines on stress testing are used, and referenced as follows: https://www.eba.europa.eu/sites/default/documents/files/documents/10180/2282644/2b604bc8-fd08-4b17-ac4a-cdd5e662b802/Guidelines%20on%20institutions%20stress%20testing%20%28EBA-GL-2018-04%29.pdf?retry=1. As part of the ICAAP process, banks are required to perform stress tests using several scenarios, differing in severity. The output from these stress tests is then used in the capital planning part of the ICAAP report. CBI also conducts its own stress test as a part of the SREP, and can use the results from these stress tests to add a capital charge, or capital guidance, for stressed conditions on the banks through Pillar 2 guidance of SREP. In practice, capital adequacy requirements are already quite high, given the substantial additional Pillar 2 capital, so that supervisory stress tests have not resulted in any need of requiring even more capital through Pillar 2 Guidance (P2G). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 16 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Act No. 161/2002 outlines the capital requirements for Icelandic banks with the EU framework (CRD transposed in 2016 and updated in 2022 and the CRR No. 575/2013 which is directly applicable and binding in its entirety). In H2 2022 (two months prior to the BCP on-site assessment), amendments to EU regulation No. 575/2013 (CRR II directly applicable) and EU Directive (No. 2013/36/EU) (CRD V) were transposed into Act No. 161/2002. Although the CBI/FSA is of view that it has adopted Basel III capital adequacy requirements, with the transposition of the EU framework into Iceland’s banking legislation, there are some deviations from the Basel standards. The EU’s capital framework was subject to a BCBS RCAP regarding the compliance with Basel regulations in 2014. The EU framework was found to be overall materially non-compliant. One of the main areas of difficulty cited in the RCAP was the IRB approach for credit risk (rated materially non-compliant). It is noted that the recent changes and implementation of CRR II and CRD V for the EU framework have not been subject to an updated RCAP, neither has the EU provided an updated self-assessment to previously noted deviations of the Basel capital regulations that would provide a sufficient reference on the materiality of remaining deviations. The EU rules are applicable to all credit institutions, regardless of size or systemic importance or whether the jurisdiction has internationally active banks. Further, CRD application of Pillar 2 requirements assessed through the CBI/FSA’s SREP process (risks not captured by Pillar 1) are considered by assessors as strong and consistently utilized by the supervisor (updated annually for D-SIBs). In addition, Icelandic capital buffer requirements for D-SIBs are considered adequate (given the nature, size and complexity of Icelandic D-SIBs that are not internationally active) resulting in very high levels of Tier 1 and total capital. Further, Iceland has not made use of any of the national discretions available. Finally, Icelandic banks follow the standardized approach for credit, market and operational risk. Although the application of the IRB approach for credit risk (as stated above as one of the most egregious deviations from Basel standards according to the 2014 RCAP) is not applicable/utilized at this time for its three D-SIBs, this issue could prove material in the future and should be watched for in future FSAPs. Assessors, however, are of the view that this is not considered a material or relevant deviation from the Basel standards at this point in time for Iceland. CBI requires a high level of capital from banks, as a precautionary supervisory strategy, using accumulated capital buffers and significant Pillar 2 additional capital. Major banks are classified as D-SIBs. In addition to the minimum capital adequacy ratio of 8 percent (Common Equity Tier 1 (CET1) capital 4.5 percent, Tier 1 capital (including additional Tier 1) 6 percent, and total capital (including Tier 2 capital)), they are subject to a capital conservation buffer (2.5 percent), a systemic risk buffer (3 percent), a so-called other systemically important institution (O-SII) buffer (2 percent), a macroprudential countercyclical capital buffer (2 percent), and ad-hoc Pillar 2 additional capital requirements, which are quite significant (from 2.6 to 3.5 percent). Furthermore, a leverage ratio is required, though not impactful on Icelandic banks at this time. For determining Pillar 2 requirements, CBI uses in-house benchmarking models aimed at supplementing Pillar 1 requirements for risk areas that CBI considers as being not enough covered by capital. Banks may discuss CBI’s calculations with banks; however, CBI’s views are usually enforced by CBI on an annual basis through the SREP process. CBI’s methodology and decisions on capital adequacy requirements are publicly disclosed for each major bank for full transparency. In all and average, the capital adequacy ratio of D-SIBs stands above 23 percent, which is quite high and conservative. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 17 |
Credit Risk80 The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk81 (including counterparty credit risk)82 on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require banks to have appropriate credit risk management processes that provide a comprehensive bank-wide view of credit risk exposures. The supervisor determines that the processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, take into account market and macroeconomic conditions and result in prudent standards of credit underwriting, evaluation, administration and monitoring. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Regulated financial institutions apply CRD (Article73) and CRR (Part III, title II) on credit risk as it has been implemented in Iceland (re: Article1(c) of Act No. 161/2002) in addition to relevant Icelandic laws (Act No. 161/2002), relevant technical standards and guidelines are also applicable requirements for banks on credit risk management, and include:
Further, Article77(a) of Act 161/2002 states that financial undertakings shall operate a secure risk management system for all its activities and internal processes to assess the necessary size, composition and internal distribution of the capital base in light of the risks entailed by the business activity at any time. CBI/FSA has established a Supervisory Handbook (CCQ) for financial supervisors and credit risk experts when assessing bank’s credit risk function. The Supervisory Handbook is largely based on the EBA guidelines for SREP and there are two main elements on credit risk assessment: a) regular monitoring where there is a description on how to monitor credit risk every quarter; and b) provides a description on how to do a more comprehensive assessment on inherent credit risk and risk management and control in relation to the SREP process. Assessors noted that the handbook for credit risk assessment does need to be updated to adequately reflect all newly issued EBA guidelines. Over the past five years, CBI/FSA has carried out a number of thematic on-site inspections pertaining to various areas of credit risk (such as evaluating forbearance in accordance with EBA/GL/2017/06, FINREP reporting and stage 3 IFRS 9 (EBA/GL/2018/06). In addition, financial supervisors in the Banking Department, together with the Banking Department credit risk specialists, have undertaken some off-site inspections into various areas of credit risk management on a bi-lateral basis with the D-SIBs they oversee. Most of this work pertains to the review of ICAAP wherein bank’s credit risk exposures are stressed using pertinent macroeconomic factors with a result of making a Pillar 2 assessment. Off-site inspections were also carried out for other areas of credit risk that were a concern to the financial supervisors, such as a review of large borrowers. Given the extent and recent release of the EBA guidance pertaining to credit risk exposures that Icelandic banks (and in particular the D-SIBs) need to comply with, the Assessors are of the view that additional on-site inspections need to be undertaken by the credit experts to determine/assure themselves that bank’s credit underwriting, evaluation, administration and monitoring processes in practice comply with prudent standards that the banks have put in place. Off-site assessment work that CBI/FSA has undertaken would no doubt ensure credit experts as well as financial supervisors would be aware of credit risk policies, however there is a need to ensure these policies are in fact adhered to in practice across all types of credit risk exposures (e.g., not limited to small sample sizes covered during the thematic on-site inspections). Last, given the extent of the EBA guidelines, CBI/FSA should consider putting in place external prudential standards that are tailored to Iceland to ensure banks know and understand all of CBI/FSA’s expectations with respect to credit risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that a bank’s Board approves, and regularly reviews, the credit risk management strategy and significant policies and processes for assuming,83 identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. The supervisor also determines that senior management implements the credit risk strategy approved by the Board and develops the aforementioned policies and processes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
CBI/FSA gains some insight into the Board’s setting and monitoring of credit risk through a) the review of D-SIBs ICAAP/ILAAP, BMA processes submitted and assessed as part of the SREP; and b) through the monthly/quarterly risk report and discussions with senior management on a quarterly basis. Specifically, there is a discussion on the overall risk profile pertaining to credit risk and other risk data that CBI/FSA has access to through prudential reporting. CBI/FSA also carries out thematic on-site inspections related to a bank’s credit risk practices wherein these inspections have provided some assurance that Board approved credit risk policies/procedures are being adhered to by senior management in the areas under the focus for the credit review (see EC3(c) for more detail). In addition, certain of these on-site reviews looked at whether a D-SIB’s credit policy is part of the governing structure of a bank and if it is properly signed by the board and if it is regularly reviewed. As an example, one particular on-site inspection of a D-SIB examined the bank’s protocol (delegation of lending limits) for ensuring that person who signed off on loan agreements, had the proper authority to do so. Also, the risk appetite of the board was reviewed and compared to the underwriting rules of the bank (e.g., extension of loans, etc.) - see EC3(c) for more detail. CBI/FSA requests and reviews the banks’ risk reports and risk dashboards, which are regularly presented to the bank’s BOD and the senior management. Assessors acknowledge that CBI/FSA does gain some in-sight into how bank Boards oversee the credit risk exposures (through the review of quarterly risk reporting that goes from senior management to the Board), however it is recommended that credit experts, on a risk based supervisory cycle, review the strength/quality of bank’s ability to identify, measure, evaluate, monitor, report and control or mitigate credit risk in practice, is line with/complies with not only the bank’s overall credit risk strategy but the credit limits put in place and approved by the Board as part of its credit risk appetite. This would include the credit experts having a view across all types of credit risk exposures and not just limited to the thematic credit reviews undertaken in the past five years. This is a critical component of CBI/FSA’s oversight of bank’s credit risk management practices. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Article 77(a) of Act 161/2002 requires financial institutions to operate secure risk management systems. Further, institutions are required to operate a properly controlled credit risk framework with sound policies and processes. Requirements where different issues are addressed are outlined in several EBA guidelines, within the scope of credit risk, which have been adopted in Iceland. Credit risk assessment in SREP, includes a determination of certain aspects of the risk management of credit risk. The supervisors evaluate various elements within risk management and control framework in the SREP process and assign a risk score to each element within the main categories. Main categories covered in SREP assessment are:
Although CBI/FSA utilizes a “thematic approach” for its on-site inspection program focusing on specific topics/areas of concern of the financial supervisors/credit risk experts in the Banking Department, deeper assessments should be undertaken on a per bank basis to ensure CBI/FSA is adequately assessing not only overall credit risk exposures against limits, but ensuring that bank’s credit risk management policies and procedures are being adhered to in practice. These credit risk assessments can be carried out on a risk basis during the supervisory cycle (e.g., spread out the reviews that will result in better supervisory coverage of credit risk) which is considered given that credit risk is considered one of the most material risks for Icelandic banks. Assessors noted that certain aspects of the requirements listed in this EC were covered by CBI/FSA on-site examinations or off-site inspections over the last several years, however, several critical areas need further or deeper assessment. For example, CBI/FSA is not fully determining for example, bank’s:
Moreover, CBI/FSA supervisors need to assure themselves that banks (especially D-SIBs) have effectively implemented the EBA guidelines (given the recent publication for loan origination and monitoring). This can be accomplished on a risk basis supervisory cycle. CBI/FSA financial supervisors as well as the credit risk experts within CBI/FSA need additional training on the latest requirements. Not because these individuals do not have deep knowledge and expertise, but to afford them an opportunity (e.g., the time) to get across these recent guidelines so that they are on par with the bank’s knowledge. Further, the Supervisory Handbook should be updated to reflect recently released guidelines. It is noted that one on-site credit expert did form part of a working group/task force that examined NPL management, loan origination and monitoring as well as internal governance (e.g., borrower affordability). This credit expert is tasked with training the other credit experts in CBI/FSA. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that banks have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including significant unhedged foreign exchange risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Credit risk assessment in SREP, includes an “off-site” determination of banks’ strategies, policies and processes for all material risks have been integrated into the banks risk management processes and approved by the banks’ Boards assessed as part of the ICAAP. Chapter 5, item 86 of EBA/GL/2020/06 outlines a list of items that a bank should consider when underwriting a loan, among the items listed is “financial position and commitments, including assets pledged and contingent liabilities”. Further, 5.2.9 item 182 of the GL speaks to the need to assess total indebtedness of the client. CBI/FSA has carried out an on-site inspection at one of the D-SIBs in 2021 that included a sample of 5 large borrowers, where inspectors examined the origination of loans and what information the bank collects and uses when deciding on a loan among the information is the total indebtedness. CBI/FSA also focused more broadly on the valuation of loans (a few loans were sampled) where loans were already committed and the inspector replicated the underwriting of the loan to a certain extent, including looking at the overall valuation of the loan, the ability of the borrower to pay which was estimated by looking at the total indebtedness. The authority looks at examples of customers and all relevant information is considered with the annual accounts of the customer, borrowing at the relevant bank, the documents of the bank on originating the loan and value of collateral. Assessors however are of the view that this type of on-site inspection should be carried out using a deeper loan sample across all types of credit exposures at all D-SIBs (at a minimum) as part of a risk based supervisory cycle. The FX lending risk is reviewed in CBI’s credit risk assessment with focus on unhedged borrowers, in accordance with the Supervisory Handbook (CCQ). In the risk evaluation of the SREP process the largest borrowers of FX are listed and evaluated in relation to exposure to FX risk (as part of the “off-site” program. The banks are then evaluated depending on the amount of exposure of FX that is considered unhedged. CBI/FSA expects the banks to prudently address FX lending risk policy. Chapter 5.2, item 108 of EBA/GL/2020/06 stipules what banks need to address with respect to FX lending risk policy. Strict requirements have been implemented regarding FX mortgage loans in Act No. 118/2016 on loans to consumers. Specifically, Article 21 stipulates that foreign exchange mortgage consumer loans to borrowers that do not have sufficient income in the same currency, are prohibited. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
See CP20 EC2 for an overview of legislative references within Act No. 161/2002 on the granting of loans by institutions to a related party. (e.g., Article29, 27 and 55) dealing with conflicts of interest. Article 6 of Rules No. 247/2017 stipulates that transactions with related parties must be on an arm’s length basis and equal to similar transactions with non-related parties. Issues regarding the definition of a related party are addressed in CP20. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor requires that the credit policy prescribes that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital are to be decided by the bank’s Board or senior management. The same applies to credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Banks are required to operate according to Chapter 4.1 and 4.2 of EBA’s Final Report -Guidelines on loan origination and monitoring (EBA/GL/2020/06). The EBA GL states that the management board set the credit risk appetite within the overall risk framework, including credit-granting standards, qualitative statements, quantitative metrics and limits, and escalation thresholds, without business performance biases. The EBA GL states in general that banks should establish thresholds that require management board approval. Chapter 4.2 (paragraph 34) of the GL states that credit risk policies and procedures should specify: policies and procedures and rules for the approval of credit granting and decision- making, including appropriate authorization levels set in accordance with the credit risk appetite and limits. CBI/FSA has conducted an on-site supervision inspection in 2018 on the framework of loan approval within the D-SIBs. The supervision looked at the policy from the board regarding credit activities and the role of the CEO in the credit underwriting process. The setup of loan committees and the approval structure of loans was also under consideration and especially how the rules for each committee were determined. Also, it was investigated what cases were decided by the board or the board loan committee and how exceptions were handled. The banks have limits for the banks loan committee that if loans go past this limit the board loan committee is the deciding party of the loan. This applies to a single loan as well as accumulated loans of a customer. In the bank’s loan committee, there is a party from the CRO that has a veto or the ability to escalate a loan decision to the next level if that party considers that the loan is outside the banks risk appetite or otherwise out of scope. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
According to Article 9, paragraph 1 of Act 87/1998, the parties subject to supervision are obliged to grant the authority access to all their accounts, minutes, documents, and other material in their possession, regarding activities the authority considers necessary. In pursuance of its activities, the authority may perform on-the-spot checks or request information, in such a manner and as often as it deems necessary. The authority has full access to all bank personnel, including management and the Board. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor requires banks to include their credit risk exposures into their stress testing programs for risk management purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
Article77(a), paragraph 2 of Act 161/2002 stipulates that all financial undertakings should perform a stress test on a regular basis and that the board should be presented with the results at the next meeting after the results are ready. Requirements on credit risk exposures and stress testing programs for risk management purposes are outlined in the EBA GL on institution’s stress testing chapter 4.7 page 34 of EBA/GL/2018/04. Further, banks are expected to also follow domestic guidelines No. 2/2015 on stress testing As part of the ICAAP process, banks are required to perform stress tests using several scenarios, differing in severity. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 17 |
Materially Non-Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comment |
Although CBI/FSA utilizes a “thematic approach” for its on-site inspection program focusing on specific topics/areas of concern of the financial supervisors/credit risk experts in the Banking Department, deeper assessments (e.g. extend size of loan sample, across all types of credit exposures, etc.), should be undertaken on a per bank basis (especially for the D-SIBs) to ensure CBI/FSA is adequately assessing not only credit risk exposures against limits, but ensuring that bank’s credit risk management policies and procedures are being adhered to in practice. These credit risk assessments can be carried out on a risk basis during the supervisory cycle (e.g., spread out the reviews that will result in better supervisory coverage of credit risk) to ensure adequate supervisory coverage of credit risk is given it is considered one of the most material risks for Icelandic banks. Assessors noted that certain aspects of the requirements listed in the various ECs were covered by CBI/FSA during the “thematic” on-site examinations or off-site inspections over the last several years, however, several critical areas need further or deeper assessments. For example, CBI/FSA is not fully determining for example, bank’s:
Moreover, CBI/FSA supervisors need to assure themselves that banks (especially D-SIBs) have effectively implemented the recently adopted EBA guidelines (given the recent publication for loan origination and monitoring). CBI/FSA financial supervisors as well as the credit risk experts within CBI/FSA need additional training on the latest requirements. Not because these individuals do not have deep knowledge and expertise, but to afford them an opportunity (e.g., the time) to get across these recent guidelines so that they are on par with the bank’s knowledge. Further, the Supervisory Handbook should be updated to reflect recently released guidelines. Last, given the extent of the EBA guidelines, CBI/FSA should consider putting in place external prudential standards that are tailored to Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 18 |
Problem Assets, Provisions, and Reserves84 The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves.85 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require banks to formulate policies and processes for identifying and managing problem assets. In addition, laws, regulations or the supervisor require regular review by banks of their problem assets (at an individual level or at a portfolio level for assets with homogenous characteristics) and asset classification, provisioning and write-offs. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Commercial banks prepare their accounts in accordance with the IFRS accounting standards which address provisions on impaired loans in their financial accounts. The savings banks have not implemented IFRS9 and therefore are obliged to follow Rules No. 834/2003 on the Annual Accounts of Credit Institutions. Banks and CBI/FSA also rely on the view of the EA with respect to the asset classification, provisioning and write-offs of bank’s loans. CBI/FSA thematic on-site inspections do cover a review of the asset classification, provisioning and write=offs of bank’s loans, but only in the area of the credit exposures being examined as part of the thematic credit review, and not necessarily across all credit exposure types (see CP17 for more detail), as the EA would typically do as part of their annual audit of the bank. Requirements on policies and processes for identifying and accounting for problem assets that banks must comply with, as well as the requirement to undertake periodic reviews, are stipulated in Article 57 and Appendix I of the Rules. Regulated financial institutions apply CRD (implemented through Act No.161/2002) and CRR (implemented directly) as it has been implemented in Iceland in addition to relevant laws (Act No. 161/2002). Article178 of CRR defines default exposures. Relevant technical standards and Guidelines are also applicable as requirements on credit risk management. The Authority has defined sound practices by implementing the EBA
CBI/FS’s Supervisory Handbook provides for internal guidance to supervisors to help determine how to value loans. This guidance is used for on-site inspections (e.g., how to value cash flow and how to value collateral). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines the adequacy of a bank’s policies and processes for grading and classifying its assets and establishing appropriate and robust provisioning levels. The reviews supporting the supervisor’s opinion may be conducted by external experts, with the supervisor reviewing the work of the external experts to determine the adequacy of the bank’s policies and processes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
The commercial banks prepare annual, semi-annual and quarterly financial statements and accordingly review problem assets quarterly in compliance with IFRS. Notes to the annual accounts, as well as the semi-annual accounts, of the commercial banks contain detailed information on the provisioning processes and write-offs of the banks. Further, CBI/FSA regularly review the overall financial statements of the banks and performs a comparison analysis between the banks. CBI/FSA collects quarterly reports from all financial undertakings on the status of loans in default where all loans and receivables are classified according to arrears by type of debtor and type of loan. Annual audited financial statements prepared by EA, according to Arts 2, 6, 8, 9, and 13 of Rules No. 532/2003 on the Audit of Financial Undertakings, describe the methods used for the provisioning of the bank and, if deemed necessary by the auditor, as well as provide comments on the bank’s management of credit risk. Further, banks are required to comply with EBA guideline on non-performing and forborne assets (EBA/GL/2018/063) and CBI/FSA conducted a thematic review of D-SIBs to ensure that banks were in fact complying with these guidelines. On-site inspections regarding non-performing loans and forbearance was conducted for the D-SIBs in 2021. The first part of the inspection focused on the adoption of the EBA guidelines (chapter 6 forbearance and 7 NPE recognition) and annex 5 (chapter 17 nonperforming exposures and Chapter 18 forborne exposures) of the Commission Implementing Regulation (EU) 2021/451 (implemented with rules 1163/2022) that covers the management of non-performing and forborne assets. The second part focused on the methods of the banks classifying forborne exposures. This type of on-site inspection is not necessarily typical for CBI/FSA as this thematic review was deemed timing given the adoption of the EBA guideline. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures.86 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
The D-SIBs financial accounts are IFRS compliant, including the classification of problem assets and provisioning take into consideration off-balance sheet exposures and information regarding off-balance sheet exposures are reported in FINREP. Furthermore, Rules No. 834/2003, applicable to savings banks, require off-balance sheet items to be taken into account when provisioning for problem assets, cf. Annex I of the Rules. CBI/FSA review commercial bank’s credit classification systems through the audited financial statements with confirm both on-balance sheet and off-balance sheet exposures. Further, notes to the annual financial accounts of the commercial banks contain detailed information on off-balance sheet exposures. CBI/FSA conducted an on-site inspection of off-balance sheet exposures at the D-SIBs in 2022, one objective of the inspection was to confirm that the off-balance sheet exposure is correctly reported in FINREP. In the on-site the reporting of the off-balance sheet exposure was checked to see if the banks reported under the appropriate conversion factor. Off-balance sheet exposure of the banks has been stable over the last quarters, last quarter it was 13.5 percent of total assets, the fluctuation over several quarters is from roughly 10 percent to 15 percent. At the same time the non-performing off-balance sheet is in the last quarter 0.9 percent of total off-balance sheet exposure. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that banks have appropriate policies and processes to ensure that provisions and write-offs are timely and reflect realistic repayment and recovery expectations, taking into account market and macroeconomic conditions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
CBI/FSA reviews provisioning policies processes and write-offs along with their adequacy through various on-site and off-site inspections at the banks. The commercial banks prepare annual, semi-annual and quarterly financial statements and accordingly review provisions and write-offs in compliance with IFRS, which CBI/FSA regular review. Further, although the authority has through various on-site inspections determined if the banks have the appropriate policies and processes regarding provisions and write-offs. For example, CBI/FSA undertook an on-site inspection regarding non-performing and forborne exposures focused on the policies and processes of the classification of loans in non-performing and forborne status. One aspect was to determine if the banks had adopted the definition and procedures stipulated in the EU GL on non-performing and forborne exposures. Another aspect was to determine if the banks were classifying loans properly and if provisions were made respectfully. Another example included the on-site inspection which was conducted at all the savings banks (2021/2022) focusing on three issues: 1) the credit processes; 2) the impairment process and 3) the book value of the largest exposures. In issue 2, the impairment processes, both the general provision and special provision were examined. The process of how the impairment was decided was examined and in the case of the special provisions the provisions of some customers was challenged. On-site inspectors also focused on the bank’s general provisioning methodology, as well as how conclusions of impairments were derived. See EC1 above (as well as the conclusions for CP 17) for Assessor’s comments regarding the depth of the thematic on-site inspections and the need to undertake more work to ensure bank’s practices are in line with the required provisioning policies and practices across all credit exposures, on a risk basis during the supervisory cycle and not just carrying on one off on-site inspections. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor determines that banks have appropriate policies and processes, and organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations. For portfolios of credit exposures with homogeneous characteristics, the exposures are classified when payments are contractually in arrears for a minimum number of days (e.g., 30, 60, 90 days). The supervisor tests banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (e.g., rescheduling, refinancing or reclassification of loans). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
The authority, in both its off-site and on-site inspections, reviews the internal rules and procedures regarding problem loans, impairment, collection of past due loans and reviews the banks resources regarding this domain. IFRS requires the banks to classify loans in arrears after 30, 60, 90 days, and older. Savings banks are also required to classify loans in arrears, with the requirement to book specific provisions at 90 days, as well as well as the requirement to maintain a general provision. Further, savings banks must also adhere to standards for the extension or renegotiation of loans87, this manner (see Appendix I, Rule No. 834/2003). During the three on-site inspections conducted at the D-SIBs over the past three years, CBI/FSA focused on whether: a) banks followed the accounting standard regarding classification of loans in compliance with IFRS 9; b) forborne loans were being classified adequately; and c) the valuation of loans where the classification of loans was confirmed if it was in line with standards and guidelines. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor obtains information on a regular basis, and in relevant detail, or has full access to information concerning the classification of assets and provisioning. The supervisor requires banks to have adequate documentation to support their classification and provisioning levels. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
There are several reports that the authority receives regarding information on the classification of assets and provisioning. The main report is FINREP which includes information on classification of loans in stages as well as provisioning. Further, CBI/FSA also collects information from the Loan Portfolio Analysis report (LPA) and from the credit registry which greatly assists financial supervisors with additional information that FINREP does not provide. CBI/FSA financial supervisors also have access data of “days in arrears” however the risk assessment mainly focuses on “stages” of problem loans. Assessors suggest an analysis of both aspects as it will be important to know what credit risk is “moving through the system” (e.g., credit cycle/trends). Last, CBI/FSA has undertaken several on-site examinations on D-SIBs over the past several years, plus undertaken a thematic review for savings banks in 2022, that included a review of whether banks have adequate documentation to support their classification and provisioning levels. The authority has full access to any and all information needed for assessment purposes as per Article 9 of act 87/1998. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor assesses whether the classification of the assets and the provisioning is adequate for prudential purposes. If asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (e.g., if the supervisor considers existing or anticipated deterioration in asset quality to be of concern or if the provisions do not fully reflect losses expected to be incurred), the supervisor has the power to require the bank to adjust its classifications of individual assets, increase its levels of provisioning, reserves or capital and, if necessary, impose other remedial measures. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Art. 107 (a) of Act No. 161/2002 provides CBA/FSA with the power to increase requirements for own funds or decrease assets if through its work the provisions are deemed to be inadequate for prudential purposes. Assessors noted that CBI/FSA has undertaken several thematic reviews regarding loan classification, valuation and to test whether provisioning is adequate. Assessors recommend that on-site examiners undertake a deeper dive into bank’s asset classification practices (replicating the loan file) across a number of different loan types (real estate back loans, personal loans, etc.), assess collateral valuation practices, etc. See CP17 for additional information. In addition, assessors noted that CBI/FSA financial supervisors tend to adjust Pillar 2 capital of bank’s overall capital requirements rather than force a bank to book additional specific provisions, as banks typically argue that they have sufficient collateral or “insurance” and therefore are not required to take this action. From a “legal enforcement” perspective, CBI/FSA is more confident to assess additional Pillar 2 capital on a temporary rather than prescribe additional provisions. Assessors are of the view that CBI/FSA should be insisting on additional provisions with banks when needed instead of utilizing this temporary corrective measure of increasing capital. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor requires banks to have appropriate mechanisms in place for regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. The valuation of collateral reflects the net realizable value, taking into account prevailing market conditions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
CBI/FSA has implemented the guideline on loan origination and monitoring (EBA/GL/2020/06), part of that is regular monitoring of exposures and collateral valuation, includes:
Article 208 of CRR stipulates that there is a procedure for monitoring and valuating immovable property. Further, there have been several on-site inspections on the valuation of D-SIB loans. Part of the valuation process is to valuate collateral and compare to the valuation of the relevant bank. The banks are required to evaluate the collateral regularly and take into account all factors that can affect the valuation. Further, the inspection focused on large loans wherein the banks should be regularly re-evaluating the collateral. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
Laws, regulations or the supervisor establish criteria for assets to be:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
D-SIBs classification systems and provisioning must be compliant with IFRS9, CRR and CRD requirements. Guidelines on management of non-performing and forborne assets (EBA/GL/2018/06) are also in place. Article47(a) paragraph 3 of CRR defines non-performing exposures and paragraph 6 when exposures can be reclassified as performing. In paragraph 3 of Article47(a) of CRR the nonperforming exposures is defined and for the purposes of point (m) of Article36(1)88, the following exposures shall be classified as non-performing: (a) an exposure in respect of which a default is considered to have occurred in accordance with Article 17889; (b) an exposure which is considered to be impaired in accordance with the applicable accounting framework; (c) an exposure under probation pursuant to paragraph 7, where additional forbearance measures are granted or where the exposure becomes more than 30 days past due; (d) an exposure in the form of a commitment that, were it drawn down or otherwise used, would likely not be paid back in full without realization of collateral; (e) an exposure in form of a financial guarantee that is likely to be called by the guaranteed party, including where the underlying guaranteed exposure meets the criteria to be considered as non-performing. For the purposes of point (a), where an institution has on-balance-sheet exposures to an obligor that are past due by more than 90 days and that represent more than 20 percent of all on-balance-sheet exposures to that obligor, all on- and off-balance-sheet exposures to that obligor shall be considered to be non-performing. In paragraph 6 of art. 47a of CRR the reclassification into performing is defined, nonperforming exposures subject to forbearance measures shall cease to be classified as non-performing for the purposes of point (m) of Article 36(1) where all the following conditions are met:
In 2021 CBI/FSA started a thematic on-site inspection of the savings banks that focused among other things on the impairment process (see EC 4). On-site inspections in the D-SIB in 2021 focused on whether the banks were classifying loans timely and appropriately in forbearance status or non-performing status. The method used was to examine the governance, the procedure and the strategy of the banks in this regard. One on-site inspection for a D-SIB in 2020 focused on the reclassification of loans back to preforming status. There were examples of loans examined and the process of reclassification was traced back in history with the borrower and reviewed to examine whether the bank had adequately followed the reclassification rules (chapter 7.3.3. in GL on management of non-performing and forborne exposures (EBA/GL/2018/06)). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC10 |
The supervisor determines that the bank’s Board obtains timely and appropriate information on the condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets. The information includes, at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC10 |
CBI/FSA requires bank Boards and senior management to review the bank’s asset portfolio, including the classification of assets and level of provisioning. CBI/FSA has directed banks’ Board’s to receive risk reporting from the various business units, covering risk areas against Board approved risk appetite and established risk limits. CBI/FSA regularly receives and reviews these risk reports from the bank which help the financial supervisors with their own quarterly risk assessment of the D-SIBs. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC11 |
The supervisor requires that valuation, classification and provisioning, at least for significant exposures, are conducted on an individual item basis. For this purpose, supervisors require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC11 |
The authority has implemented guidelines on loan origination and monitoring. Also, Article208 in CRR outlines requirements involving exposures with collateral in immovable property where there is a threshold for valuation of collateral dependent on the amount of the exposure. During its last thematic on-site credit review of D-SIBs large borrowers undertaken in the last several years, CBI/FSA has ensured that bank’s large exposures, large loans in general and especially significant exposures classified as stage 3 are individually assessed and provided for. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC12 |
The supervisor regularly assesses any trends and concentrations in risk and risk build-up across the banking sector in relation to banks’ problem assets and takes into account any observed concentration in the risk mitigation strategies adopted by banks and the potential effect on the efficacy of the mitigant in reducing loss. The supervisor considers the adequacy of provisions and reserves at the bank and banking system level in the light of this assessment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC12 |
The authority regularly monitors trend and concentrations in risk across the banking sector in relation to banks problem assets. The results of this assessment on credit risk and potential concentrations is reflected in CBI’s semi-annual financial stability report that is published. The FSR speaks to various factors regarding the macroeconomic conditions, overall indebtedness, asset quality, loan to values (with the various real estate backed loans, etc. Further, CBI has put in place certain policy measures to help manage/mitigate the buildup of risk in the banking sector (e.g., setting debt to equity and loan to value requirements for household lending). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 18 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Assessors note that to a certain extent, CBI/FSA financial supervisors rely on the work of the EA with respect to the adequacy of bank’s asset classification, valuation and provisioning practices. However, Assessors also noted that CBI/FSA has undertaken several thematic reviews regarding loan classification, valuation and to test whether provisioning is adequate. Assessors recommend that on-site examiners undertake a deeper dive into bank’s asset classification practices (replicating the loan file) across a number of different loan types (real estate back loans, personal loans, etc.), assess collateral valuation practices, etc. This recommendation is in line with CP17 observations on the depth and breadth of the thematic on-site credit inspection program. In addition, assessors noted that CBI/FSA financial supervisors tend to adjust Pillar 2 capital of bank’s overall capital requirements rather than force a bank to book additional specific provisions, as banks typically argue that they have sufficient collateral or “insurance” and therefore are not required to take this action. From a “legal enforcement” perspective, CBI/FSA is more confident to assess additional Pillar 2 capital on a temporary rather than prescribe additional provisions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 19 |
Concentration Risk and Large Exposure Limits The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.90 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require banks to have policies and processes that provide a comprehensive bank-wide view of significant sources of concentration risk.91 Exposures arising from off-balance sheet as well as on-balance sheet items and from contingent liabilities are captured. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Article 77(a) of Act No.161/2002 states that a financial undertaking shall operate secure risk management systems regarding all of its operations. In the same Article, exposures are defined as loans, securities, shares and guarantees granted by the financial undertaking, as well as all other obligations towards the financial undertaking. Article 1(c) of Act No. 161/2002, also states that the capital requirements regulation, described in EU Regulation No. 575/2013 (CRR), is applicable in Iceland, this includes concentration risk and large exposure limits described therein. Article 78(c) of Act No. 161/2002 states that a financial undertaking shall handle and manage concentration risk in relation to their counterparties. The article identifies that a bank should among other things consider group of connected clients92, sector concentration, geographic, industry, or product. Credit risk mitigation should be taken into account as well as large indirect exposures. The financial institution should also especially consider collaterals from a single publisher. This article is based on Article81 of Directive 2013/36/EU (CRD). Articles 387 to 403 (Part four) of the CRR, define large exposures (Article389-392), impose limits (Article395), and define regular reporting (Art. 394). Article 393 requires that institutions have sound administrative and accounting procedures and adequate internal control mechanism for the purpose of identifying, managing, monitoring, reporting, and recording all large exposures. Article 390 defines that exposures include both on and off-balance sheet items. Article 249 in EBA’s Guidelines on loan origination and monitoring (EBA/GL/2020/06) detail that when monitoring credit risk institutions should aggregate the credit risk exposure in various areas to support the identification of credit risk concentrations. The areas that should be considered include sector, transaction purpose, geographical location of borrower and collateral. Article 255 also indicates that the institution should monitor concentration measures. Further, CBI/FSA’s Supervisory Handbook (030 Risk Assessment - Risk management and control indicators), details CBI’s procedure for evaluation of concentration risk management “[...] institutions should have in place effective internal policies, systems and controls to identify, measure, monitor, and control their concentration risk.” Internal rules, guidelines, and practices regarding large exposures, including how the issue of connected parties is dealt with, are reviewed as a part of annual SREP process for D-SIBs as well as during on-site inspections at the banks when this is a focus. Last, the EBA SREP Guideline, Article186 indicates that competent Authorities should pay particular attention to hidden sources of credit concentration risk that can materialize under stressed conditions, when the level of credit risk correlation can increase compared to normal conditions and when additional credit exposures can arise from off-balance sheet items. CBI/FSA SREP methodology also follows this position. CBI/FSA’s requirements for banks regarding concentration risk is spread out between the EU regulations (CRR), EBA guidelines, Act No. 161/2002, Rules on large exposures and financial undertakings (Rule No. 625/2013 still up on CIB/FSA’s website) and its’ SREP framework (e.g., including Annex 1: Supervisory Benchmarks for the Setting of Pillar 2 Additional Own Funds Requirements for Credit and Concentration Risk). Banks would therefore benefit from CBI/FSA releasing its own specific prudential guidelines, even if streamlined with links, so that all banks know and understand clearly CBI’s prudential requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that a bank’s information systems identify and aggregate on a timely basis, and facilitate active management of, exposures creating risk concentrations and large exposure93 to single counterparties or groups of connected counterparties. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Although the CBI/FSA is of view that it has adopted Basel standards regarding large exposures (LEX), with the transposition of the EU framework into Iceland’s banking legislation, however, there now exists some deviations from the Basel standards. In the EU, the LEX requirements were first introduced through Regulation (EU) No 575/2013, and then amended for improved alignment with the Basel LEX framework through Regulation (EU) 2019/876, supplemented by a series of acts adopted by the European Commission and Guidelines issued by the EBA. The amendment to EU LEX requirements was published on 7 June 2019 and became applicable from 28 June 2021. Article 392 of the CRR defines a large exposure as an institution’s exposure to a client or group of connected clients which shall be considered a large exposure where its value is equal to or exceeds 10 percent of its eligible capital (e.g., Tier 1). Where that client is an institution or where a group of connected clients includes one or more institutions, that value shall not exceed 25 percent of the institution’s eligible capital or EUR 150 million, whichever the higher, provided that the sum of exposure values, after taking into account the effect of the credit risk mitigation in accordance with Arts 399 to 403, to all connected clients that are not institutions does not exceed 25 percent of the institution’s eligible capital. Financial undertakings report quarterly to CBI/FSA on large exposure in their COREP reporting. The reporting consists of an overview of large exposures, i.e., commitments between 10 percent-25 percent of equity, as well as a more detailed overview of each large exposure, with exposures to institutions and unregistered institutions. CBI/FSA regularly monitors the developments of large exposures (exposures over 10 percent of equity) of financial undertakings based on the quarterly reports, risk assessment, risk reporting and during on-site inspections. The Banking Department and credit risk specialists delve deep into bank’s assessment of credit concentration risk (e.g., sectoral, geographic, etc.) as well as take into consideration single counterparty or groups of connected counterparties as part of its overall risk assessment of the D-SIB. Article 393 of the CRR states that an institution shall have in place internal control systems where all large exposures and their changes are documented. Article394 stipulates the reporting requirements (available in Annex IX Instructions on large exposures, amounts exempted (column 320 in the reporting template (Article 400 of the CRR) where a competent authority may fully or partially exempt certain exposures from the large exposure limits. CBI/FSA, therefore, allows exemptions according to item a) and b) of the previously mentioned paragraph (Article4 of Regulation No. 789/2022). The EU’s large exposure (LEX) framework was subject to a BCBS Regulatory Consistency Assessment Programme (RCAP) regarding the compliance with Basel LEX standard regulations in 202294. The LEX regulations in the EU are assessed as largely compliant with the Basel LEX standards. The three components of the Basel LEX standard (scope and definitions; minimum requirements and transitional arrangements; and value of exposures) are assessed as compliant, largely compliant and compliant, respectively. The overall grade is driven by a potentially material finding related to the limit applicable to trading book exposures and nine findings that were deemed not material. For trading book exposures, the EU regulations allow for the LEX limit to be exceeded up to 600% of a bank’s Tier 1 capital while the Basel LEX framework sets a 25% limit. If an EU bank does utilize the excess limit, it must report the breach to the national competent authorities and hold additional capital. EU banks assessed a spart of the RCAP were found to have not utilized this 600% of a bank’s Tier 1 capital. This deviation from the Basel framework is not considered material for Icelandic banks as total trading book assets for all Icelandic banks represented approximately 8 percent of total assets as at Q3 2022 with an average 3 year duration. Article 77(a) of Act No. 161/2002 states that a financial undertaking shall operate secure risk management systems regarding all of its operations. Article 17(a) of Act No. 161/2002 states that financial undertakings shall submit to the CBI/FSA’s credit registry information on all debtors owing gross ISK 300 million or more, as a single counterparty or as a group of connected counterparties. The registry is updated each month and reported to CBI. In the past all financial undertakings report exposures over ISK 300 million monthly, however recently, CBI/FSA has received newly requested credit registry data from the banks for all loans with additional detail on collateral. The validity of the data entered into the registry, including an overview of the bank’s IT system to produce this data, is checked as a part of CBI/FSA’s on-site inspections program. In general, CBI/FSA has not carried out in-depth on-site inspections/reviews of bank’s information systems that identify and aggregate risk, management of such exposures. However, the Banking Department together with the credit risk specialists closely monitor bank’s exposures as part of its quarterly risk assessment, risk reporting, discussions with senior management and analysis and assessment of D-SIB’s credit risk concentration exposures/stress testing as part of the ICAAP submissions/discussion. In 2019, CBI/FSA’s on-site inspection team carried out a “thematic review” at all D-SIBs focusing on, among other things, the large exposures (a few large exposures were examined at each D-SIB). See EC3 for more details. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that a bank’s risk management policies and processes establish thresholds for acceptable concentrations of risk, reflecting the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff. The supervisor also determines that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI/FSA’s on-site inspection team undertook a thematic credit review on the valuation of 3-5 large exposures at each D-SIB in 2019 (as outlined above in EC2). The purpose of the reviews was to determine: if bank’s provisioning practices were adequate, for one bank, the inspectors took one exposure that was presented to the bank’s BOD to test whether the internal governance was adequate and whether the BOD’s decisioning was based on adequate data presented, and the last bank had 5 large exposures reviewed for an assessment on whether adequate lending procedures were utilized by the bank. CBI/FSA’s Supervisory Handbook part 030 Risk Assessment-Risk management and controls - Internal control framework details what the supervisor should be determining with respect to adequate limits for concentration risk as well as relevant skills, systems and methodologies for identifying and measuring credit concentration risk, including whether the reporting by banks of concentration risk to management is appropriate. CBI/FSA, through its quarterly monitoring of prudential data, risk assessment and risk reporting to CBI’s senior management, includes an overview and assessment of credit concentration risk and an overview of large exposures, including connected clients (this information obtained through the credit registry). In general, all three D-SIBs have a very few number (less than 5) of large exposures (that is, exposures greater than 10 percent of regulatory capital) to single counterparties or groups of connected counterparties. Assessors recommend that on-site inspections, when carried out on a risk basis, should undertake a thorough review of bank’s policies, procedures and practices regarding credit concentration risk and large exposures to determine if bank BODs are kept adequately informed, that thresholds established by the BOD (risk appetite) are adhered to by senior management of the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
CBI/FSA’s SREP process looks at several facets of credit concentration risk, including indirect risk (other financial institutions and unregulated financial institutions), singlename, sector, geographical, collateral and product (data obtain quarterly from FINREP), specifically:
Each of these credit concentration risks are explicitly discussed with the bank risk specialists during the annual meetings regarding CBI/FSA’s assessment of bank’s ICAAP reports. Further information on credit concentration risk is obtained from the bank’s Pillar 3 reports for more information. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
In respect of credit exposure to single counterparties or groups of connected counterparties, laws or regulations explicitly define, or the supervisor has the power to define, a “group of connected counterparties” to reflect actual risk exposure. The supervisor may exercise discretion in applying this definition on a case-by-case basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
CBI/FSA has adopted the CRR into its legislation. Article 4, paragraph 1, sub-paragraph 49 of the CRR, defines the concept of “a group of connected clients” as:
Also, EBA has published Final Guidelines on connected clients (EBA GL 15/2017) that give a more detailed definition on when two obligors should be connected. By subparagraph a) above, when a control relationship exists between two obligors, there is reverse burden of proof. CBI does not exercise discretion in applying this definition on a case-by-case basis as it expects banks to comply with the EBA Guidelines and the CRR. CBI/FSA monitors the group of connected clients and has in the past reviewed when clients were disconnected by a bank. For example, one D-SIB had classified one connection as no longer being connected. In that case the FSA challenged the bank on its reasoning and the bank accepted the FSA’s views. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
Laws, regulations or the supervisor set prudent and appropriate95 requirements to control and constrain large credit exposures to a single counterparty or a group of connected counterparties. “Exposures” for this purpose include all claims and transactions (including those giving rise to counterparty credit risk exposure), on-balance sheet as well as off-balance sheet. The supervisor determines that senior management monitors these limits and that they are not exceeded on a solo or consolidated basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Article 395 of the CRR stipulates that a financial undertaking may not incur an exposure to a client, or a group of connected clients, exceeding 25 percent of its own funds. Exposures include all claims and transactions, on-balance sheet as well as off-balance sheet, cf. Article 390 of the CRR. Article 393 of the CRR stipulate that the procedure for the evaluation of concentration risk management, “institution [...] shall have adequate internal control mechanism for the purpose of identifying, managing, reporting and recording all large exposures”. CBI/FSA’s Supervisory Handbook - 030 Risk Assessment - Risk management and controls - Risk identification, measurement, management, monitoring and reporting. Measurement and monitoring of concentration risk limits is considered as part of regular monitoring and the SREP process. The banks have internal risk dashboards (risk reports) which include the legal limits on concentration risk, and generally, also their own internal limits. These risk dashboards goes to the senior management and BOD monthly. These dashboards generally include figures or tables, summarizing the risk and compliance of the banks. These always include a list of the large exposures. CBI/FSA receives a copy of these dashboards and incorporates the results into its quarterly risk assessment/risk report if relevant - limits are monitored on a solo and consolidated basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programs for risk management purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
CBI/FSA utilizes EBA GL on institution’s stress testing, as well as guidelines published by the FSA in 2015, entitled Domestic Guidelines no 2/2015 on Stress Testing. Chapter 6.2.2 of EBA GL 2014/13 describes how concentration risk, including significant risk concentrations, should be taken into consideration as part of bank’s stress testing programs for risk management purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Additional Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
AC1 |
In respect of credit exposure to single counterparties or groups of connected counterparties, banks are required to adhere to the following:
Minor deviations from these limits may be acceptable, especially if explicitly temporary or related to very small or specialized banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re AC1 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 19 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Although the CBI/FSA is of view that it has adopted Basel standards regarding large exposures (LEX), with the transposition of the EU framework into Iceland’s banking legislation, there are some deviations from the Basel standards. In the EU, the LEX requirements were first introduced through Regulation (EU) No 575/2013, and then amended for improved alignment with the Basel LEX framework through Regulation (EU) 2019/876, supplemented by a series of acts adopted by the EC and Guidelines issued by the EBA. The amendment to LEX requirements was published on 7 June 2019 and became applicable from 28 June 2021. The EU’s large exposure (LEX) framework was subject to a BCBS Regulatory Consistency Assessment Programme (RCAP) regarding the compliance with Basel LEX standard regulations in 202296. The LEX regulations in the EU are assessed as largely compliant with the Basel LEX standards. For trading book exposures, the EU regulations allow for the LEX limit to be exceeded up to 600% of a bank’s Tier 1 capital while the Basel LEX framework sets a 25% limit. This deviation from the Basel framework is not considered material for Icelandic banks as total trading book assets for all Icelandic banks (e.g., mostly the DSIBs) represented approximately 8 percent of total assets as at Q3 2022 with an average 3 year duration. CBI undertakes considerable assessment off-site of bank’s concentration risk as part of the SREP ICAAP review. However, CBI/FSA should undertake a thorough review of bank’s policies, procedures and practices regarding credit concentration risk and large exposures to determine if bank BODs are kept adequately informed, that thresholds established by the BOD (risk appetite) are adhered to by senior management of the bank and whether bank’s information systems adequately identify and aggregate risk concentrations and large exposures. Further, CBI/FSA needs to ensure that banks have adequate limits in place to monitor and track exposures. Some of bank’s risk reports embed tracking of concentration risk limits but assessing banks risk management processes in practice would provide additional assurance. This type of review should be incorporated into CBI/FSA’s on-site inspection program (especially for the D-SIBs), on a risk basis supervisory cycle. CBI should contemplate issuing guidance on concentration risk to ensure banks know and understand CBI’s expectations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 20 |
Transactions with Related Parties In order to prevent abuses arising in transactions with related parties97 and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties98 on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws or regulations provide, or the supervisor has the power to prescribe, a comprehensive definition of “related parties”. This considers the parties identified in the footnote to the principle. The supervisor may exercise discretion in applying this definition on a case-by-case basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
CBI’s Rule No. 247/2017 on the facilities of a financial undertaking to relational parties Chapter 1 (Sec 2) on Definitions, defines Relational Parties as follows: Related parties according to established accounting principles cf. the Act on Annual Accounts, including directors, managing directors, key employees, those who have qualifying holdings in the Company, their close family members and persons in close contact with the aforementioned parties. Related parties may also include other parties who the FSA assess as having a direct or related interest in the activities of the financial undertaking. Further Article 29(a) (paragraph 2) of Act 161/2002 also outlines additional legislative requirements for banks to comply with related parties (see EC2 below). CBI/FSA’s definition of relational parties needs to be broader not only to include (beyond what was mentioned in the previous paragraph) qualified holdings in the company, but to extend the definition to the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, as per the footnote attached to the overall description of Principle 20 to comply with the Basel Standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
Laws, regulations or the supervisor require that transactions with related parties are not undertaken on more favorable terms (e.g., in credit assessment, tenor, interest rates, fees, amortization schedules, requirement for collateral) than corresponding transactions with non-related counterparties.99 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Article 6 of Rules no. 247/2017 stipulates that transactions with related parties must be on an arm’s length basis and equal to similar transactions with non-related parties. However, Article 29 (a)(paragraph 2) of 161 states that a financial undertaking may not grant a board member, managing director, key employee or party who owns a qualifying holding in it, and close family members or parties closely connected to the aforementioned parties, loans or other credit except against secure collateral. Credit is to be understood as loans, securities assets, holdings, guarantees provided by a financial undertaking, derivative contracts and other obligations towards a financial undertaking or loans to third parties secured by financial instruments issued by one or more parties who have a qualifying holding in it, or their close family members or parties closely connected to them. The total of loans and other credit facilities that may be granted to each person and close family members and persons closely related to them as provided for in the first sentence may not exceed a maximum of ISK 200 million taking into account the restrictions [set in Part 4 of Regulation (EU) no. 575/2013]. Transactions between a financial undertaking and the owners of qualify holdings, board members and immediate family members, or parties closely related to them, shall be subject to the same rules as transactions with ordinarily customers in similar transactions. Further, transactions of managing directors and key employees with the financial undertaking are governed by the second paragraph of Article57 of Act No. 161/2002. The limitation of the first sentence on loans or other credit facilities does not apply to loans to owners of qualifying holdings if the owner of the qualifying holdings is the state or a municipality. A loan or credit facility as provided for in the first sentence does not include deposits owned by another financial undertaking. Although state owned exposures are exempted, financial supervisors track the total state exposures for each D-SIB on a quarterly basis (credit registry report). Given the shareholdings by the state of three the D-SIBs, assessors recommend that CBI/FSA track closely the total outstanding loans to the state and that this information is provided up through to CBI/FSA senior management. As per the Basel definition and highlighted in the footnote attached to Principle 20, related party transactions should include on-balance sheet and off-balance sheet credit exposures and claims, as well as dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction should be interpreted more broadly to incorporate not only transactions that are entered into with related parties but also situations in which an unrelated party (with whom a bank has an existing exposure) subsequently becomes a related party. Assessors are of the view that CBI/FSA’s definition of a related party transaction is not broad enough to encompass the definition described in the previous paragraph. Further, CBI/FSA needs to assure itself that banks’ policies, procedures and procedures reflect this definition adequately. Moreover, CBI needs to reassess the appropriateness of excluding the limitations pertaining to “the state” given the current shareholdings in the some of the D-SIBs. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor requires that transactions with related parties and the write-off of related-party exposures exceeding specified amounts or otherwise posing special risks are subject to prior approval by the bank’s Board. The supervisor requires that Board members with conflicts of interest are excluded from the approval process of granting and managing related party transactions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Financial institutions are obliged to report on transactions with related parties to CBI, and CBI/FSA reviews EA reporting on related party transactions. Related party transactions are reported to CBI/FSA on a semi-annual basis. Article 55 of Act 161 stipulates that the board of directors of a financial undertaking may not involve itself in decisions on individual transactions, unless their scope is substantial in relation to the size of the undertaking. Individual board members must not involve themselves in decisions on individual transactions. More specifically, paragraphs 2 and 3 of Art. 55 state that: Directors of a financial undertaking may not be involved in handling a question if it concerns: 1. dealings with themselves or undertakings where they are directors, hold responsible positions or in other respects have substantial interests at stake, or 2. dealings with competitors of the parties referred to in Point 1. The same shall apply to dealings with parties personally or financially connected to directors. The Act also establishes that “Commercial transactions of board members, and of undertakings where they hold responsible positions, must be placed before the board of the financial undertaking, or the chair of a company’s board, for approval or refusal. The board of a financial undertaking may, however, adopt general rules on handling of such cases, prescribing in advance what business proposals require, or do not require, special discussion by the board before they can be dealt with” Further, Article 57 (paragraph 1) of Act No. 161/2002 stipulates that an agreement by a financial undertaking concerning loans, guarantees, options or similar dealings with board members, a managing director, and close family members, shall be subject to the approval of its board. Any decision to such effect must be recorded and notified to the FSA. Risk management and control requirements are stipulated in article 9 of the Rules, and institutions must clearly document all transactions with related parties, so that they can be monitored. Institutions are obliged to review transactions to related parties at least annually. Assessors noted that Act No. 161/2002 does not explicitly state that the BOD should review related party transactions over a certain threshold nor to be involved in the approvals process for a transaction with risks posed from related parties. Assessors recommend that CBI/FSA put requirements in place to ensure the BOD is involved, when necessary, with specific thresholds of related party transactions as well as certain of these transactions pose a special risk to the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that banks have policies and processes to prevent persons benefiting from the transaction and/or persons related to such a person from being part of the process of granting and managing the transaction. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Article 6 of Rules No. 247/2017 stipulates that transactions with related parties must be on an arm’s length basis and equal to similar transactions with non-related parties. There are no general rules or requirements that persons benefiting from transactions be excluded from granting and managing the transaction, except for board members, as described in EC 3. In supervisory reviews of loan portfolios, when the authority encounters situations where, for instance, a loan officer is involved in a transaction with a related party, a comment is made to the bank to review its internal credit risk policies and processes. Assessors recommend that CBI/FSA require banks to have updated policies and procedures to specifically deal with the granting of related party transactions to ensure that persons related to the party/person from being part of the process of granting and managing the transaction. Assessors further recommend that once CBI/FSA clarifies its prudential requirements (including a broader definition of both a related party and a related party transaction) with respect to related party transactions, that a risk based onsite, or off-site inspection be carried out to confirm bank’s compliance with these requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
Laws or regulations set, or the supervisor has the power to set on a general or case by case basis, limits for exposures to related parties, to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. When limits are set on aggregate exposures to related parties, those are at least as strict as those for single counterparties or groups of connected counterparties. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
The law only sets limits to and requires secure collaterals of related parties, as described in Article 29(a) of Act no. 161/2002 and Rules No. 247/2017. CBI/FSA has the power to reduce exposures or increase capital requirements for exposures that the authority deems insufficiently accounted for from a provisioning perspective. Assessors recommend that CBI/FSA implement the requirement for banks to set limits on aggregate exposures to related parties that are at least as strict as those for single counterparties or groups of connected counterparties. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor determines that banks have policies and processes to identify individual exposures to and transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process. The supervisor determines that exceptions to policies, processes and limits are reported to the appropriate level of the bank’s senior management and, if necessary, to the Board, for timely action. The supervisor also determines that senior management monitors related party transactions on an ongoing basis, and that the Board also provides oversight of these transactions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
CBI expects banks to have policies and processes to identify individual exposure to and transactions with related parties according to Rules No. 247/2017. Risk management and control requirements are stipulated in Article 9 of these same Rules, and institutions must clearly document all transactions with related parties, so that they can be monitored. Institutions are obliged to review transactions to related parties at least annually. Assessors noted that CBI/FSA have not undertaken independent on-site inspections that focus on related party transactions, whether such transactions are regularly reported to senior management and the Board and whether exceptions to such policies, processes and limits are reported and tracked on a timely basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor obtains and reviews information on aggregate exposures to related parties. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
The supervisor obtains and reviews information on aggregate exposures to related parties. Reports on both aggregate exposures and transactions, as well as reports from EAs on transactions with related parties, are sent to CBI semi-annually. The supervisor obtains and reviews information on aggregate exposures to related parties as defined in Rule No. 247/2017. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 20 |
Materially Non-Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
CBI/FSA’s definition of related parties needs to be broader not only to include qualified holdings in the company, but to extend the definition to the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, to comply with the Basel Standards. Further, such definition should not exclude some parties (e.g., state or public entities). Further, CBI/FSA’s definition of a related party transaction is not broad enough to capture related party transactions that include on-balance sheet and off-balance sheet credit exposures and claims, as well as dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs (in line with Basel requirements). In addition, CBI/FSA should require bank Boards to review and approve related party transactions over a certain threshold (specified by the bank Boards) as well as undertaking deeper supervisory reviews to determine if banks’ policies and processes in fact prevent persons from benefiting from such transactions and/or persons related to such a person from being part of the process of granting and managing the transaction. Moreover, CBI/FSA should require banks to set limits on the aggregation of total exposures to related parties and that such limits are at a minimum as strict as those for single counterparties or groups of connected counterparties. Given three of the DSIBs are either state owned or have a significant interest in the bank, it would be appropriate to monitor aggregate exposures to the state for these banks, as these loans are normally exempt. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 21 |
Country and Transfer Risks The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk100 and transfer risk101 in their international lending and investment activities on a timely basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor determines that a bank’s policies and processes give due regard to the identification, measurement, evaluation, monitoring, reporting and control or mitigation of country risk and transfer risk. The supervisor also determines that the processes are consistent with the risk profile, systemic importance and risk appetite of the bank, take into account market and macroeconomic conditions and provide a comprehensive bankwide view of country and transfer risk exposure. Exposures (including, where relevant, intra-group exposures) are identified, monitored and managed on a regional and an individual country basis (in addition to the end-borrower/end-counterparty basis). Banks are required to monitor and evaluate developments in country risk and in transfer risk and apply appropriate countermeasures. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Act No. 161/2002, article 77(a) includes general requirements on risk management policies and frameworks expected from banks which cover all potential risk domains to which banks may be exposed, including country risk and transfer risk. Nevertheless, these risk domains are not explicitly covered by specific provisions in the Act. CBI refers to the EU regulation (CRR) which has been incorporated in Act No. 161/2002, specifically on provisions relating to risk-weighting of sovereign exposures, based on country ratings, for calculating capital adequacy requirements. Yet such legal references are not directly pertaining to country risk nor transfer risk, about which there is no specific binding regulation applicable to banks. CBI mentions that banks’ credit policies and procedures are expected to cover country risk and transfer risk associated with lending and other transactions. But guidelines and supervisory documentation don’t address these risk domains explicitly nor systematically. SREP methodologies pointed out by CBI in that regard (for instance, Annex 1 on supervisory benchmarks for the setting of Pillar 2 additional own funds requirements for credit and concentration risk, Sections 2.8 and 3.3) are not very specific nor relevant to country risk and transfer risk. CBI has not issued rules on prudential country exposure limits nor provisioning on high-risk countries which may increase default risk. CBI rules No. 412/2022 on reporting requirements and limits to exposures in currency derivatives, articles 4 and 5, set limits and reporting requirements on FX/ISK derivatives, which topic is not directly related to country risk nor transfer risk: https://www.stjornartidindi.is/Advert.aspx?RecordID = 50f16bd0-5b12-4d5d-b2cb-11306fcfc1df (in Icelandic only). CBI mentions these rules which state that FX/ISK derivatives transactions of commercial banks against each counterparty shall not have a book value (positive or negative) that is more than 10 percent of capital. Commercial banks shall not have a gross forward currency position that is higher than 50 percent of capital. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that banks’ strategies, policies and processes for the management of country and transfer risks have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Given the unclear regulatory framework on country risk and transfer risk, CBI lacks an explicit supervisory strategy on country risk and transfer risk, aimed at capturing banks’ exposures to such risks and implementing tailored and risk-based supervisory policies, quantitative and qualitative prudential requirements, and monitoring of country risk and transfer risk. CBI indicates that, as with all key risk areas, the methodology for risk assessment of banks, including their risk management and control, is outlined in internal procedures, that is the CCQ quality manual. Credit risk assessment in SREP would include risk management of all exposure types, including country and transfer risk. Yet no evidence of CBI’s off-site supervision and on-site inspection on country risk and transfer risk has been provided. CBI mentions that such risks are not material for Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that banks have information systems, risk management systems and internal control systems that accurately aggregate, monitor and report country exposures on a timely basis; and ensure adherence to established country exposure limits. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
As a consequence of the supervisory strategy described in CP21 EC1, CBI does not effectively assess banks’ IT systems dedicated to country risk and transfer risk, from a risk management perspective. Banks are required to report geographical breakdown of non-domestic exposures in accordance with reporting requirements in European regulation No. 680/2014 (FINREP and COREP). Banks are also required to monthly report detailed information in the credit registry on all loans, securities, and derivatives, for which counterparties are not natural persons. Residency of each counterparty is included in reporting requirements. CBI has disclosed a list of countries that are considered as risky and non-cooperative, from a specific AML/CFT perspective: https://www.fme.is/eftirlit/eftirlit-med-adgerdum-gegn-peningathvaetti-og-fjarmognun-hrydjuverka/ahaettusom-og-osamvinnuthyd-riki/ (in Icelandic only). This list is not used for the supervision of country risk and transfer risk, from a risk management perspective. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
There is supervisory oversight of the setting of appropriate provisions against country risk and transfer risk. There are different international practices that are all acceptable as long as they lead to risk-based results. These include:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
The regulatory and supervisory framework does not explicitly require specific provisioning of exposures to country and transfer risks. CBI expects banks to set sufficient provisioning levels covering all expected losses, including on international exposures, in accordance with applicable accounting standards and EBA guidelines on accounting for expected credit losses. The level of provisions, stage allocation and coverage ratios are regularly reviewed by supervisors to ensure that provisions and reserves are consistent with current expectations of credit losses. CBI has in place analytical tools with historical provision levels, stage allocation, and coverage ratios which can be compared between institutions. The analytical tool for loans to companies, which is based on the credit registry, provides granular information. Supervisors can monitor impairments, IFRS 9 stage allocation, etc., on a borrower level and on a loan-by-loan basis. Since non-domestic loans are mostly granted to companies, supervisors can access information on provisioning levels, etc. regarding foreign borrowers. Yet CBI has not demonstrated a specific monitoring of country risk and transfer risk. Such situation should be assessed in light of CBI’s view that country risk is considered insignificant for banks. Overall bank loans to customers located outside Iceland are less than 5 percent of total loans to customers. The ratio of non-domestic exposures to total exposures, was about 6.2 percent (2.4 percent on USA) at end-June 2022 for commercial banks (source: CBI). Regulated credit institutions other than D-SIBs have very limited exposures abroad. In response to a question on Icelandic banks’ exposure to Russia and allied countries, in the context of the war in Ukraine, CBI answered that banks’ exposures to Russia, Ukraine, and Belarus are almost non-existent, in total around ISK 7 million. Exports to Russia and Ukraine are less than 1.5 percent of total exports, therefore direct impact on credit risk towards export companies is considered quite limited. One of the banks has however lent to a company in the Faroe Islands, up to ISK 1.6 billion. This company has been placed on the bank’s watchlist, due to Russia’s invasion of Ukraine and market uncertainties for fish sales. About 49 percent of the debtor’s revenues come from trading with Russia. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor requires banks to include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
For the purpose of stress testing focusing on country risk and transfer risk, CBI follows EBA guidelines No. GL 2018/04 on institutions’ stress testing, as well as CBI guidelines No. 2/2015 on stress testing. Yet in EBA guidelines, Section 4.7.7 pointed out by CBI is not relating to country risk nor transfer risk. According to Chapter 6 of CBI guidelines, CBI should review whether banks’ stress tests, on a consolidated basis, reflect non-domestic banks activities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor regularly obtains and reviews sufficient information on a timely basis on the country risk and transfer risk of banks. The supervisor also has the power to obtain additional information, as needed (e.g., in crisis situations). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
According to CBI, country risk to foreign borrowers has been limited for recent years. Should risk towards certain countries increase, for example due to economic situations, increased risk for every material risk category would be assessed, as soon as necessary, or when the SREP is performed. CBI has legal power to obtain additional information as needed. In crisis situations, banks must provide CBI with all necessary data that CBI may request to be able to update banks’ resolution plan and assess banks’ assets and liabilities and its possible resolution procedure. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 21 |
Materially Non-compliant. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Though country risk and transfer risk are not identified as significant risk domains to which Icelandic banks are exposed, the applicable legal and regulatory framework applicable to banks relating to prudential requirements on risk management of country risk and transfer risk, as well as supervisory policies and processes implemented by CBI regarding these risk domains, are not clearly structured. Therefore, CBI should clarify prudential requirements and structure a supervisory strategy on country risk and transfer risk, aimed at implementing tailored and risk-based supervisory policies, quantitative and qualitative prudential requirements, and effective monitoring of country risk and transfer risk, though considering proportionality for Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 22 |
Market Risk The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require banks to have appropriate market risk management processes that provide a comprehensive bank-wide view of market risk exposure. The supervisor determines that these processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank; take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity; and clearly articulate the roles and responsibilities for identification, measuring, monitoring and control of market risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Act No. 161/2002, article 77(a) includes general requirements on risk management policies and frameworks expected from banks which cover all potential risk domains to which banks may be exposed, including market risk. In addition, article 78(e) includes specific requirements on risk management of market risk which constitute a legal base for supervision of banks’ market risk management policies and frameworks, from a qualitative risk management perspective, in addition to capital adequacy requirements on market risk which are out of scope of CP22 but relate to CP16 on capital adequacy. According to Act No. 161/2002, banks shall operate secure risk management system for all activities and internal processes. Banks must have in place policies and processes to identify, measure, and manage all significant factors that cause market risk and its effects. Yet legal provisions of Act No. 161/2002 remain quite generic on market risk. For the purpose of regulation and supervision of market risk, with a risk management perspective, CBI refers to more detailed EU legislation and EBA guidelines that are incorporated in Icelandic law, as already described. Such incorporation is made explicit in Act No. 161/2002, notably in article 1 (c), and articles 117 to 117(b). Therefore, banks must adhere to the following EBA guidelines, at least theoretically:
Regarding foreign exchange (FX) risk, CBI has issued rules No. 784/2018, requiring systemically important banks to limit FX positions in each foreign currency up to 10 percent of capital. Their overall FX position is limited to the same percentage of capital, as well as to a fixed maximum amount of ISK 25 billion. For non-systemically important institutions, these FX limits are slightly higher (up to 15 percent). CBI has implemented a specific framework to calculate Pillar 2 capital requirements on market risk, in addition to regular Pillar 1 capital requirements on market risk exposures: https://en.fme.is/media/vidmid-fme/Annex 2.pdf, as mentioned under CP16 EC1. CBI has issued a regulation No.1592 which sets a ceiling to the total capital requirement for market risk-related activities. Total capital requirements for (i) traded-debt instruments, (ii) equities in the trading book, (iii) equities in the banking book, and (iv) loans where the repayment is dependent on the value of equities or bonds, cannot exceed 15 percent of capital. Higher risk exposure would be deemed excessive by CBI which would require banks to lower the risk. According to CBI, no infringements have been observed. CBI has created a handbook for market risk monitoring and assessment. This handbook is for internal use only. A part of the handbook deals with risk management and control aspects, and it develops details on how to assess whether banks comply with applicable regulation and SREP guidelines. The handbook also details how quarterly regular monitoring is performed, as well as the yearly capital requirement assessment. The third part of the handbook details how a risk rating (1 -4) is calculated for market risk. The methodology considers both quantitative and qualitative aspects, as well as macroeconomic conditions, and it is forward-looking. Banks are subject to close off-site supervision, involving thorough technical support of the single risk specialist in charge of market risk within the Banking department. Yet CBI may be exposed to a significant “key-person” risk, as well as to limited capacity to implement effective supervision thoroughly through on-site inspections, as far as banking supervision of market risk is concerned: (i) this risk specialist covers other risk domains and categories of regulated financial institutions; (ii) this risk specialist does not participate to on-site inspections of banks anymore (he was involved in the latest on-site inspections of market risk that were performed in 2018, and he participated to targeted supervisory meetings on market risk with banks until 2019 before the CBI/FSA merged). From BCP assessors’ viewpoint, this potential source of concern about supervisory human resources should be addressed globally, considering overall CBI needs of staffing and expertise for banking supervision, risk-based supervisory priorities, and proportionality. Off-site supervisors review banks’ market risk reports. Benchmarks used by CBI for Pillar 2 evaluation of additional capital requirements look prudent. For example, CBI benchmark for equities in the trading book has resulted in capital requirements in excess of 80 percent of the average position on equities, in some cases. Yet the scope of on-site bank inspections performed by CBI for the last five years has not covered market risk frequently nor comprehensively nor thoroughly. A thematic inspection was performed in 2018 on the management of the trading book. CBI has not developed on-site inspections of global market risk management frameworks in the banking sector. Therefore, the coverage of this risk domain throughout a reasonable multi-year on-site supervisory cycle is inadequate. Market risk is also subject to macroprudential surveillance by the Financial Stability department and the Financial Stability Council when deciding macroprudential measures. Such surveillance has been left out of the scope of the BCP assessment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that bank’s strategies, policies and processes for the management of market risk have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Act No. 161/2002, article 54(a) on the board’s role in risk management, includes a generic requirement applicable to all risk domains about the requested involvement of banks’ boards in risk management. In that regard, the board of directors in each bank shall approve the risk policy, risk appetite, and implementation of risk management, and it shall ensure that internal risk management procedures, risk-taking, risk mitigation, and other risk management-related issues are reviewed at least once a year. The involvement of the board of directors in setting and monitoring the bank’s market risk management framework is partly determined through CBI’s annual SREP process, by reviewing risk reports to the board of directors as well as other available information. The main objective of ICAAP reports, subject to the SREP process, is to ensure that banks’ boards, as well as senior management, understand banks’ market risk profile, and that there is a system in place to assess, quantify, and monitor banks’ market risk exposures. CBI requires that each bank’s board endorse the business plan, the business policy, and the risk policy inherent in the ICAAP report, as well as the whole ICAAP report. CBI off-site supervisors verify that market risk policies are approved by banks’ boards. Several times a year, CBI requests and reviews banks’ risk reports and risk dashboards on market risk that are presented to banks’ boards and senior management. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
By reviewing regulatory reports (COREP, FINREP), as well as other reports (CBI market risk data report, financial statements, internal risk reports to the board, etc.), CBI off-site supervisors remotely assess the quality of banks’ information systems, internal monitoring, and reporting of market risk. Concretely, supervisors discuss major banks’ internal reporting tools and dashboards during their annual SREP, and they review their internal models dedicated to market risk management, yet CBI/FSA has not performed on-site inspections of banks on market risk for long. Therefore, the accuracy and reliability of banks’ IT systems on market risk management have not been verified thoroughly. An overview of banks’ portfolios and risk limits for market risk positions is included in CBI market risk data report, and is discussed with banks, as well as exception tracking. This data report is used by CBI for data integrity checks, as well as for inputting data into VaR models for capital requirement calculations. Major banks use in-house internal models for the purpose of market risk measurement and management. In some cases, banks use VaR or Monte Carlo models for market risk management and/or ICAAP. Based on desk reviews and discussions with banks made during the SREP (but not on on-site inspections), CBI/FSA off-site supervisors analyze banks’ internal market risk management models and may challenge their results. Yet, as mentioned under CP16 EC5, capital adequacy requirements on market risk are not based on IRB models, because major banks have not applied nor been authorized to use such IRB models for regulatory purpose. Whenever a bank introduces a new internal market risk management model or makes changes to existing models, this is reviewed by CBI market risk specialist and discussed in detail with the bank’s model developers. Back-testing and “sanity checks” are a material aspect of such review. As there are only 3 major banks in Iceland, and given that CBI has its own benchmark model on market risk, banks’ model effectiveness and suitability is frequently discussed with banks. As previously mentioned, on-site bank inspections are not regularly conducted by CBI to assess the appropriate implementation of regulations and guidelines on market risk management. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that there are systems and controls to ensure that banks marked-to-market positions are revalued frequently. The supervisor also determines that all transactions are captured on a timely basis and that the valuation process uses consistent and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market prices, internal or industry-accepted models). To the extent that the bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking businesses units. The supervisor requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Banks are required to operate in accordance with EU regulation (CRR), article 105, that sets out provisions on prudent valuation, and regulation (EU) 2016/101 on regulatory technical standards for prudent valuation, article 105 (14). Banks use market price information disclosed by external data providers (Reuters, Bloomberg, and Kodiak). Data are supplied to banks’ front-office and back-office systems and used for end-of-day revaluation of market operations. CBI requires banks to report (CBI market risk data report) all end-of-day positions for equities, traded debt instruments, and derivatives in the trading book. Revaluation rates and end-of-day profit for each instrument re included. Rates mentioned in banks’ reports are then compared with historical end-of-day rates that CBI gets from third party market data vendors. Banks rely on modeling only for rare equity positions in the banking book, as well as for options. Option models rely on third party software, such as Kondor, Murex, and Fenix. Banks’ internal auditors review internal models and report to banks’ boards as well as CBI. CBI reviews all positions in the trading book as well as all equity positions in the banking book with regards to whether the valuation is prudent and liquid. Only listed securities are allowed to be classified in banks’ trading books. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor determines that banks hold appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
As mentioned under CP22 EC4, banks are required to operate according to EU regulatory technical standards on prudent valuation. On a yearly basis, banks evaluate their capital requirements for market risk through the ICAAP, while CBI does the same using its own benchmarks and data from COREP and CBI market risk data reports, which include information on the valuation of each equity in the banking book, as well as daily information on each position in the trading book. The valuation of each less liquid position is reviewed by CBI. Subsequent supervisory dialogue with banks leads to an updated Pillar 2 capital requirement for market risk, which banks may discuss, but must implement in the end of the discussion at CBI’s request. CBI’s data, dashboards, and supervisory tools on banks’ market risk exposures are in Icelandic only. According to CBI, banks’ sources of market risk are primarily of client-driven nature. Most significant sub-categories of market risk are securities-price risk, exchange-rate risk, and interest-rate risk. Credit-valuation-adjustment (CVA) risk is low. Banks mostly trade in equities on the Icelandic stock exchange market (90 percent), and occasionally on European or American stock exchanges. Overall positions in banks’ trading book are rather small. Bonds held by banks are mostly government bonds. Banks do use forward and swap instruments, as well as, in some cases, options on currencies, equities, and bonds. In most cases, banks try to close price risk. CBI has reported that no Icelandic bank owns any kind of crypto asset. According to CBI, capital requirements (Pillar 1 and Pillar 2) on market risk for banks are dispatched among equity risk (51 percent), exchange rate risk (29 percent), interest rate risk (18 percent), and CVA risk (2 percent). Regarding savings and loans institutions, market risk capital requirements only cover exchange rate risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor requires banks to include market risk exposure into their stress testing programs for risk management purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Banks are required to operate in according to EBA guidelines on institutions’ own stress testing framework (EBA/GL/2018/04), which include requirements on stress testing of market risk exposures as part of overall stress testing programs. Furthermore, CBI has issued specific guidelines No. 2/2015 on best practices for stress testing: https://www.fme.is/media/leidbeinanditilmaeli/LT-um-bestu-framkvaemd-vid-alagsprof-til-stjornar.pdf (in Icelandic only). Act No. 161/2002, article 77(a) stipulates that all banks must perform regular stress tests and that banks’ board should be provided with their results and outcome at the next meeting after stress test results are available. Banks are required to maintain internal models aimed at implementing the ICAAP, to measure and monitor market risk. As already mentioned, internal models are not designed for calculating regulatory capital requirements under Pillar 1, and therefore they are not formally validated by CBI for this purpose. Banks’ internal models on market risk are however reviewed and challenged by CBI through off-site supervision. Banks are required to provide extensive documentation as well as stress testing outcomes to support their models. Until such information has been provided, CBI will discount the use of results of banks’ models in their ICAAP reports. Yet no on-site inspection of banks’ internal models nor stress tests on market risk has been implemented by CBI so far to investigate these topics directly and more in depth. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 22 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Off-site supervision of market risk has been carefully implemented in recent years with demonstrated technical expertise, including daily monitoring of major banks’ market risk exposures, as well as reviewing banks’ internal models for market risk management, banks’ stress testing process and outcome, and banks’ overall risk management policies and documentation. Yet global effectiveness of banking supervision of market risk may still be upgraded because CBI has not performed any on-site banking inspection covering the overall market risk management framework of major banks comprehensively nor thoroughly. Though the global risk exposure of the Icelandic banking sector to market risk may be considered as rather low compared to credit risk or operational risk, the coverage of this risk domain throughout a reasonable multi-year on-site supervisory cycle is inadequate. In addition, given that CBI has only one risk specialist of market risk, whose mandate is quite larger than banking supervision only, CBI may be exposed to a significant “keyperson” risk, as well as possibly limited human resources and technical expertise on market risk. Therefore, CBI should develop comprehensive and thorough on-site inspections to directly ensure that major banks’ market risk management frameworks and practices are effectively adequate, not only from a quantitative perspective focused on calculating capital adequacy requirements on market risk, but also from a qualitative perspective aimed at verifying the adequate implementation of market risk management. In addition, the potential source of concern about the adequacy of supervisory human resources on market risk should be addressed globally, considering overall CBI needs of staffing and expertise for banking supervision, risk-based supervisory priorities, and proportionality. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 23 |
Interest Rate Risk in the Banking Book The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk102 in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. This includes policies and processes to identify, measure, evaluate, monitor, report and control or mitigate material sources of interest rate risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the risk appetite, risk profile and systemic importance of the bank, take into account market and macroeconomic conditions, and are regularly reviewed and appropriately adjusted, where necessary, with the bank’s changing risk profile and market developments. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Act No. 161/2002, article 77(a) includes general requirements on risk management policies and frameworks expected from banks which cover all potential risk domains to which banks may be exposed, including interest rate risk in the banking book (IRRBB). In addition, article 78(e) includes specific requirements on risk management of interest rate risk arising from non-trading book transactions, which is equivalent to IRRBB. These principles-based legal provisions enable supervision of banks’ IRRBB management policies and frameworks, from a qualitative risk management perspective. According to Act No. 161/2002, banks shall operate sound risk management systems for all activities and internal processes. Banks must have in place policies and processes to identify, assess, manage, and mitigate risks due to possible interest rate changes that affect both the economic value of capital and net interest income from non-trading book transactions. Yet legal provisions of Act No. 161/2002 remain quite generic on IRRBB. For the purpose of regulation and supervision of IRRBB, from a risk management perspective, CBI refers to more detailed EU legislation and EBA guidelines that are incorporated in Icelandic law, as already described. Such incorporation is made explicit in Act No. 161/2002, notably in article 1 (c), and articles 117 to 117(b). Regarding IRRBB, banks must adhere to EBA guidelines on the technical aspects of the management of IRRBB under the supervisory review process (EBA/GL/2018/02), as well as other relevant guidelines and technical standards under the EBA framework, for risk assessment and management purposes. CBI is currently developing a new IRRBB report and benchmark aligned with the upcoming EBA guidelines on IRRBB issued on the basis of Article 84 (6) of EU Directive 2013/36/EU and the related technical standard. CBI has issued guidelines on supervisory benchmarks for the setting of Pillar 2 additional capital requirements for market risk, including a Section 6.1 specific to IRRBB: https://www.fme.is/media/vidmid-fme/Annex-2-2020.pdf. CBI has created an internal handbook manual for IRRBB monitoring and assessment. This handbook is for internal use of banking supervisors only. Part of the handbook deals with risk management and control aspects and includes details how to assess whether individual financial institutions fully comply with applicable regulation and SREP guidelines. The handbook also details how quarterly regular monitoring is performed by CBI, as well as the yearly assessment of banks’ Pillar 2 additional capital requirement on IRRBB. The third part of the handbook details how SREP risk rating (1-4) is calculated for IRRBB. CBI’s methodology considers both quantitative and qualitive aspects of IRRBB, as well as macro-economic conditions, with a forward-looking approach. According to CBI, interest rate risk has always been significant in Iceland, and more material than market risk, in a context of more or less significant inflation persisting. The relative importance of IRRBB for the Icelandic banking sector has increased since end-2021, given the upsurge of high inflation and successive aggressive hikes of interest rates decided by CBI acting as the authority in charge of monetary policy. Banks are largely exposed to inherent IRRBB, given the size of their loan portfolios, including a mix of (i) loans at interest rates indexed or non-indexed on inflation, and/or (ii) loans at fixed or variable interest rates. Such mix of loan pricing methods has been gradually moving, since before end-2021, due to the change of debtors’ attitude regarding interest-rate categories of housing loans. As highlighted by CBI, most housing loans were traditionally long-term index-linked ISK loans, due to availability of long-term index-linked funding (from the pension funds), and recently many such loans have been converted to normal short-term ISK loans. Since 2021, amounts of loans with fixed interest rates (often, 3-5 years at origination) have increased while amounts of indexed loans with variable interest rates have decreased. As non-indexed interest rates have gone down, those loans have become a more realistic option for households in Iceland to minimize their overall cost of interest, and a record number of homeowners have refinanced from indexed to non-indexed loans. The financial environment has dramatically changed and highlighted IRRBB as a risk domain under increased monitoring. As highlighted by CBI for BCP assessors (typos edited): “When it comes to IRRBB Iceland has a peculiarity; since a large portion of Icelandic bonds, loans and deposits are inflation-linked, an additional inflation-linked-ISK currency has been added to the IRRBB calculation, as well as the normal ISK. Since many of the banks model IRRBB with indexation risk, the latter will be included under this principle”. As for market risk, off-site supervision of IRRBB is quite developed and performed on a regular basis by CBI. This risk domain is mostly handled by a single risk specialist, the same person as mentioned under CP22 EC1, with the same concern about possible “key person” risk and limited staffing at CBI on IRRBB too. CBI’s data, dashboards, and supervisory tools on banks’ IRRBB exposures are in Icelandic only. The impact of the change of housing loan practices on banks’ exposures to IRRBB is monitored by CBI, and subsequent supervisory requirements on IRRBB management are adjusted through the SREP (on a yearly basis for major banks). As CBI has highlighted it for BCP assessors (slight typo edits): “The capital requirement for IRRBB and indexation risk is on average almost twice larger than for market risk. The IRRBB due to FX is most often minimal. When it comes to ISK, assets are mostly corporate loans, and since recently housing loans with relatively short maturity (fixing periods for interest rates), due to lack of long-term ISK funding. Traditionally, most housing loans were long term index-linked ISK, due to availability of long-term index-linked funding. Recently, many of them have been converted to normal short-term ISK loans.” Beyond close off-site supervision of IRRBB by the IRRBB risk specialist within the Banking department, there is unclear material evidence of a supervisory action plan implemented by CBI on major banks aimed at checking that risk management policies and frameworks have been adequately upgraded to manage IRRBB under the current volatile interest rate and inflation environment, beyond calculating Pillar 2 additional capital requirements on IRRBB through the annual SREP performed on major banks. In that regard, no thematic on-site inspection on IRRBB management in the banking sector has been performed by CBI for the last 5 years. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that a bank’s strategy, policies and processes for the management of interest rate risk have been approved, and are regularly reviewed, by the bank’s Board. The supervisor also determines that senior management ensures that the strategy, policies and processes are developed and implemented effectively. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Act No. 161/2002, article 54(a), states that banks’ boards shall approve risk policies, risk appetite, and the implementation of risk management. Banks’ boards must ensure that risk management processes, such as risk taking and risk limitation, are reviewed at least once a year. Article 77(a) requires that banks’ boards be adequately informed of risk topics. CBI assesses the involvement of banks’ boards in setting and monitoring IRRBB management processes through the annual SREP process. The main objective of the ICAAP reports, subject to the SREP, is to ensure that banks’ boards and management understand banks’ risk profile on IRRBB, and that there is a system in place to assess, quantify, and monitor banks’ IRRBB exposures. CBI requires that each bank’s board endorse the business plan, the business policy, and the risk policy inherent to the ICAAP report, as well as the whole ICAAP report. Banks’ risk management and policies for IRRBB are reviewed by CBI in the SREP by reviewing risk reports to the board of directors and other available information. Several times a year, CBI requests and reviews banks’ risk reports and risk dashboards, which are regularly presented to the board of directors and the senior management of banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that banks’ policies and processes establish an appropriate and properly controlled interest rate risk environment including:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI reviews regulatory reports (COREP, FINREP) as well as other reports (CBI IRRBB report, financial statements, internal risk reports to board, etc.) to assess the quality of measurement and information systems, as well as internal monitoring and reporting of IRRBB. The ICAAP report includes information on banks’ IRRBB limits which is reviewed on a yearly basis when the Pillar 2 additional capital requirement for IRRBB is determined by CBI. Supervisors examine and discuss internal reporting tools and dashboards of major banks during their annual SREP. They also review their internal models dedicated to IRRBB management. Yet CBI/FSA has not performed on-site inspections of banks on IRRBB for long. Therefore, the accuracy and reliability of banks’ IT systems on IRRBB management have not been verified thoroughly. On supervisory powers of CBI on IRRBB, Act No. 161/2002, article 81 has been modified in 2022 to upgrade requirements to banks on monitoring IRRBB (streamlined excerpt): “In the review and evaluation, the Financial Supervisory Authority shall check the effect of interest rate risk relating to non-trading book items. The Financial Supervisory Authority shall [...] demand changes in the assumptions for assessing the effect of interest rate changes on the economic value of a financial undertaking’s own funds [...], if a sudden and unexpected change in interest rates results in the economic value of the undertaking’s own funds decreasing by more than 15 percent of Tier 1 capital, according to one of the six shock scenarios of the regulator, or in the net interest income of the undertaking decreasing significantly, according to one of the two shock scenarios of the regulator.” On banks’ internal models on IRRBB, Act No. 161/2002, article 78(f), states that (streamlined excerpt): “The Financial Supervisory Authority may require the undertaking to use the standard method if the undertaking’s internal processes are not adequate. The Financial Supervisory Authority may require that a small and non-complex financial undertaking use the standard method if the simplified standard method does not sufficiently meet the interest rate risk due to the undertaking’s non-trading book transactions.” Off-site supervision of IRRBB includes thorough and interactive desk reviews, as well as regular monitoring, that cover most of items listed in EC3, though supervisory tasks are not segregated based on the same five categories. CBI/FSA is using a rigid framework to evaluate IRRBB and indexation risk under Pillar 2 (disclosed as Annex 2 on supervisory benchmarks). Banks’ internal reports on IRRBB are examined and discussed. Asset/liability classifications and maturity estimations are reviewed, as well as risk measurement systems and risk exposure’s limits. The CBI/FSA’s supervisory handbook includes a specific chapter and to-do tasks on supervision of IRRBB. Regular monitoring is performed quarterly, using a detailed methodology that addresses main aspects of IRRBB, such as repricing risk, yield curve risk, basis risk, and option risk, using key risk indicators as well as qualitative assessment criteria on IRRBB risk management. Based on their analytical work and desk review of banks’ dashboard and other materials, CBI/FSA supervisors discuss with banks’ specialists in charge of IRRBB management to challenge banks’ estimates, mitigation measures, and risk management policies. Supervisory benchmarks and conclusions are discussed during SREP meetings. CBI/FSA has not performed on-site inspections of IRRBB management for years. Therefore, CBI/FSA has not verified the accuracy and reliability of IT systems and risk management framework and practices relating to IRRBB thoroughly, in view of doublechecking the assessment resulting from desk reviews made by off-site supervisors. Whenever a bank introduces a new IRRBB internal model or makes changes to an existing model, it is reviewed by CBI risk-specialist on IRRBB and discussed with model developers within the bank. Back-testing and “sanity checks” are included in the review. As there are only 3 major banks, and CBI has its own supervisory benchmark models for IRRBB, model effectiveness and suitability is frequently discussed with the banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor requires banks to include appropriate scenarios into their stress testing programs to measure their vulnerability to loss under adverse interest rate movements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Banks are required to maintain an internal IRRBB model for ICAAP purposes to measure and monitor IRRBB. The model and any changes to the model is reviewed and criticized by CBI, and the banks are required to provide extensive documentation as well as stress testing to support it. Until such information has been provided, CBI will discount the use of the bank’s model in the ICAAP report. Act No. 161/2002, article 77(a) stipulates that banks must perform regular stress tests and that banks’ boards should be provided with their results and outcome at the next meeting after stress test results are available. Banks are also required to operate according to EBA guidelines on institutions’ internal stress testing (GL 2018/04), which include requirements on stress testing IRRBB exposures in overall stress testing programs. Furthermore, CBI has issued own guidelines No. 2/2015 on best practices for stress testing (in Icelandic only): https://www.fme.is/media/leidbeinanditilmaeli/LT-um-bestu-framkvaemd-vid-alagsprof-til-stjornar.pdf). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 23 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Off-site supervision of interest rate risk in the banking book (IRRBB) has been carefully implemented in recent years with demonstrated technical expertise, including daily monitoring of major banks’ IRRBB exposures, as well as reviewing banks’ internal models for IRRBB management, banks’ stress testing process and outcome, and banks’ overall risk management policies and documentation. Yet global effectiveness of banking supervision of IRRBB may still be upgraded because CBI has not performed any on-site banking inspection covering the overall IRRBB management framework of major banks comprehensively nor thoroughly. Given the materiality of IRRBB for the Icelandic banking sector, the coverage of this risk domain throughout a reasonable multi-year on-site supervisory cycle is inadequate. In addition, given that CBI has only one risk specialist of IRRBB, whose mandate is quite larger than banking supervision only, CBI may be exposed to a significant “key-person” risk, as well as possibly limited human resources and expertise in IRRBB. Therefore, CBI should develop comprehensive and thorough on-site inspections to directly ensure that major banks’ IRRBB management frameworks and practices are effectively adequate, not only from a quantitative perspective focused on calculating Pillar 2 additional capital adequacy requirements on IRRBB, but also from a qualitative perspective aimed at verifying the adequate implementation of IRRBB management. In addition, the potential source of concern about the adequacy of supervisory human resources on IRRBB should be addressed globally, considering overall CBI needs of staffing and expertise for banking supervision, risk-based supervisory priorities, and proportionality. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 24 |
Liquidity Risk The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require banks to consistently observe prescribed liquidity requirements including thresholds by reference to which a bank is subject to supervisory action. At least for internationally active banks, the prescribed requirements are not lower than, and the supervisor uses a range of liquidity monitoring tools no less extensive than, those prescribed in the applicable Basel standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
The CBI/FSA have adopted binding liquidity requirements for credit institutions, including the liquidity coverage ratio (LCR) and the net stable funding ratio (NSFR). Although the CBI/FSA is of view that it has adopted Basel III liquidity requirements in the past, with the transposition of the EU framework into Iceland’s banking legislation, however, there exists some deviations from the Basel standards. The EU rules (CRR/CRD) are applicable to all credit institutions, regardless of size or systemic importance or whether the jurisdiction has internationally active banks. Please see below an overview of Iceland’s liquidity requirements for credit institutions, with reference to the BIS BCBS’s RCAP assessments which outline the deviations between the EU rules and the Basel standards as well as assessor’s views on the materiality of these deviations/gaps with respect to the specific jurisdiction of Iceland. The CBI/FSA Rules on Credit Institutions’ Liquidity Ratios, no. 266/2017, took effect on 31 March 2017 and superseded the previous CBI/FSA Rules, no. 1031/2014. The EU adopted Rules for liquidity requirements in 2017 (EU Directive no. 2013/36 (CRD VI) and EU regulation no. 575/2013 (CRR)). The adoption of the CBI/FSA Rules in 2017 harmonized the Icelandic regulatory framework with the current EU framework as provided for in the Commission Delegated Regulation (EU) 2015/61. According to the CBI, these EU Rules are based on the liquidity criteria in the Basel III standards, however, the regulatory framework in the EU pertaining to liquidity, which was adopted by Iceland into its legislative framework, is not necessarily fully compliant with Basel III standards (LCR and NSFR requirements). The EU’s LCR framework was subject to a BCBS Regulatory Consistency Assessment Programme (RCAP) regarding the compliance with Basel III LCR regulations in 2017103. The EU framework was found to be overall largely compliant with the Basel LCR standard, reflecting the fact that most but not all provisions of the Basel standard were incorporated in the EU LCR framework. The RCAP found one material deviation and four potentially material deviations. The material deviation, which is considered relevant for Iceland, is driven by the EU’s boarder definition for HQLA. The HQLA component grade is driven mainly by one material finding. The EU LCR regulations permit the inclusion of certain financial instruments that do not fulfil the HQLA requirements stipulated in the Basel LCR standard. Specifically, the EU recognizes high-quality covered bonds and assets issued by certain EU credit institutions as Level 1 HQLA. By contrast, the Basel LCR standard have a strict definition of Level 1 HQLA, which are limited mainly to instruments such as central bank reserves and 0% risk-weighted sovereigns. Iceland includes covered bonds in its calculation for HQLA and this deviation from Basel LCR standard is deemed by assessors as relevant, meaning not material at this time but could become more material in the future. As at Q3 2022, total covered bonds for all credit institutions included in the HQLA calculation in Iceland, amounted to 63.2 billion ISK, up from 9.5 billion ISK in 2019, representing an increase from 2.1 percent to 11 percent of total HQLA (of note the remaining amount of HQLA is mainly represented of central bank and government securities - Q3 2022: 571.4 billion ISK). The treatment of certain inflows is also less stringent than under Basel, while the opposite is true for some outflows. The four potentially material deviations are related to HQLA Level 2B: EU covered bonds and asset backed securities, definition of operational deposits, treatment of operational deposits and LCR disclosure. The BCBS disclosure standards is based on daily observations when calculating average LCR values, while in Iceland it is based on the simple average of month-end observations over the 12 months preceding the end of each quarter. The EU’s NSFR framework was subject to a BCBS RCAP review by the BCBS regarding Basel NSFR regulations in July 2022104. The EU framework was found to be overall largely compliant with the Basel NSFR standard, reflecting the fact that three of the four components of the Basel NSFR standard (scope, minimum requirements, and application issues; available stable funding (ASF); and disclosure requirements) were assessed as compliant. The remaining component, required stable funding (RSF), was assessed as largely compliant (which took into consideration the cumulative impact of nine “not material findings”). The EU regulations state that unencumbered covered bonds included in Level 1 HQLA as per the EU LCR framework are subject to a 7% RSF. These covered bonds are subject to a 15% RSF under the Basel NSFR Standard as they are classified as Level 2A HQLA for LCR purposes. Given the RCAP assessment found that the average impact of this deviation on the NSFR across the sample banks assessed at that was 0.04%, with a maximum impact on the NSFR of 0.81% for the most affected bank, the impact of this deviation is not considered relevant for Iceland. While the Basel LCR105 is required to be met in one single currency, in order to better capture potential currency mismatches, banks and supervisors should also monitor the LCR in significant currencies (e.g., if aggregate liabilities denominated in that currency amount to 5% or more of the bank’s total liabilities). As the foreign currency LCR is not a standard but a monitoring tool, it does not have an internationally defined minimum required threshold. This will allow the bank and the supervisor to track potential currency mismatch issues that could arise. Commission Implementing Regulation (EU) 2016/322 of 10 February 2016 amending Implementing Regulation (EU) no 680/2014 laying down implementing technical standards with regard to supervisory reporting of institutions of the liquidity coverage requirement, following Article 415(2) of Regulation (EU) no 575/2013, requires separate reporting of the LCR items denominated in a significant currency to all institutions at an individual and consolidated level and on a monthly basis - which Iceland abides by. The CBI/FSA adopted the net stable funding requirements for individual currencies above a specified threshold, referred to as significant currencies. National options have been implemented by the CBI/FSA regarding LCR ISK and LCR FX combined (see below), however no national options have been exercised for the NSFR. The Rules on Liquidity Ratios are intended to ensure that credit institutions always have sufficient liquid assets to cover foreseeable and conceivable payment obligations over a specified period. Regulation (EU) No: 2019/876 (CRR 2) and Directive (EU) 2019/878 (CRD V) of the European Parliament and of the Council entered into force 27 June 2019, however, the application of the provisions (main rules) began 29 December 2020 (CRD V) and 28 June 2021 (CRR 2). For CRR 2, this specifies that credit institutions must maintain a net stable funding ratio of at least 100% for all currencies combined. The NSFR rules cover a longer horizon than liquidity rules (LCR) and aim to limit maturity mismatches. CBI/FSA ’s liquidity and funding regime is largely based on the following: 1. Quantitative requirements: A mandatory liquidity reporting scheme (monthly) that allows for the calculation of regulatory LCR, with the minimum requirement in LCR ISK (40 percent106), LCR FX (100 percent) and LCR Total (100 percent) is in effect. Also, a mandatory NSFR reporting scheme (quarterly) used for analyzing medium to long term liquidity risk, with minimum requirement of NSFR 100 percent. In addition to these reports, credit institutions shall submit deposit and funding summaries (additional monitoring metrics reports, or AMM) for informational purposes. Banks also provide all the information that CBI/FSA requires in order to better access and analyze the liquidity position of the credit institution concerned or to conduct stress testing. 2. Qualitative requirements: Guidelines No. 2/2010 on Best Practices for Sound Liquidity Risk Management and Supervision, issued by BCBS in 2008, as well as other requirements in Article78(h) Act No. 161/2002 specify rules on Credit Institutions’ Liquidity Ratios and Rules on Credit Institutions’ Minimum Net Stable Funding Ratios. Article 117(b), paragraph 3, of Act No. 161/2002 states that CBI/FSA is authorized to set rules on credit institutions’ minimum or average liquid assets, in ISK and foreign currencies. These rules may prescribe different provisions for different classes of credit institutions. Furthermore, CBI/FSA is authorized to set rules on financial institutions’ minimum stable funding in ISK and foreign currencies, cf. same article. These rules may prescribe different provisions for different classes of credit institutions. The rules cover a longer horizon than liquidity rules and aim to limit maturity mismatches. According to the Rules on LCR and the Rules on NSFR, banks are required to observe the prescribed liquidity and stable funding requirements daily. If the bank, at any time, is below or can be reasonably expected to fall below the minimum requirements of LCR total, LCR FX, LCR ISK, or the NSFR, the bank shall immediately notify CBI and shall submit without undue delay a plan for the timely restoration of compliance with the minimum requirements. Until the LCR or NSFR has been restored to the appropriate level, the credit institution shall report daily by the end of each business date (COB) unless CBI authorizes lower reporting frequency and a longer reporting delay. Banks can be subject to further supervisory actions if compliance is not restored. This includes but not limited to per diem fines until compliance is restored in accordance with Act No. 87/1998. Administrative fines can also be applied by CBI/FSA, e.g., if non-compliance is ongoing, cf. Art. 110, Paragraph 1, item 67, 74 and 75 of Act No. 161/2002. The FSA issued Guidelines No. 2/2010 on “Best Practices for Sound Liquidity Risk Management and Supervision” with reference to Art. 8, paragraph 2, of Act 87/1998. The Guidelines are based on the Basel Committee’s liquidity principles that were published in September 2008. The Guidelines refer to the Basel Committee’s guidance for further clarification. CBI annually performs a comprehensive assessment of banks overall liquidity risk management framework and positions to determine whether a bank delivers an adequate level of resilience to liquidity stress given the bank’s role in the financial system through SREP, cf. Art. 80 of Act No. 161/2002. The SREP approach is consistent with the EBA Guidelines on SREP, relevant EU Directives provisions as transposed into national laws and rules, as well other relevant EBA guidelines and regulatory technical standards, is periodically updated to ensure alignment with the EBA Guidelines on SREP and to reflect new regulations and is applied in a proportionate manner to financial undertakings, considering the nature, scale, and complexity of their activities. (see CP8 for additional details). CBI/FSA has implemented certain thresholds in the monitoring of liquidity and funding risks. The system is on a 1-4 scale, where green level means “business as usual” and red level is “high risk”. When an indicator is at a yellow level CBI reacts immediately and monitors liquidity and funding risks more frequently e.g., a D-SIB would have to submit liquidity reports on a weekly basis or even daily, if the situation calls for that. The financial undertaking in question is also required to submit a plan on how (and what time is takes) to restore liquidity or funding to the green level. After a dialogue with the banks in recent years, the indicators for liquidity and funding (in Contingency Funding Plan and Recovery Plan) are calibrated in a certain way to ensure banks are above the “green level” or business as usual which is (e.g., 20 percent above the minimum requirements). This is to lower the risk that a financial undertaking would breach the minimum requirements, unless (of course) there would be a stressful tail event, either idiosyncratic or a systemic one. Some of the supervisory powers in relation to the SREP are listed in Article107(a) of Act No. 161/2002 and are in line with the supervisory powers listed in CRD IV. According to Article107 (a), paragraph 1, CBI/FSA shall demand that a financial undertaking take the necessary corrective measures in a timely manner if the financial undertaking does not comply with the provisions of this Act as well as the regulations and rules established based on them e.g., imposing specific requirements for maintaining liquidity, including due to maturity mismatch in the financial undertaking’s assets and liabilities. Article 107(c) covers early intervention measures. The FSA can apply early intervention measures if e.g., it is due to worsening financial situation, including deteriorating liquidity and require that the financial undertaking should act according to the recovery plan or update the recovery plan and conduct actions according to the updated plan. (See CP11 for more detail). All banks must adhere to CBI/FSA’s LCR, NSFR and liquidity risk management requirements. However, as per CBI/FSA’s SREP proportionality approach for lower or medium impact banks, financial supervisors monitor quarterly monitoring for liquidity and take the necessary action, as prescribed, should a bank get close to its minimum liquidity requirements. At this time, smaller banks have reported very high liquidity levels. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The prescribed liquidity requirements reflect the liquidity risk profile of banks (including on- and off-balance sheet risks) in the context of the markets and macroeconomic conditions in which they operate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
The liquidity requirements reflect the economic environment in which they operate, mainly in Iceland, and country specific requirements are in place. Liquidity requirements in Iceland include both on and off-balance sheet risks. See EC1 for additional detail regarding the prescribed liquidity requirements that reflect the liquidity risk profile of banks. The Rules on Credit Institutions’ Liquidity Ratios, no. 266/2017, took effect on 31 March 2017 and superseded the previous Rules, no. 1031/2014. National options have been implemented regarding LCR ISK and LCR FX combined due to markets and macroeconomic conditions. In addition to LCR and NSFR reports, credit institutions shall submit deposit and funding summaries (additional monitoring metrics reports, or AMM) for informational purposes. They shall also provide all the information that CBI/FSA requires to better access and analyze the liquidity position of the credit institution concerned or to conduct stress testing. A forward looking NSFR ratio for 3 years is monitored. Qualitative requirements take account of the risk-based approach used in supervision within CBI and proportionality as well, as required in EBA SREP GL. The CBI/FSA issued Guidelines No. 2/2010 on “Best Practices for Sound Liquidity Risk Management and Supervision” with reference to Article 8, paragraph 2, of Act 87/1998. In addition to the LCR, NSFR and country specific requirements already imposed, banks are closely monitored for liquidity trends and individual banks’ liquidity and funding risk is reviewed in the SREP process at least once a year for D-SIBs and less frequently for less significant institutions. CBI/FSA can impose additional capital, liquidity, or funding requirements depending on market and macro-economic conditions. The Governor of CBI is a member of both the FMEN and FSN. When decisions are taken on the adoption of rules of procedure and on entrusting the DG for Financial Supervision with taking non-major decisions and decisions concerning D-SIBs capital, liquidity, and funding, the Governor takes a seat on the FMEN as chair, and the DG for Financial Supervision serves as vice-chair. The DG for Financial Supervision is also a member of the FMEN, and the Director of the Banking Department participates in FSN meetings as an observer. Micro- and macroprudential functions within the CBI coordinate on a regular basis. The supervision of liquidity and funding risk is a shared responsibility of the CBI Macroprudential and Microprudential functions. Data collection and analysis on for example LCR, AMM and NSFR, is the responsibility of the Financial Stability Department. Microprudential function is responsible for SREP of individual institutions, including e.g., analyzing funding plans (3-5 years), financial statements, internal auditors’ reports, Pillar 3 and asset encumbrance levels and there is a working group between the Financial Stability Department and the Banking Department to discuss inherent liquidity risk. The macroprudential analysis and assessments provide an analysis of financial stability threats that can be used for updating the focus of risk-based supervision so that it remains current and forward-looking. The priorities may result in intensifying supervision of specific institutions or groups of entities designated as D-SIBs, or topics for examination across a broader range of entities. Both macroprudential and microprudential supervision have a common objective of mitigating the sources of systemic risk and therefore collaboration is essential. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that banks have a robust liquidity management framework that requires the banks to maintain sufficient liquidity to withstand a range of stress events and includes appropriate policies and processes for managing liquidity risk that have been approved by the banks’ Boards. The supervisor also determines that these policies and processes provide a comprehensive bank-wide view of liquidity risk and are consistent with the banks’ risk profile and systemic importance |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Banks are required to operate a sound risk management system as per Article 17 of Act No. 161/2002 and must address liquidity and funding risk in their operations in accordance with Article 78(h) of the same Act. The board of directors (BOD) and managing director of an institution shall regularly assess the institution’s liquidity and funding needs based on its level of risk. This process is carried out via the ILAAP which is approved by the BOD, results of which D-SIBs report annually. The ILAAPs are used as a basis for the review and assessment pertaining to liquidity and funding risk for the SREP process. For less significant banks ILAAP results are assessed less frequently and based on a categorization (low to high impact (1-4)) of that bank. CBI/FSA’s SREP methodology includes an assessment of risks to liquidity and adequacy of liquidity resources to cover these risks. CBI/FSA’s methodology is based on the EBA SREP GL, which specifically provides guidance on the assessment of liquidity and funding risk pertaining to the follow topics: Title 8. Assessing risks to liquidity and funding
Title 9. SREP liquidity assessment
The specific elements of CBI/FSA’s SREP framework are assessed and scored on a scale of 1 to 4. The outcome of the assessments, both individually and considered as a whole, forms the basis for the overall SREP assessment, which represents the up-to-date supervisory view of the institution’s overall viability. It also forms the basis for supervisory measures and dialogue with the bank. Regular monitoring of key quantitative and qualitative indicators supports the SREP by flagging changes in the bank’s financial conditions and risk profile. Should CBI/FSA discover material liquidity/funding issues, the financial supervisor, together with liquidity experts, have the ability to update the SREP elements where it highlights new material information outside of planned supervisory activities. Most of the staff’s time is allocated to the D-SIBs since they pose the most threat to financial stability and given the concentrated banking system in Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Banks are required to comply with guidelines No. 2/2010, for Sound Liquidity Risk Management and Supervision, issued by the BCBS in 2008. In 2014 and 2018 the FSA required all D-SIBs to do a self-assessment based on all the requirements in the Guidelines No. 2/2010. The banks are also required to comply with EBA Guidelines on ILAAP information collected for SREP purposes, issued in 2016. In 2016 the FSA carried out an on-site of all D-SIBs where the bank’s contingency funding plans (CFPs) were assessed. The observations were twofold: assessment of the structure and content of the CFPs and management response to emergencies and their enforcement of the CFP. This was done by submitting a hypothetical scenario that the banks had to respond within a day. Staff of FSA and CBI was present at the exercise. Both projects were very successful and increased the banks’ awareness of liquidity and funding risks. CBI/FSA regularly makes assessments of a bank’s liquidity and funding risk management frameworks (e.g., overall liquidity risk appetite and liquidity and funding risk management practices), including the monitoring of bank’s liquidity positions through the review of internal reports, prudential reports, and market information to determine whether banks are complying with bank’s liquidity risk appetite (also outlined in the ILAAP) . Through its SREP process when reviewing bank’s ILAAP, CBI/FSA annually conducts a comprehensive assessment of banks overall liquidity and funding risk management framework to determine whether the bank delivers an adequate level of resilience to liquidity stress given the bank’s role in the financial system. The ongoing evaluation of the effectiveness of risk management and control for liquidity and funding risk is mainly focused on specific requirements such as stress tests, governance, monitoring systems, reporting, contingency funding plans and public disclosure. Supervisory manuals on liquidity and funding risk assist financial supervisors with guidance on assess the adequacy of bank’s liquidity and funding risk management. Assessors note that an on-site for liquidity risk is planned for late 2022/beginning of 2023 that will assess D-SIBs liquidity and funding risk management policies and practices, strength of IT systems, adequacy of oversight of the Board/senior management. CBI/FSA’s approach to its assessment to bank’s liquidity and funding risk is fairly seasoned, however it is critical from time to time to assure itself of bank’s day to day operational capabilities (e.g., information systems are accurately identifying, aggregating, monitoring and controlling liquidity and funding exposures); and that Board oversight is effective. Carrying out the planned thematic review for the D-SIBs will help accomplish this. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor requires banks to establish, and regularly review, funding strategies and policies and processes for the ongoing measurement and monitoring of funding requirements and the effective management of funding risk. The policies and processes include consideration of how other risks (e.g., credit, market, operational and reputation risk) may impact the bank’s overall liquidity strategy, and include:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Banks are required to operate a sound risk management system, as per Article 17 of Act No. 161/2002, and must address liquidity and funding risk in their operations in accordance with Article7 (h) of the same Article. Article78(h) states that, a financial undertaking shall develop a methodology to identify, measure, manage and monitor funding sources. The methodology shall consider significant cash flows, current and projected, arising from assets, liabilities, and off-balance sheet items, including contingent liabilities and the potential impact of reputational risk. There is a guidance on funding risk strategy, concentration limits and diversification of funding in the Guidelines, the financial undertakings need to comply with:
Funding strategy, concentration and diversification is monitored monthly within CBI/FSA (e.g., Risk Dashboard) for all banks. CBI/FSA also assesses these issues at least yearly in the SREP dialogue after the D-SIBs submit their ILAAPs; less often for smaller banks. Banks are required to submit monthly prudential reports on LCR, NSFR and AMM, on a consolidated basis and parent of the group as well. The AMM report includes information beyond the 30-day period that is calculated in LCR, as well as information about funding concentration, cost of funding and concentration of liquid assets. Funding risk is evaluated through NSFR reports. In addition, CBI also collects reports on deposit concentrations which credit institutions return to CBI on monthly basis. The main liquidity metrics that are calculated from these reports is LCR ratio, forward looking LCR ratio for the next 3 and 6 months, NSFR ratio and forward looking NSFR ratio for the next 3 years. From the AMM report a survival period for each bank is calculated. There is an “early warning system” in place if a bank’s LCR is less than 120 percent, that bank is required to deliver LCR reports on a weekly basis and explain formally how it is going to resolve the issue. To supplement the prudential reports, market information and other public information is monitored regularly, and internal reports are requested ad hoc if needed (they are part of ILAAP/SREP and dialogues with the banks). At least annually for D-SIBs CBI conducts a comprehensive assessment of overall liquidity and funding risk management framework and whether the bank delivers an adequate level of resilience to liquidity stress give the bank’s role in the financial system. In particular, CBI checks if reports and information within the bank are within best practices as described in the guidelines. During Covid-19 market developments were uncertain and more frequent reporting was requested. At the time (April 2020) all banks were required to submit LCR reports on a weekly basis until the end of 2021. To be able to have a holistic view on liquidity and funding risk, including relevant market information both locally and outside Iceland because of refinancing risk in the foreign exchange market, a risk dashboard is in place and shared at least monthly with the relevant staff within CBI, including top management at CBI. Close collaboration is between the banking division and financial stability division within CBI in monitoring banks’ liquidity and funding position and general conditions in financial markets. The D-SIBs are active in the funding markets in issuing senior unsecured bonds and secured bonds (covered bonds), both locally and abroad, and are therefore able to maintain good relationships with liability holders. The main liquidity assets banks hold are deposits in CBI and government bonds, that are considered by the CBI to be highly liquid. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor determines that banks have robust liquidity contingency funding plans to handle liquidity problems. The supervisor determines that the bank’s contingency funding plan is formally articulated, adequately documented and sets out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The supervisor also determines that the bank’s contingency funding plan establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. The supervisor assesses whether, in the light of the bank’s risk profile and systemic importance, the bank’s contingency funding plan is feasible and requires the bank to address any deficiencies. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
According to Article 78.h. on Act No. 161/2002, a financial undertaking must have a CFP in place and test it at least annually and update it considering the results from the scenarios specified in article 78.h. A financial undertaking must also comply with the Guidelines on Principles for Sound Liquidity Risk Management No. 2/2010. A financial undertaking must also have a Recovery Plan in place and the CFP needs to complement the Recovery Plan in the risk management framework. CBI requires the results of testing of CFPs annually, reviews them and comments on them, if needed. CBI has also been invited to some of the exercises as an observer. The managing director of the financial undertaking must approve the CFP and ensure that internal processes are in accordance with the requirements of the provision. The financial undertaking must also take measures to ensure that a CFP can be implemented immediately. The CFPs must be submitted and vetted by the CBI annually in relation to SREP. Banks are informed of any deficiencies and required to make corrections. In SREP 2022 CFPs of all commercial banks were highly rated, or 1, on a 1-4 scale. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor requires banks to include a variety of short-term and protracted bankspecific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into their stress testing programs for risk management purposes. The supervisor determines that the results of the stress tests are used by the bank to adjust its liquidity risk management strategies, policies and positions and to develop effective contingency funding plans. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
The banks are required to comply with Guidelines on Principles for Sound Liquidity Risk Management No. 2/2010, and EBA Guidelines on institutions’ stress testing (EBA/GL/2018/04). CBI/FSA uses the EBA Guidelines on common procedures and methodologies for the SREP and supervisory stress testing (EBA/GL/2022/03), to assess management and control of liquidity and funding risk and internal manuals as well. Article 78(h) Act No. 161/2002 states that a bank must examine the impact of different scenarios on its liquidity position and risk mitigation, and the assumptions underlying the bank’s funding decisions must be revised at least annually. To that end, the scenarios must consider off-balance sheet items and other uncertain liabilities, including units on special projects in the field of securitization or other units on special projects according to regulation (EU) no. 575/2013 to which the banak acts as an administrative entity or provides significant liquidity support. In the scenarios, a bank must examine the effects of individual companies as well as the market environment, in addition to examining mixed scenarios. Within such scenarios, different periods and different stress situations should be considered by banks. A bank must adapt its plans, policies and limits for liquidity risk and develop an effective contingency plan regarding the results of the scenarios specified in the Act in response to liquidity problems. The plan must state how the bank intends to meet the lack of liquidity, including in branches in other member states where it operates. A bank must test the contingency plan at least annually and update it considering the results from the scenarios specified in the Act. The managing director of a bank must approve the plan and ensure that internal processes are in accordance with the requirements of the provision. A bank must take measures to ensure that a contingency plan can be implemented immediately. Those contingency plans are reviewed at least annually for D-SIBs and less frequently for less significant institutions. CBI/FSA’s comments or suggestions of improvement are submitted to the banks. When evaluating the management and monitoring of liquidity and funding risk, liquidity policy and liquidity tolerance limits, analysis, stress tests, contingency plans and financing plans are reviewed. Annually, CBI/FSA conducts a comprehensive assessment of a bank’s overall liquidity risk management framework through SREP. Stress testing is an important tool of the liquidity planning process. Liquidity stress test means the assessment of the impact of certain developments, including macro- or microeconomic scenarios, from a funding and liquidity perspective and shocks on the overall liquidity position of an institution, including on its minimum or additional requirements. In particular, CBI/FSA monitors how stress tests are used within the bank, if they cover market wide and idiosyncratic stress tests and their assumptions and how the results are communicated within the bank In their ILAAP reports, the banks must submit stress tests on liquidity and funding, as required in EBA Guidelines on ICAPP and ILAAP information collected for SREP purposes (EBA/GL/2016/10). The basis and results of the banks stress tests is part of the dialogue in the SREP. The banks also submit ad hoc stress test scenarios to CBI/FSA if requested. Stress tests of the banks’ liquidity and funding are conducted on a regular basis within CBI/FSA. The tests show, for example, when the banks pay all their foreign-denominated liabilities at maturity in the next 12 months and their largest depositors (large firms, financial institutions, and pension funds) withdrew their deposits, whether the banks would still have ample liquidity and considered as a sustainable and viable bank. Since there is a lot of turmoil in international funding markets (at the time of the BCP assessment) CBI/FSA had frequent discussions with the banks regarding re-financing risk, both in local currency (e.g., covered bonds) and especially in foreign exchange. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor identifies those banks carrying out significant foreign currency liquidity transformation. Where a bank’s foreign currency business is significant, or-the bank has significant exposure in a given currency, the supervisor requires the bank to undertake separate analysis of its strategy and monitor its liquidity needs separately for each such significant currency. This includes the use of stress testing to determine the appropriateness of mismatches in that currency and, where appropriate, the setting and regular review of limits on the size of its cash flow mismatches for foreign currencies in aggregate and for each significant currency individually. In such cases, the supervisor also monitors the bank’s liquidity needs in each significant currency, and evaluates the bank’s ability to transfer liquidity from one currency to another across jurisdictions and legal entities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
Credit institutions must submit reports and maintain a LCR requirement of 100 percent in all currencies combined and LCR requirement of 100 percent in FX total. Credit institutions must also submit reports and maintain a 100 percent NSFR in all currencies combined. According to both the EU Rules on LCR and NSFR, credit institutions shall monitor the ratios in significant currencies, i.e., individual currencies in which total obligations equal or exceed 5 percent of the institution’s total liabilities. According to both Rules, credit institutions are under a general obligation to ensure that the currency composition of their liquid assets/funding is aligned with the currency composition of their outflow/assets, with consideration given to weights as specified in the Rules. The Rules also authorize CBI to require that credit institutions minimize their currency mismatches by restricting the proportion of liquid assets/required stable funding in specified currencies that may be met with net liquidity outflows/available stable funding in other currencies. Such restrictions apply only to the reporting currency or any currency above the reference limits. No national options have been implemented relating to the NSFR, but CBI requires that credit institutions’ LCR FX combined be always at least 100 percent. Later this year, CBI intends to repeal the LCR FX total requirement and implement a LCR EUR requirement of 80 percent, if aggregate liabilities denominated in that currency amount to 10 percent or more of a bank’s total liabilities, as per Article117(b), paragraph 3 of Act No. 161/2002 and Article 6(8) of the Rules on Liquidity Coverage Ratio. This intention, to better align bank’s liquid assets/funding with the currency composition of their outflow/assets (ISK versus EUR), has been communicated to financial undertakings that fall within the scope of the rules. The credit institutions are required to comply with EBA Guidelines on ICAAP and ILAAP information collected for SREP purposes (EBA/GL/2016/10), and have a policy on funding in foreign currencies, including the most relevant assumptions regarding availability and convertibility of these currencies. Credit institutions are also required to comply with EBA Guidelines on institutions’ stress testing. Institutions’ analysis of risk factors should consider, but should not be limited to, e.g., the currency of assets and liabilities including off-balance-sheet items, to reflect the convertibility risk and possible disruptions in the access to foreign exchange markets. The Rules on Foreign Exchange Balance, no. 784/2018, took effect on 30 August 2018, and are issued in accordance with Article 24 of CBI Act No. 92/2019, which authorizes CBI to set rules on credit undertakings’ foreign exchange balance. Such a balance shall, in addition to exchange rate linked assets and liabilities, cover off-balance sheet exchange rate linked assets and liabilities, such as options and forward contracts. The Rules superseded the previous Rules on Foreign Exchange Balance, no. 950/2010 of 6 December 2010. The purpose of the rules is to limit foreign exchange risk by preventing credit institutions’ foreign exchange balances from exceeding defined limits. The rules apply to consolidated credit institutions and parent companies - i.e., commercial banks, savings banks, and other institutions and associations that have been granted operating licenses pursuant to Act No. 161/2002, with subsequent amendments, and are collectively referred to as financial undertakings in the Rules on Foreign Exchange Balance. Financial undertakings submit monthly reports on their foreign exchange balances; in addition, market makers in the interbank foreign exchange market submit daily reports on their foreign exchange balance. Each financial undertaking’s reporting includes itemized information on the current and forward balances of foreign assets and liabilities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Additional Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
AC1 |
The supervisor determines that banks’ levels of encumbered balance-sheet assets are managed within acceptable limits to mitigate the risks posed by excessive levels of encumbrance in terms of the impact on the banks’ cost of funding and the implications for the sustainability of their long-term liquidity position. The supervisor requires banks to commit to adequate disclosure and to set appropriate limits to mitigate identified risks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re AC1 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 24 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
The CBI/FSA have adopted binding liquidity requirements for credit institutions, including LCR and NSFR as well as adequate requirements for liquidity risk management policies, procedures, and practices. Although the CBI/FSA is of view that it has adopted Basel III liquidity requirements in the past, with the transposition of the EU framework into Iceland’s banking legislation, however, there are some deviations from the Basel standards. The EU rules (CRR/CRD) are applicable to all credit institutions, regardless of size or systemic importance or whether the jurisdiction has internationally active banks. The EU’s LCR framework was subject to a BCBS Regulatory Consistency Assessment Programme (RCAP) regarding the compliance with Basel III LCR regulations in 2017107. The EU framework was found to be overall largely compliant with the Basel LCR standard, reflecting the fact that most but not all provisions of the Basel standards were incorporated in the EU LCR framework. The RCAP found one material deviation and four potentially material deviations. The material deviation, which is considered relevant for Iceland, is driven by the EU’s broader definition for HQLA, which includes covered bonds. Although not considered material at this time for Iceland, there is a potential for increased materiality over time. As at Q3 2022, total covered bonds for all credit institutions included in the HQLA calculation in Iceland, amounted to 63.2 billion ISK, up from 9.5 billion ISK in 2019, representing an increase from 2.1 percent to 11 percent of total HQLA. The BCBS disclosure standards is based on daily observations when calculating average LCR values, while in Iceland it is based on the simple average of month-end observations over the 12 months preceding the end of each quarter. The EU’s NSFR framework was subject to a BCBS RCAP review by the BCBS regarding Basel NSFR regulations in July 2022108. The EU framework was found to be overall largely compliant with the Basel NSFR standard, reflecting the fact that three of the four components of the Basel NSFR standard (scope, minimum requirements, and application issues; available stable funding (ASF); and disclosure requirements) were assessed as compliant. The remaining component, required stable funding (RSF), was assessed as largely compliant (which took into consideration the cumulative impact of nine “not material findings”). The CBI/FSA adopted the net stable funding requirements for individual currencies above a specified threshold, referred to as significant currencies. National options have been implemented by the CBI/FSA regarding LCR ISK and LCR FX combined and LCR requirement of 100 percent in FX total109. Credit institutions must maintain 100 percent NSFR in all currencies combined. No national options have been exercised by CBI for the NSFR. CBI annually performs a comprehensive assessment of D-SIB’s overall liquidity risk management framework as part of the review of bank’s ILAAP during SREP. Further, CBI determines whether a bank can deliver an adequate level of resilience to liquidity stress given the bank’s role in the financial system through SREP. The Banking Department works closely with the Financial Stability Department in the assessment of both inherent liquidity risk of banks, but with respect to the assessment of current macro-economic conditions, including undertaking extensive stress testing. CBI is expected to assess D-SIB’s adequacy of risk management practices during the upcoming thematic review on liquidity risk later in 2022/23. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 25 |
Operational Risk The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk110 on a timely basis. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Law, regulations or the supervisor require banks to have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the bank’s risk profile, systemic importance, risk appetite and capital strength, take into account market and macroeconomic conditions, and address all major aspects of operational risk prevalent in the businesses of the bank on a bank-wide basis (including periods when operational risk could increase). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
According to Act No. 161/2002, banks shall operate secure risk management system for all activities and internal processes. Article 77(a) includes general requirements on risk management policies and frameworks expected from banks which cover all potential risk domains to which banks may be exposed, including operational risk. In addition, article 78(g) includes concise requirements on operational risk that call for implementation rules set by CBI: “A financial undertaking must have a policy and procedures for assessing and managing operational risk, including due to risk models and rare events that can have serious consequences. For this purpose, a financial undertaking must specify what is considered operational risk. A financial undertaking must have a contingency plan and a plan for continuous operations to ensure its continued operations and to limit losses in the event of a serious disruption to the undertaking’s operations. CBI of Iceland may set rules for the handling of operational risk and to elaborate on the obligations of a financial undertaking according to this Article.” These principles-based provisions constitute the legal base for supervision of banks’ operational risk management policies and frameworks, from a qualitative risk management perspective. Yet legal provisions of Act No. 161/2002 on operational risk are very generic, and not specific enough to cover the large scope of operational risk nor the wide range of qualitative requirements that are expected from banks on operational risk, according to the usual typology of operational risk categories defined in Basel standards, for instance on information and communication technology (ICT) risk management, accounting framework, quality of operations processing, fraud prevention and detection, human resources-related risks, legal risk, and so on. Act No. 161/2002, article 78(g) requires banks to specify what is considered operational risk. Such wording looks inappropriate because prudential regulations should directly define operational risk and provide banks with guidance for appropriate implementation of requirements on operational risk management. For the purpose of regulation and supervision of operational risk, from a risk management perspective, CBI refers to more detailed EU legislation and EBA guidelines that are incorporated in Icelandic law, as already described. Such incorporation is made explicit in Act No. 161/2002, notably in article 1(c), and articles 117 to 117(b). Banks must adhere to the following EBA guidelines, as well as other relevant EBA guidelines and technical standards on risk assessment and management:
CBI’s supervisory policy stance on operational risk may be summarized as follows. EBA guidelines regarding operational risk cover the 2021 guidelines on “Principles for operational resilience” and the 2005 guidelines on “Outsourcing of financial services”. CBI requires banks to implement BCBS standards No. 239, Principles for effective risk data aggregation and risk reporting. CBI has not adopted any national options regarding operational risk, and plans to use EBA guidelines as main applicable requirements. In addition, the three large banks are required to comply with the NIS directive, but it adds little to the requirements put forward in the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04). Therefore, CBI has not tailored regulations on operational risk to Iceland’s specific exposure to operational risk, for instance risks of natural disasters, risks related to the geographical position of Iceland as an island country (involving some potential vulnerabilities around submarine cables, for instance). CBI has not performed a horizontal analytical risk mapping work aimed at summarizing the inherent risk profile of the Icelandic banking sector regarding operational risk, as well as mitigation measures in place and/or remaining sensitive exposures to operational risk that would be classified as high-risk. As of now, CBI has not set regulatory requirements on climate-related financial risks applicable to banks, but this action is envisaged, though not precisely planned yet. CBI has drafted a supervisory handbook manual for operational risk monitoring and assessment of financial institutions, for internal use only. The handbook specifies risk management and control aspects which banking supervisors take into consideration in yearly SREP and quarterly operational risk assessments, notably: operational risk management and tolerance; the organizational framework; policies and procedures; risk identification, measurement, monitoring, and reporting; business resilience and continuity plans; and the internal control framework on operational risk. The risk assessment methodology considers both quantitative and qualitive aspects. The handbook also specifies how a risk rating (1 -4) is calculated; and what typology of supervisory measures may be taken to address identified deficiencies. Off-site supervision of operational risk is mainly implemented by CBI through the SREP and the review of ICAAP reports from banks. Banks provide supervisors with the following information, that is used to assess operational risk management: regular risk reports, yearly ICAAP reports, internal audit reports, reports on incidents and losses due to operational risk events, reports on material changes in the operating environment of the bank or in products or services. Supervisors regularly call banks for the loss database to assess the status of the operating environment. They also call for results of penetration testing exercises and vulnerability scanning. Based on the illustration case of a major bank provided by CBI, the SREP assessment process of operational risk management covers a large range of topics pertaining to operational risk, including legal risk, which demonstrates significant attention paid by off-site supervisors on operational risk when implementing the SREP exercise, yet CBI’s assessment is based on inputs from banks, and it is not supplemented nor cross-checked by direct investigations on site. CBI’s banking supervision teams include only 2 ICT specialists, who have expertise and experience on both ICT and audit, but have many duties to fulfill within financial supervision. Therefore, CBI’s human resources look scarce regarding ICT supervisors, who cannot engage in comprehensive and thorough on-site examinations of ICT risk management frameworks of banks. CBI has performed a limited number of on-site inspections of major banks for the last 5 years. On-site inspections have covered the following topics: “cyber-attacks”, “assessment of digital trends”, “compliance with GL outsourcing”, “TRS/TRS II”. CBI has also included in the list of on-site inspections on operational risk several missions which included a review of operational risk related to the main inspection topic, for instance model risk (main topic: electronic credit assessment system). Yet this extensive typology is far from globally covering full scope of operational risk of major banks. Therefore, considering the rising importance of operational risk in many areas (ICT security, cybersecurity, cloud computing, business continuity planning, data quality, and so on), CBI’s inspection program is not large nor thorough enough to reasonably cover the whole range of essential topics relating to operational risk, from a risk-based perspective, even if the banking sector only comprises 9 banks. At least the 3 major banks should deserve more hands-on on-site inspections on operational risk, including ICT risk as a whole (governance, processing, and security). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Boards. The supervisor also requires that the Board oversees management in ensuring that these policies and processes are implemented effectively. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
According to Act No. 161/2002, article 54(a), banks’ boards shall approve strategies, policies, processes as well as the risk appetite and the implementation of risk management. Banks’ boards must also ensure that risk management processes, such as risk-taking and mitigation are reviewed at least once a year. Article 77(a) states that banks must have procedures that ensure the exchange of information between their risk management function and their board regarding all major risk factors in the bank’s operations and their evolution. The involvement of banks’ boards of directors in setting and monitoring banks’ operational risk management processes is partly determined when the annual SREP is conducted (on a yearly basis for major banks only). The main objective of ICAAP reports, subject to the SREP process, is to ensure that banks’ boards of directors, as well as senior management, understand banks’ risk profiles, and that there are systems in place to assess, quantify, and monitor banks’ operational risk exposures. CBI regularly requests a copy of the latest operational strategy when performing the SREP or on-site inspections, to assess that it has been reviewed and approved, and that the content of the strategy covers all governance requirements. The boards’ oversight of policy and process implementation on operational risk is verified by examining banks’-internal operational risk reports to board committees, reviewing the content of upper management risk dashboards, and interviewing board members. CBI also reviews banks’ internal risk reports, internal audit reports, and compliance reports to assess how operational risk deficiencies and incidents have been addressed. Data on losses resulting from operational risk events, and incidents databases pertaining to operational risk are also examined by CBI to see if patterns or concentration in operational risk are dealt with properly by banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that the approved strategy and significant policies and processes for the management of operational risk are implemented effectively by management and fully integrated into the bank’s overall risk management process. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
CBI refers to EBA Guidelines on SREP and ensures each year that policies and processes on operational risk are implemented effectively by banks and integrated into their overall risk management process. CBI is monitoring operational risk of D-SIBs through the annual SREP. Regarding operational risk, CBI has focused banking supervision during the pandemic on ICT risk, and ensured that resources, policies, and processes are in order. Overall, banks’ organizational framework and business continuity plans have been effective. Elaborating on banks’ exposure to operational risk, CBI has assessed that:
CBI collects information on operational risk losses from the three largest banks. The total amount of operational risk losses for 2021 has reached ISK 218 million, including ISK 175 million losses resulting from operational incidents pertaining to operation processing management. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor reviews the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans to assess their feasibility in scenarios of severe business disruption which might plausibly affect the bank. In so doing, the supervisor determines that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
CBI/FSA has enhanced off-site supervision of business continuity planning recently. Banks are required by CBI to comply with EBA Guidelines on ICT and security risk management (EBA/GL/2019/04) which cover business continuity planning and disaster recovery plans. These guidelines were implemented in 2021, and banks are expected to be fully compliant in 2022. Supervisory monitoring of banks’ policies and frameworks on business resilience and continuity plans has been incorporated in the annual SREP. CBI/FSA reviews relevant documentation provided by banks, and discussion with banks on existing frameworks, results of simulation exercises, and other topics pertaining to business continuity is engaged at least annually. The internal supervisory handbook includes to-do tasks in that regard, yet there is not much detail on the processing of concrete implementation of off-site supervision. CBI/FSA has not implemented any on-site inspection of business continuity planning in the banking sector for the last 5 years. When necessary, like during the COVID-19 pandemic, when teleworking disrupted normal operation processing of banks, CBI engages specific discussion with banks to evaluate if operational threats are dealt with properly. Furthermore, CBI intermittently requires banks to perform ad-hoc operational stress tests as a part of the SREP. For example, within the 2022 SREP, the impact of an extensive ransomware attack on business continuity was examined. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor determines that banks have established appropriate information technology policies and processes to identify, assess, monitor and manage technology risks. The supervisor also determines that banks have appropriate and sound information technology infrastructure to meet their current and projected business requirements (under normal circumstances and in periods of stress), which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
CBI is adopting a similar supervisory approach as the one mentioned in CP25 EC4. Banks are required by CBI to comply with EBA Guidelines on ICT and security risk management (EBA/GL/2019/04). These guidelines were implemented in 2021, and banks are expected to be fully compliant in 2022. This is reviewed in the SREP and through the assessment of banks’ internal audit reports that banks are required to share with CBI annually. Yet the supervisory handbook is not developing supervisory tasks on ICT risk supervision. CBI/FSA mostly rely on EBA guidelines for guiding supervisors on the methodological approach of risk assessment. Off-site supervisors rely on internal information provided by banks, such as internal audit reports. Also, the CBI/FSA banking inspection program has not covered ICT risk, although the supervision of such a risk domain would require implementing onsite inspections to assess the adequacy of banks’ systems and risk management, based on thorough examination in the field. CBI has included cybersecurity as an essential topic to focus on in the 2022-24 supervisory strategy: https://www.cb.is/library/Skraarsafn---EN/Financial-Supervision-Committee/Supervisory%20Strategy%202022-2024-final%20(002).pdf. Cyber-risk management is becoming a priority area of financial supervision globally. Increased focus is on banks’ digital services, partly due to the pandemic that has increased cyber-risk. Payments are almost exclusively made digitally in Iceland, so the market is extremely sensitive to any disruption of internet services and payment systems. Increased use of cloud services outside of Iceland, inside and outside the EU, is also a source of concern for CBI. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor determines that banks have appropriate and effective information systems to:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Banks send regular risk reports to CBI that cover operational risk. These reports are the same that banks’ senior management receive. These reports are reviewed to ensure that risk data exists, metrics are effective, and actions are taken where needed. CBI assesses the adequacy of reporting on operational risk mostly off-site during the SREP, based on information provided by banks. Because there has not been any on-site inspection by CBI/FSA on banks’ information systems dedicated to their oversight of operational risk, the off-site desk review performed during the annual SREP cannot fully achieve the objective of determining in a fully reliable way whether banks have appropriate and effective information systems to monitor operational risk, including compilation of operational risk data and internal reporting on operational risk. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Financial firms are required to report incidents pertaining to operational risk to CBI, based on CBI guidelines. This reporting framework is based on the PSD2 incident reporting framework issued by EBA. Further information is collected if needed, including from service providers that may have been involved in incidents. CBI has required banks to submit operational risk reporting via EBA’s COREP reporting framework since 2021. A draft risk dashboard with EBA KRIs has been made (OPR-1 to OPR-16) but it has not yet been officially disclosed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management program covers:
Outsourcing policies and processes require the bank to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
CBI requires banks to comply with EBA guidelines on outsourcing arrangements (EBA/GL/2019/02). CBI considers that these guidelines are extensive and cover most important items on outsourcing. EBA guidelines were implemented in 2021. CBI has developed banking supervision of operational risk pertaining to outsourcing recently.
Banks are required to register and report all outsourcing arrangements. CBI periodically requests this information to compile a list of banks’ external providers of essential services, and to examine related concentration risk amongst service providers within the financial system. Banks are also required to provide CBI with a checklist for all cloud service arrangements. On-site inspections on outsourcing have been performed in 2022 (ongoing thematic program) to ensure compliance. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 25 |
Materially Non-compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Substantial progress has been made by CBI on supervision of operational risk in the banking sector to move beyond the quantitative Pillar 2 approach of additional capital requirement to develop a more global qualitative assessment of banks’ operational risk management frameworks. Yet supervision of operational risk has not reached optimum level of coverage and thoroughness, even considering proportionality, given the intrinsic complexity of operational risk, and the universal banking model of major banks in Iceland. Prudential regulations on operational risk mostly rely on relevant EBA guidelines. Yet prudential requirements, at least supervisory expectations for proper implementation of EBA guidelines, have not been tailored to the specific risk profile on the Icelandic banking sector regarding operational risk, except 2019 CBI guidelines on information systems operated by banks. CBI should tailor EBA guidelines on operational risk to national specifics, either by setting specific qualitative prudential requirements into national regulations, or, at least, by issuing supervisory guidance to banks for appropriate implementation of EBA guidelines on operational risk management, comprehensively covering the large scope and typology of operational risk in a way that is proportionate and adapted to the country’s specific operational risk environment within the banking sector. CBI should build a global risk-based supervisory strategy on operational risk that would be based on thorough risk mapping and assessment of the banking sector’s exposure to operational risk typologies, causes, threats, and vulnerabilities, at banking system level, and each bank level. So far, despite more detailed and extensive assessments on operational risk performed during the SREP, specific monitoring of the pandemic’s impact on operational resilience of banks, and a few targeted inspections on specific risk domains such as outsourcing, which actions are quite commendable, CBI has not yet structured a strong enough capacity to implement global risk-based supervision of operational risk in major banks effectively, especially, but not only, on ICT risk, notably by conducting hands-on on-site inspections. Further enhancement of risk-based supervision of operational risk would require upgraded off-site supervision processes, as well as more comprehensive, thorough, and intensive on-site inspection of banks, requiring additional resources, notably on ICT risk (combining expertise of ICT systems, management, audit, and banking supervision). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 26 |
Internal Control and Audit The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent111 internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require banks to have internal control frameworks that are adequate to establish a properly controlled operating environment for the conduct of their business, taking into account their risk profile. These controls are the responsibility of the bank’s Board and/or senior management and deal with organizational structure, accounting policies and processes, checks and balances, and the safeguarding of assets and investments (including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading and computer intrusion). More specifically, these controls address:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Prudential requirements applicable to banks regarding their internal control framework are laid down in various legal and regulatory references that are dispatched in separated sets of norms, thus not easy to grasp. The legal and regulatory framework on internal control in the banking sector mostly relies on EU rules and EBA guidelines that are incorporated in Icelandic law, as already described. Such incorporation is made explicit in Act No. 161/2002, notably in article 1(c), and articles 117 to 117(b). EBA guidelines EBA/GL/2021/05 on internal governance sets out detailed requirements on internal controls, among which banks should have a clear, transparent, and documented decision-making process, and a clear allocation of responsibilities and authority within its internal control framework, including its business lines, internal units, and internal control functions. In addition, EBA guidelines, Title II on role and composition of the management body, set out detailed requirements on the role and responsibility of banks’ boards of directors, including arrangements aimed at ensuring the integrity of the accounting and financial reporting systems, as well as financial and operational controls, and compliance with relevant standards. Also, EBA guidelines, Title V set out detailed requirements on internal controls, requiring banks to have a clear, transparent, and documented decision-making process, as well as a clear allocation of responsibilities and authority within its internal control framework, including its business lines, internal units, and internal control functions. Act No. 161/2002 on Financial Undertakings includes provisions on internal control which are dispatched in various Chapters, notably on (i) corporate governance (Chapter VII on board of directors, corporate governance, and employees), (ii) risk management (Chapter IX on management of risk factors in the operations of a financial undertaking), and (iii) internal audit (article 16 on audit section; Chapter XI on annual financial statements, auditing, and consolidated financial statements). Legal provisions on internal control are quite generic. For instance, article 50 on governance states that banks must have “an adequate internal control system, including sound management and accounting arrangements, and a remuneration policy that are implemented in a manner that is consistent with and contributes to reliable and efficient risk management.” Legal provisions of Act No. 161/2002 don’t develop specific qualitative prudential requirements applicable to banks on internal control, covering the overall internal control framework that is expected to be structured with the usual so-called three lines of defense, that are quite important for banks, especially D-SIBs: (i) internal control units and processes embedded within operational (business and support) workstreams at first level; (ii) independent internal control functions in charge of risk management, compliance, and oversight of most risk-sensitive operational workstreams (checks and balances, and “four-eyes” principle) at second level; and (iii) a global and independent internal audit function at third level. On the role of bank boards in internal control, Iceland has implemented Article 88 of EU Directive 2013/36/EU into Article 54 of Act No. 161/2002 which states that the board is responsible for the company’s operations and strategy, robust governance arrangements, which include a clear organizational structure with well-defined, transparent, and consistent lines of responsibility, risk strategy, adequate internal control mechanisms, including sound administration and accounting procedures. CBI/FSA supplemented Act No. 161/2002 by issuing national guidelines on internal audit in banks (2008): https://www.fme.is/media/leidbeinanditilmaeli/Leidbeinanditilmaeli2008 3.pdf. Yet these CBI/FSA guidelines are outdated and not aligned with latest international standards, not with EBA guidelines that are now enforceable in Iceland. For instance, the internal audit function reports to senior management, not to the board. CBI also applies Act No. 2/1995 on public limited companies, including regular requirements on the board of directors. This law is outdated and not adapted because more recent and specific international standards applicable to banks have been issued afterwards: 2015 BCBS guidelines No. 328 on corporate governance principles for banks; and 2012 BCBS guidelines No. 233 on the internal audit function in banks. The overall assessment of internal control is conducted by CBI via regular monitoring, mostly through off-site supervision, including the following tasks (not comprehensively listed below, for illustration):
CBI/FSA has not supplemented off-site supervision by performing on-site inspection of internal control in the banking sector globally and frequently for the last 5 years, while hands-on and thorough on-site inspection in the field would be the only way to double-check the outcome desk reviews performed through the SREP, and ensure that information provided by banks on internal control is reliable and accurate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that there is an appropriate balance in the skills and resources of the back office, control functions and operational management relative to the business origination units. The supervisor also determines that the staff of the back office and control functions have sufficient expertise and authority within the organization (and, where appropriate, in the case of control functions, sufficient access to the bank’s Board) to be an effective check and balance to the business origination units. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Regarding prudential rules on the first level of internal control, CBI essentially applies EBA guidelines. CBI refers to EBA guidelines GL/2021/05 on internal governance about requirements on the first level of internal control. Among requirements referred to by CBI from EBA guidelines:
CBI also refers to EBA guidelines GL/2021/06 on assessment of suitability which set out requirement for the banks’ framework assessment of suitability of key function holders which includes heads of internal control functions. Managers of compliance and risk management functions (second line of defense) report to CEOs but have direct access to banks’ board and committees. Banks’ boards of directors approve their appointment and charters relating to their functions, and boards must be notified in case of dismissal. Internal audit (third line of defense) directly reports to the board of directors. CBI has ensured that heads of internal control functions have direct and frequent access and communication with banks’ boards and board committees in all banks. Regarding the implementation of CBI’s supervisory policy on the first level of internal control, CBI mostly assesses the adequacy of banks’ internal control framework when performic the periodic SREP (yearly for major banks, only twice since 2016 for smaller banks), based on EBA guidelines. Resources of internal control functions are monitored closely and discussed frequently with major banks’ heads of internal control functions and board members. Monitoring includes reviewing annual reports of internal control functions, CVs of employees, meeting minutes of the board and committees. If necessary, CBI requires banks to ensure appropriate resources, either by increasing the number of employees or bringing in external resources. Yet no thematic on-site banking inspection of internal control frameworks has been planned nor completed for the last 5 years by CBI aimed at going beyond off-site supervisory dialogue, and assessing the effective implementation of sound internal control frameworks and practices globally and more thoroughly. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that banks have an adequately staffed, permanent and independent compliance function112 that assists senior management in effectively managing the compliance risks faced by the bank. The supervisor determines that staff within the compliance function is suitably trained, have relevant experience and have sufficient authority within the bank to perform their role effectively. The supervisor determines that the bank’s Board exercises oversight of the management of the compliance function. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Regarding prudential rules on the compliance function, which is part of the second level of internal control, CBI also essentially applies EBA guidelines. CBI refers to EBA guidelines GL/2021/05 about requirements on the compliance function. Among requirements referred to by CBI from EBA guidelines, internal control functions, including the head of compliance, should be independent of the business lines and internal units it controls, and it should have sufficient authority, stature, and resources. To this end, heads of compliance should report and be directly accountable to banks’ CEOs and/or boards, and their performance should be reviewed by boards. Boards shall approve their appointment and compliance function’s charters, and they must be notified in case of dismissal. Compliance officers should possess sufficient knowledge, skills, and experience in relation to compliance and relevant procedures, and they should have access to regular training. Banks are not required to set up independent compliance committees reporting to boards of directors, as it is required for internal audit and risk management. Therefore, Icelandic banks don’t have any compliance committees. Regarding the implementation of CBI’s supervisory policy on the compliance function at second level of internal control, CBI mostly assess banks’ compliance during the SREP, based on EBA guidelines. CBI has provided explicit illustration of specific supervisory focus on the compliance function on AML/CFT (which is out of scope of CP26, but within the scope of CP29) when performing SREP tasks. On other topical aspects of compliance, CBI reviews annual reports of bank’s compliance officers, which content is discussed. CBI mentions that it had an issue with the competence of a compliance officer of a systemically important bank, which compliance reports and interviews indicated lack of capabilities in certain areas; this issue was discussed with board members and the CEO, and it resulted in the bank hiring a new compliance officer. No thematic on-site inspection of banks on compliance (except AML/CFT) has been planned nor completed for the last 5 years by CBI to go beyond supervisory dialogue involving off-site supervisors, and assess more thoroughly the effective structuration of a full-fledged compliance function, as well as the effective implementation of compliance processes (including whistleblowing and related protection of employees). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor determines that banks have an independent, permanent and effective internal audit function113 charged with:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Regarding prudential rules on the internal audit function, which is the third level of internal control, CBI applies two sets of norms:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor determines that the internal audit function:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Regarding the implementation of CBI’s supervisory policy on the internal audit function at third level of internal control, CBI mostly assess banks’ internal audit during the SREP, based on EBA guidelines. That includes reviewing reports and findings of banks’ internal audit, regular interviews and communication with banks’ internal auditors, boards, and in particular board members participating on audit and risk committees. More specifically, the scope of CBI’s supervision of banks’ internal audit covers the following tasks, referring to EC5 list of items:
In the past, CBI required improvements, mostly regarding bank boards’ and/or management’s lack of focus on closing unimplemented recommendations of internal audit reports. That issue was related to insufficient risk culture and risk awareness of the first line of defense which has been somewhat improving in banks, from CBI’s viewpoint. CBI mentions that supervisory action taken in recent years has increased awareness of the importance and value of internal control and the role of internal audit in ensuring sound banks’ operations, at least on major banks. For savings banks, the SREP is much less frequently implemented (2021, after 2016), impacting the coverage of their internal control frameworks by banking supervisors. Yet no thematic on-site inspection of banks on the internal audit function has been planned nor completed for the last 5 years by CBI to go beyond supervisory dialogue involving off-site supervisors, and assess more thoroughly the adequacy of the internal audit framework, as well as the effective and appropriate coverage of most risk-sensitive workstreams by internal audit. In that regard, the opinion provided by CBI in the BCP selfassessment on the overall quality of banks’ internal control is quite high-level. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 26 |
Largely-compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Off-site supervision annually reviews major banks’ internal control frameworks (including internal audit) during the SREP. Much commendable progress has been done since 2014 on concrete supervision of internal control through more intense supervisory dialogue and more thorough off-site reviews. Nevertheless, various specific weaknesses remain which may still undermine the overall CBI’s supervisory approach on banks’ internal control frameworks at some point, notably the lack of effective implementation of on-site inspections covering banks’ internal control frameworks globally for the last 5 years, and a much less frequent review of nonmajor banks. Scarce human resources within CBI allocated on internal control may be an issue. Also, national guidelines issued by CBI/FSA in 2008 on internal audit in banks are outdated. The lack of global coverage of internal control frameworks through regular onsite inspections is a significant weakness which should be addressed by CBI/FSA to supplement off-site supervision, which cannot by itself alone achieve the expected level of adequacy and effectiveness of supervision required in CP26. Building on the recent dynamic upgrade of off-site supervision in that regard would be key to fully comply with CP26. In all, a more globally structured supervisory strategy, as well as more thorough direct controls, would be expected from CBI regarding banks’ adequate implementation of prudential regulations, while supervisory expectations should usefully be tailored beyond the regular set of applicable EBA guidelines. Such supervisory strategy should aim at assessing the adequacy of banks’ internal control frameworks globally, covering the three lines of defense: (i) internal control units and processes embedded within operational (business and support) workstreams at first level; (ii) independent internal control functions in charge of risk management, compliance, as well as oversight of most risksensitive operational workstreams (checks and balances, and “four-eyes” principle) at second level; and (iii) a global and independent internal audit function at third level. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 27 |
Financial Reporting and External Audit The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
The supervisor114 holds the bank’s Board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally and that these are supported by recordkeeping systems in order to produce adequate and reliable data. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Regarding the responsibility of banks’ boards of publishing banks’ financial statements, CBI refers to the general legislation on limited liability companies:
Act No. 161/2002 on financial undertakings, articles 87-92 adds specific requirements applicable to banks:
Act No. 87/1998 on official supervision of financial activities, article 10 states that if a regulated entity does not comply with laws or other rules governing their activities, CBI shall require corrective action within a reasonable period, especially if bank’s record keeping and data are not reliable, and if required reports are not submitted on a timely and accurate basis. For this purpose, CBI can apply fines and per diem fines (article 11). CBI holds banks’ senior management responsible and may demand corrective action. Major Icelandic banks have implemented IFRS, while smaller banks have not. According to Act. No. 3/2006, certain companies are obliged to apply IFRS whereas other companies are allowed to apply the generally accepted accounting standards (Icelandic GAAP). If a bank has securities registered on a regulated market in the European Economic Area, they are bound to use IFRS. Other banks are otherwise bound by provisions of the Act on annual accounts, as well as CBI Rules No. 834/2003 on the financial statements of credit institutions (https://en.fme.is/media/utgefid-efni/rules 834 2003.pdf), and Rules No. 102/2004 on the financial statements of securities companies and securities brokerages. CBI has not implemented any specific transposition of international standards on banks’ external audit function (2012 BCBS guidelines No. 280 on external audits of banks) into Icelandic legislation and regulation. Applicable to banks. CBI Rules No. 532/2003 on auditing of financial undertakings are much older: https://en.fme.is/media/utgefid-efni/rules-532 2003.pdf. Act No. 161/2002, article 88 states that CBI has power to issue specific accounting rules applicable to regulated financial institutions, including valuation and public disclosure requirements, in consultation with the Icelandic Accountancy Council. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor holds the bank’s Board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion as a result of an audit conducted in accordance with internationally accepted auditing practices and standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Regarding the requested opinion of external auditors on banks’ published financial statements, the legal and regulatory framework is well in place in Iceland. CBI refers to the following national legislation:
Major banks issue their audited annual financial statements on their website (webpages for investor relations), together with additional material like quarterly interim reports and presentation slides for investors:
Banks are obliged to return their audited annual statements through CBI’s report delivery system. CBI monitors the banks delivery within the required time limit. A warning is issued if the accounts are not delivered within the required time limit and penalties levied if the situation is not rectified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
The supervisor determines that banks use valuation practices consistent with accounting standards widely accepted internationally. The supervisor also determines that the framework, structure and processes for fair value estimation are subject to independent verification and validation, and that banks document any significant differences between the valuations used for financial reporting purposes and for regulatory purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Regarding rules on banks’ valuation practices, as mentioned under CP27 EC1, banks that compile their annual accounts in accordance with IFRS shall comply with the valuation methods described in IFRS, while other regulated financial institutions shall comply with valuation methods described in Act No. 3/2006 on annual accounts as well as CBI’s Rules No. 834/2003 on the financial statements of credit institutions. According to Act No. 161/2002, article 107(a), CBI may require a bank to take corrective action in a timely manner to comply with regulations, in view of publishing fair and accurate financial statements, including, for instance, depreciation of assets. CBI/FSA relies on opinions of banks’ external auditors, their reports, meetings with external auditors as well as on-site inspections to determine that banks use valuation practices consistent with accounting standards widely accepted internationally, for example: valuation of loans, valuation of collateral, application of IFRS 9, and loan forbearance. CBI/FSA also relies on banks’ internal audit reports that may cover accounting and valuation topics. No significant issue regarding banks’ valuation practices has been reported from external auditors to CBI/FSA, as indicated during the BCP assessment. CBI/FSA does not perform regular on-site inspection of banks’ accounting frameworks, methodologies, and practices to directly assess their valuation practices. As highlighted in many other risk domains for which off-site supervision is not adequately supplemented by on-site inspection, CBI/FSA should perform on-site investigations to directly ensure that valuation practices are adequate, at least on most sensitive bank accounts, notably credit exposures. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
Laws or regulations set, or the supervisor has the power to establish the scope of external audits of banks and the standards to be followed in performing such audits. These require the use of a risk and materiality-based approach in planning and performing the external audit. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Regarding the scope and standards of external audits performed by banks’ external auditors, CBI does not have legal power to decide the scope of external audit. But CBI Rules No. 532/2003 on the auditing of financial undertakings lay down detailed provisions on external audit of annual accounts of banks, and duties of banks’ external auditors: https://en.fme.is/media/utgefid-efni/rules-532 2003.pdf. Though rather old, these CBI rules clearly expect external auditors to perform risk-based checks on accounts that are most sensitive to valuation. In that regard, Article 8 states that: “In deciding on the execution and scope of surveys in relation to the auditing and endorsement of annual accounts, the auditor shall consider the importance of individual elements and risk. While conducting his survey, the auditor shall focus primarily on the most important items in the annual accounts and the elements of internal control where there is greatest danger of deviation.” Act No. 161/2002, article 94 enables CBI to require that a “special audit” of a bank be carried out if CBI sees any reason to expect audited accounts do not provide a clear picture of the bank’s financial position and operating results. CBI holds regular meetings with external auditors to get information on the outcome of their auditing work, in accordance with CBI guidelines No. 7/2015 on relationship between the supervisory Authority and the external auditors of regulated entities that are also entities of public interest. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
Supervisory guidelines or local auditing standards determine that audits cover areas such as the loan portfolio, loan loss provisions, non-performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Regarding the topical coverage of external audits performed by banks’ external auditors, CBI refers to general laws and regulations applicable to external audit of banks’ financial statements. Per applicable rules, external auditors shall cover risk-related topics mentioned in CP27 EC5, especially classification and valuation of assets and liabilities and off-balance sheet items. There are no Icelandic-specific auditing standards. External auditors conduct their auditing and review in accordance with International Standards of Auditing (ISA). In that regard, CBI refers to the following norms:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to or does not adhere to established professional standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
Regarding the supervisor’s ability to refuse the appointment of banks’ external auditors, CBI/FSA has been provided with legal power that may be further increased in view of providing CBI/FSA with full prudential oversight of external auditors, as explained below. CBI does not oversee external auditors nor have any legal power to bring legal action against auditors. The Auditors’ Council is the public body, which is responsible for supervision of certified public accountants (CPAs), as stated in Act No. 79/2019, article 35. If CBI is aware of any inadequate expertise or independence of auditors, CBI should inform the Auditors Council in view of taking appropriate action. In that regard, CBI does have the power to refer suspected violations of Acts that fall under the regulatory scope of CBI for criminal investigation. Therefore, if an external auditor is considered to have demonstrated negligence in his duties, the case can be referred to the Audit Council, which handles disputes relating to the duties of auditors, according to Act No. 94/2019 on auditors, Chapter VIII. Then the Audit Counsel can refer a case for criminal investigation which should be supported by a reasoned opinion. CBI has no legal power to directly reject and rescind the appointment of an external auditor. CBI is not in charge of licensing external auditors, nor can it disagree on licensing applications of external auditors. CBI doesn’t review letters of engagement and contracts of external auditors. It has not done any modification of the terms of engagement or rejected the appointment of an external auditor. Yet CBI mentions that it has not faced any issue regarding banks’ external auditors. The above-mentioned assessment that CBI has no direct power to object to the appointment of a bank’s external auditor is based on the following information: (i) the BCP self-assessment shared by CBI which mentions that “CBI does not have the direct power to reject and rescind the appointment of an external auditor”; and (ii) existing legal and regulatory provisions applicable to external auditors in the banking sector, notably Act No. 161/2002, article 92, and CBI Rules No. 532/2003, which don’t mention anything about this topic. Yet CBI has challenged BCP assessors on this point in a follow-up discussion during the BCP assessment mission:
On external auditors’ independence, CBI mentions that an external auditor in charge of auditing a bank’s financial statements may not be a member of the bank’s board or a bank’s employee, nor work on behalf of the bank in any respect except auditing, nor be a debtor to the bank, neither as a principal debtor nor as a loan guarantor. Such requirements are included in Rules No. 532/2003. Furthermore, the external auditor may not work on behalf of the bank on matters that may impair his independence towards the bank. Act No. 94/2019 on auditors, article 3 states that banks’ external auditors must have unblemished reputation and be CPAs. Article 9 states that the CPA is subject to continuous education. Article 14 states that an external auditor shall follow the code of conduct adopted by the Institute of State Authorized Public Accountants in Iceland. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
Regarding the rotation of banks’ external auditors, CBI has no legal power to request that banks rotate their external auditors. Banks are required to rotate their external auditors in accordance with Act No. 94/2019 on auditing and auditors, article 46, and regulation (ESB) 537/2014, article 17: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0537&qid = 1669979290420&from = EN. Per EU rules, neither the initial engagement of a particular statutory auditor or audit firm, nor this in combination with any renewed engagements therewith shall exceed a maximum duration of 10 years, or 20 years where a public tendering process for the statutory audit is conducted, or 24 years if more than one accounting firm is employed at the same bank. Such low frequency of rotation may not be recommendable as a legal provision. More frequent rotation should reasonably be required by laws or regulations, and enforced by CBI, if need be, to ensure that sound external audit of banks is supported by periodic turn-over of their external auditors. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
Regular meetings are held on a bilateral basis by CBI with banks’ external auditors, in accordance with CBI guidelines No. 4/2015 on “meetings between external auditing of financial undertakings and the FME”. Meetings are held every year with external auditors for the three biggest banks before and after their auditing work regarding the annual financial statements. Additional meetings can be held if deemed necessary, as well as for other banks. CBI does not meet periodically with the whole community of banks’ external auditors to discuss issues of common interest relating to banks’ operations, valuation policies, and external audit. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The supervisor requires the external auditor, directly or through the bank, to report to the supervisor matters of material significance, for example failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the bank’s financial reporting process or other matters that they believe are likely to be of material significance to the functions of the supervisor. Laws or regulations provide that auditors who make any such reports in good faith cannot be held liable for breach of a duty of confidentiality. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
Regarding the duty of whistleblowing of banks’ external auditors to CBI, the law has laid down explicit provisions. Act No. 161/2002, article 92 states that if a bank’s external auditor becomes aware of substantial deficiencies in operations or matters concerning internal control, collateral loans, or other matters that weaken the financial position of the bank, or aspects that result in a refusal to certify financial accounts or endorse them with reservations, or if the auditor has any reason to believe that laws, regulations or rules that apply to the bank have been violated, the auditor must notify the board of directors and CBI. This applies also to comparable issues that come to the knowledge of the auditor in the course of auditing for a company with close links to the bank. Such notification made by the external auditor pursuant to article 92 does not constitute a breach of confidentiality. The person notifying shall not be subject to any liability with respect to the notification. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 27 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Prudential regulation specific to banks’ external auditors follows EU rules and national laws applicable to publicly listed companies. Banking legislation lays down some important principles, such as the independence of external auditors, the duty of external auditors to alert CBI, as well as bank boards’ accountability regarding the publication of financial statements. The 2014 ROSC pointed out that CBI lacked some important supervisory powers on banks’ external auditors, among which the definition of a risk-based scope of audit, the right of objection against the nomination or continuation of the mandate of external auditors that are not deemed suitable, as well as limitation of the duration of external auditors’ mandate. In that regard, despite amendments made to Act No. 161/2002 in 2019 and 2022, CBI still lacks fully adequate powers on banks’ external auditors as required by CP27 EC6 and EC7 on the two following points:
Therefore, Act No. 161/2002 and CBI’s application regulation should give CBI additional power to oversee banks’ external auditors, so that (i) CBI may have effective power of early objection against the appointment of an external auditor, and (ii) more frequent rotation of banks’ external auditors is required. Such further reform would enable CBI to implement an enhanced risk-based approach of banking supervision which scope would fully include external auditors., while more frequent rotation would ensure that sound external audit of banks is supported by periodic turn-over of their external auditors. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 28 |
Disclosure and Transparency The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws, regulations or the supervisor require periodic public disclosures115 of information by banks on a consolidated and, where appropriate, solo basis that adequately reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Regarding legal, regulatory, and supervisory requirements on public disclosure of information by banks, the Icelandic framework supports transparency. CBI refers to the following set of norms in that regard:
Major banks disclose quarterly financial statements, on a consolidated and solo basis. Their annual and half year financial statements are reviewed by external auditors. Other credit institutions shall submit annual financial statements audited by external auditors. Additionally, financial statements are presented in the FINREP report. Banks are also required to disclose Pillar 3 reports that include risk-based information. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that the required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration. The scope and content of information provided, and the level of disaggregation and detail is commensurate with the risk profile and systemic importance of the bank. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
Regarding the risk-based scope and content of information subject to disclosure by banks, from a supervisory perspective, CBI refers to EU rules and EBA guidelines on Pillar 3 requirements on financial disclosure which specifies expected public information relating to banking risks: EU regulation No. 575/2013 (CRR), Part Eight, and EBA guidelines No. 2016/11 on disclosure requirements. CBI has not introduced countryspecific norms in that regard. Banks are required to publicly disclose Pillar 3 regulatory reports, which templates are aligned with EBA requirements, and not tailored with any additional Icelandic requirements. In 2019, CBI made a thematic assessment of the quality of major banks’ Pillar 3 reports against EU rules and EBA guidelines on financial disclosure. Results highlighted large compliance but several kinds of gaps, requiring more detailed information, for example on risk management policies, use of external credit assessment institutions (ECAI), remuneration policies, capital adequacy, market risk on equities, IRRBB, counterparty credit risk, credit risk adjustments, and credit mitigation techniques. Major banks publish on their website annual reports on Pillar 3 disclosure, including information on risk management, capital management, credit risk, market risk, liquidity risk, operational risk, and other material risk, as well as remuneration. For illustration, major banks’ most recent reports on Pillar 3 risk disclosure for 2021 are accessible as follows:
In addition, since 2018 D-SIBs have participated to the EU-wide transparency exercise. Main indicators for Iceland can be viewed on the EBA’s website (latest year is 2021): https://tools.eba.europa.eu/interactive-tools/2021/powerbi/tr21 visualisation page.html. These indicators are quite useful for highlighting key prudential indicators on major Icelandic banks (D-SIBs) and benchmarking with other EEA jurisdictions accordingly. Financial disclosure of other banks, mostly savings banks, is in Icelandic only, and looks quite less detailed. It could not be assessed thoroughly during the mission. Therefore, though non-major banks represent a non-material part of the banking sector, their financial disclosure should be enhanced to facilitate external assessment. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
Laws, regulations or the supervisor require banks to disclose all material entities in the group structure. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
Regarding the disclosure of the consolidation perimeter based on which banks’ consolidated financial statements are disclosed, CBI relies on Act No. 3/2006, articles 4041 and Chapter V, as well as IFRS. Banking groups must therefore include all material subsidiaries in their consolidated financial disclosure. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
Regarding the role of CBI on reviewing and enforcing disclosure standards applicable to banks, CBI confirms that banking supervisors monitor adherence to Act No. 3/2006 on annual accounts. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor or other relevant bodies regularly publishes information on the banking system in aggregate to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes aggregate data on balance sheet indicators and statistical parameters that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
Regarding information disclosed on the banking system and banking supervision by CBI, acting as the Authority in charge of banking supervision, practices have been gradually upgraded. More materials with updated translation in English can now be found on CBI’s website, which were not disclosed comprehensively enough until quite recently. According to Act No. 92/2019, CBI shall compile economic and monetary data, provide opinions, and advise the Government on all foreign exchange and monetary issues. Main CBI publications pertaining to banking supervision may be summarized as follows:
There is much more specific information pertaining to the banking sector and banking supervision on CBI’s website, yet mainly in Icelandic, for instance on AML/CFT. CBI also discloses sensitive information on specific banks, such as SREP decisions on capital requirements, and sanctions (in Icelandic only). Besides, Statistics Iceland, a governmental institution, handles official statistics under the aegis of the minister. One role of Statistics Iceland, with other competent State institutions, is data collection for the generation of statistics on the Icelandic economy and society, the processing of these data, and the dissemination of statistical information to the public, businesses, institutions, and public authorities. Yet no specific database on the financial sector is disclosed by Statistics Iceland on its website: https://statice.is/. CBI’s disclosure of documentation in English on banking regulations is being progressively upgraded and updated: https://en.fme.is/about-us/supervisory-disclosure/. Yet specific CBI webpages in English on financial supervision are not fully intuitive: https://en.fme.is/. More detailed and updated documentation may be found directly on CBI’s webpages, which is not fully convenient nor reliable: https://www.cb.is/about-the-bank/central-bank-of-iceland/laws-and-rules/. Completion of upgrading CBI’s English website would be welcome in order to enhance transparency reasonably and proportionately, in view of ensuring more comprehensive and reliable information to foreign stakeholders on the framework of banking regulation and supervision implemented in Iceland. This project is under progress. CBI has disclosed a transparency policy (in Icelandic only): https://www.fme.is/um-okkur/gagnsaei-i-eftirliti/. The policy on the implementation of public publication of results in cases and observations, based on article 9 a of law No. 87/1998 on public supervision of financial activities, includes public publication of results in cases and observations, which purpose is to increase the credibility of CBI and the preventive effect of CBI’s actions. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 28 |
Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Major banks disclose detailed information, including Pillar 3 reports and ESG reports on their websites, in both Icelandic and English. Though non-major banks represent a nonmaterial part of the banking sector, their financial disclosure in Icelandic only should be enhanced to facilitate external assessment. Financial disclosure of D-SIBs’ financial statements is made annually with quarterly updates in Icelandic and English. Financial disclosure is less accessible and detailed for savings banks (Icelandic only). Supervisory disclosure by CBI looks quite rich in Icelandic, including regulation, guidance, general information, reports, even decisions on individual banks (for instance, Pillar 2 decisions, and sanctions). The recent disclosure of the financial supervision strategy for 2022-24 is a commendable achievement towards better transparency from CBI. Yet the quality of English-translated supervisory disclosure may still be enhanced for the benefit of foreign stakeholders, notably on the regulatory and supervisory framework and policies. No main finding has been identified. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Principle 29 |
Abuse of Financial Services The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.116 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Essential Criteria |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC1 |
Laws or regulations establish the duties, responsibilities and powers of the supervisor related to the supervision of banks’ internal controls and enforcement of the relevant laws and regulations regarding criminal activities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC1 |
Icelandic banks are subject to a numerous and complex legal framework and guidelines, both at the national level and with respect to the EU requirements. Below is an overview of the various laws, regulations that establish the duties, responsibilities and powers of CBI. Legislation Act. No. 140/2018 on Measures Against Money Laundering and Terrorist Financing (the AML/CFT Act) covers AML/CFT requirements in Iceland, see in annexAML.CFTAct, and the referred Articles below refer to the Act, unless otherwise is stated. The Act is based on previous legislation regarding AML/CFT and was revised in its entirety in 2018. Since then, it has been updated several times in accordance with European legislation and FATF standards. According to paragraph 1 of Article 38, the FSA is responsible for supervising that the obliged entities referred to in subsections (a)-(k) in the first paragraph of Article 2 comply with the provisions of the Act and regulations and rules issued hereunder. The supervision shall be subject to the Act on Official Supervision of Financial Activities and the sectorial law governing the operations of obliged entities. Paragraphs 3-7 of Article 38 stipulates the following:
See further information on CBI’s powers with regards to coercive measures and sanctions in EC8. In addition, the Act on Freezing, listing and PF No. 64/2019, see annex Act on freezing, listing and PF 64-2019, is in force and covers obliged entities requirements with regard to targeted financial sanctions monitoring and CBI ’s supervisory role in that regard. Regulation The following regulation has been set by the Minister of Justice, based on the AML/CFT Act:
The regulations are further expansions of the AML/CFT Act and provide further guidance to obliged entities on how to comply with the relevant requirements. Rules The following rules have been set by CBI:
Guidelines from the European Banking Authority (EBA) CBI has implemented the following guidelines:
Guidance Material Domestic guidance material (besides guidelines from the ESA’s is generally twofold
In addition, the part of CBI’s website dedicated to AML/CFT, https://www.fme.is/eftirlit/eftirlit-med-adgerdum-gegn-peningathvaetti-og-fjarmognun-hrydjuverka/, has detailed information on regulatory requirements and expectations set by CBI. See specifically information on the cycle of obliged entities’ risk-based measures, https://www.fme.is/eftirlit/eftirlit-med-adgerdum-gegn-peningathvaetti-og-fjarmognun-hrydjuverka/adgerdir-tilkynningarskyldra-adila/. Each aspect of the measures is described in further detail on the website. Domestic Coordination of AML/CFT Issues Steering Group on AML/CFT CBI is part of the Ministry of Justice’s steering group on anti-money laundering and terrorist financing measures according to Article 39 of the AML/CFT Act, with two representative (one from Compliance and Inspections and one from Financial Stability). Members of the steering group are representatives of the following parties, including CBI:
The steering group’s role is furthermore, as follows:
The steering group has monthly meetings at the minimum. As is explained in further detail in EC12, there are requirements for cooperation and information exchange that takes place between meetings, on behalf of members of the steering group. National Risk Assessment According to paragraph 1 of Article 4 of the AML/CFT Act, the National Commissioner of the Icelandic Police shall conduct a risk assessment that includes the analysis and assessment of the risk of money laundering and terrorist financing activities and identify means of mitigating the identified risk. The risk assessment shall be updated every two years, or more frequently if appropriate. All public authorities are obliged to provide the national commissioner with information necessary for the preparation of the risk assessment. A risk assessment based on this requirement has been conducted two times, in 2019 and the latest one in 2021, see here Ahaettumat-2021-lokautgafa.pdf (logreglan.is) Paragraph 3 and 4 of Article 4 states that the risk assessment shall take into account the risk assessment carried out by the European Commission, be based on comprehensive information, both from public authorities and other relevant sources in possession of information, and take into account other appropriate factors. The risk assessment under the first paragraph shall:
AML/CFT as a Supervisory Priority AML/CFT supervision has been a priority within CBI and formerly within the FSA (before the merger) for the last 5 years. CBI/FSA publishes its supervisory strategy every 3 to 4 years (link to the latest one is here: https://www.cb.is/libra ry/Skraarsafn---EN/Financial-Supervision-Committee/Supervisory Strategy 2022-2024-final (002).pdf). Based on the supervisory strategies, priorities of European Banking Authority (EBA)and more factors the Deputy governor of financial supervision as well as the Governor of the Central Bank decide on yearly priorities every year. In yearly priorities for 2022 emphasis was put on cooperation between the AML team and the prudential supervision as well as obliged entities IT systems used for AML/CFT purposes. Based on the yearly priorities, risk assessments of the market as well as risk assessment of each obliged entities and supervisory engagement model a yearly working plan is made. The AML/CFT work schedule is reviewed quarterly. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC2 |
The supervisor determines that banks have adequate policies and processes that promote high ethical and professional standards and prevent the bank from being used, intentionally or unintentionally, for criminal activities. This includes the prevention and detection of criminal activity, and reporting of such suspected activities to the appropriate authorities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC2 |
CBI has implemented a risk-based approach to AML/CFT supervision based on EBA’s GL on risk-based AML/CFT supervision, see further in Policy on risk based AMLCFT supervision.doc. CBI’s approach is also influenced by the FATF Guidance on Risk-based supervision, see https://www.fatf-gafi.org/media/fatf/documents/Guidance-Risk-Based-Supervision.pdf. In addition CBI follows the EBA’s work on the subject, an example of that is the following report: CBI reports suspected activities to the appropriate authorities (as described under EC1). The policy is supported with processes and procedures, including:
CBI’s risk-based approach is based on a methodology that entails assessing the risk of money laundering and terrorist financing in the financial market and prioritizing supervisory measures in accordance with the results of that assessment. To this end, CBI conducts on the one hand a sectoral risk assessment of the financial market and on the other hand individual risk assessments of all obliged entities. Sectoral Risk Assessment CBI has divided the financial market into the following sub-markets:
The risk associated with the above categories is assessed every two years; furthermore, an assessment is made of whether the information in the National Commissioner of the Police’s risk assessment (NRA) is sufficient for CBI to use in its risk assessment, or whether CBI should carry out its own risk assessment of the type of entity concerned. CBI has determined that the NRA suffices in all instances, except with regard to commercial banks, savings banks, and payment service providers, in which CBI has carried out specific risk assessments. Individual Risk Assessment Annually a risk assessment is carried out on all obliged entities in order to determine the likelihood that their operations will be used for money laundering or terrorist financing. The risk assessment is divided into two parts:
In order to be able to assess the aforementioned aspects of obliged entities’ activities, all obliged entities provide an annual AML/CFT questionnaire (irrespective of their risk rating) to CBI/FSA. The questionnaire, which has been collected since 2018, contains both quantitative and qualitative information regarding the bank’s activities of which CBI utilizes as part of its off-site risk based assessment that assists with determining if further on-site inspection work is needed, including:
This information on the entity’s operations provided in the questionnaire, including the risk classification of its customers and any business the entity conducts with customers engaged in high-risk activities. Obliged entities’ responses give indications of the risks each entity faces and how it defends itself against them. The risk assessment also takes into account the results of supervisory measures that have been carried out towards the obliged entity, including on-site inspections and other proactive checks, and interviews with money laundering reporting officers (MLRO). Finally, consideration is given to information from prudential supervisors; i.e., changes to the business plan and information on governance practices. On the basis of the risk assessment results - i.e., the risk assessment score - CBI divides obliged entities into four risk categories: high, medium-high, medium-low, and low. A high score (4) indicates that there is significant risk that the entity’s activities will be used for money laundering and terrorist financing, whereas a low score (1) indicates limited risk. Further information on how the risk assessment is conducted can be found in Work procedures for risk assessment on obliged entities. In order to determine the frequency and scope of supervisory actions, based on obliged entities’ risk score, CBI has developed and implemented the following minimum supervisory engagement model:
As the model shows, the intensity and intrusiveness of supervision is decided based on the risk category of each obliged entity. The higher the ML/TF risk is identified, the more likely it is that the intensity and the intrusiveness of the supervision will be greater. The exact intensity and intrusiveness are determined on a case-by-case basis and can depend on underlying information on the obliged entity, the previously identified deficiencies and information from external counterparts, such as the FIU. As stipulated in the above risk assessment model, Assessors noted that CBI/FSA has undertaken additional supervisory work with higher intensity and intrusiveness depending on the risk category. In addition, CBI has carried out extensive on-site inspection work for the D-SIBs, given the systemic importance of these banks. Further, see the assessors’ views at the end of this section, wherein it is recommended that the minimum engagement model go beyond contact with “only the MLRO” to include the senior management of the bank (e.g., CEO/CRO) as well at members of the Board. Following is further information on CBI’s supervisory measures, based on the aforementioned engagement model:
Information from risk assessments of obliged entities also give CBI indications on further supervisory engagement necessary in the following year, such as whether inquiries shall be made, educational meetings or seminars held, and circulars or other information sent to obliged entities. Following are examples of such actions on behalf of CBI:
Further information about the connection between the EU supranational risk assessment, NRA, and CBIs risk assessment, both individual and on the financial sectors: The EU publishes the Supranational risk assessment as required by the 4th Anti-Money laundering Directive and is supposed to update the assessment every two years. In October 2022 the assessment was updated, and it can be found here. As stated in the Policy on Risk Based Supervision (CP29 EC2) the NRA is based on the EU risk assessment and CBI risk assessments, both on financial market and individual risk assessment are based on the NRA. See picture below from the Policy on risk-based Supervision. When an updated Supranational risk assessment is published it can have effect on CBI’s risk assessments.
One of the updates that were made concerning the financial market was a higher risk score for crypto assets. Since the individual risk assessment is still underway at CBI it will take the updated assessment into consideration regarding the service providers. The NRA will be updated in the Q2 of 2023 and that work will reflect the most recent EU Supranational Risk assessment. An updated EU Supranational risk assessment is not information that CBI considers it is obliged to introduce to the market due to the fact that the market should be aware of this information. Assessors noted that beyond carrying out off-site risk assessments of each of the DSIBs on an annual basis (savings banks, self-assessment collected annually and reviewed), the AML/CFT on-site inspectors carried out approximately 9 on-site inspections beginning in 2018, but a very focused effort after the AML Act came into force. Therefore, an in-depth review of all three D-SIBs in 2020 together with several follow-up inspections was undertaken to ensure that banks addressed all deficiencies on a timely basis. For savings banks, an inspection was carried out in 2019/2020 and there is one currently on-going. Part of the FATF Mutual Evaluation Report for Iceland (2018) report highlighted the need for the FME (previous to the merger between CBI and the FSA) to improve its risk identification techniques, analysis, and assessment across all market sectors entities that it regulated reflected in the “non-compliant” rating. Since this observation, the FATF MER updated the ratings in 2029 and 2020 to “partially compliant”. Assessors note that for banks, FME and post-merger with the CBI, the FSA has implemented its risk based supervisory model for AML/CFT risk, introduced the annual collection from all banks of critical data to support its analysis (questionnaire), undertaken several on-site inspections of the high impact banks (DSIBs) plus the 4th commercial bank as well as undertaken 2 on-site inspections, conducted individual bank risk assessments on the DSIBs, an assessment on all commercial banks, an assessment on all savings banks and a sectoral assessment (partially based on the individual assessments) that included not only all banks, but other critical market participants (e.g. payments entities) - all of which CBI now regulates. It was noted that the CBI utilizes a minimum engagement model, wherein it is possible that the low impact banks would not be afforded the same scrutiny or level of supervisory work annually, but up to every three years. Given Iceland has only a total of 9 banks, it is recommended that an on-site review be conducted at each of the savings’ banks to ensure CBI has an in-depth view of each of the savings banks’ compliance with the legal and supervisory requirements. Further, it is noted that when CBI undertakes an on-site inspection, the results of which are only discussed with the Compliance Officer and the MLRO. CBI need to change the level of contact with the Board, and senior management (CEO and CRO) with respect to results of on-site inspections and the follow-up of any outstanding deficiencies noted as part of the supervisory review. Assessors recommend that CBI re-assess how long it takes to communicate findings to the bank post inspection. In a few cases, assessors noted that although inspection reports are provided to the management of banks upon completion of the on-site review, CBI delayed issuing the formal letters that included remedial/corrective actions to the Board of Directors as it was deemed unwise to do so prior to having completed all three on-site inspections involved in the thematic review. Specifically, management receives the inspection report at the exit meeting, with a formal letter that goes to bank’s Board outlining requirements/recommendations (tied to legal requirements) at a much later date. CBI should provide not only discuss the results with the CEO and CRO, it should meet with the Board as well as ensure reports are directly to the Board to ensure immediate awareness of findings. CBI’s risk assessment program for AML/CFT results in a risk score that should be rolled into the overall SREP assessment for banking supervision. This is in line with the EBA draft guidelines that will come into force January 2023: BoS 2018 xx Revised SREP GL including amendment for reference.docx (europa.eu) Specifically, the EBA has taken an integrated approach to incorporating ML/TF risks into the SREP, rather than creating a separate risk category with a separate risk score. In that respect, there will only be an impact on the SREP scores in so far as there is a prudential impact of the AML/CFT risks on the related banking risks. With regard to the proposed hybrid solution, the EBA notes the point and wishes to clarify that the integrated approach has been taken in order to avoid overlaps with the AML/CFT supervisory function that is responsible for the supervision, assessment and scoring of ML/TF risks. Assessors note that AML experts have already begun discussion with the Banking Department with respect to implementing the draft EBA guidelines. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC3 |
In addition to reporting to the financial intelligence unit or other designated authorities, banks report to the banking supervisor suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank.121 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC3 |
In Article 25 of the AML Act states that supervisors shall have in place mechanisms to receive and follow up on reports on violations, possible violations and attempted violations of the AML Act and of regulations and rules issued hereunder, and reports of suspicions of money laundering and terrorist financing. Mechanisms under this provision shall:
On CBI’s website there is a mechanism for anonymous reporting of suspicious activity, other violations, possible violations and attempted violations. (see Uppljostrun | Fjarmalaeftirlitid (fme.is) and Hafa samband | Fjarmalaeftirlitid (fme.is). for the direct reporting channel. The banks are not legally obliged to report suspicious activities reports (SAR/STR) to CBI, only to the FIU. However, CBI has close cooperation with the FIU and discusses the reports sent by the banks, for example the quality of STR’s and if there is some specific risk that the FIU has encountered based on the reports. Besides regular and ad hoc meetings with the FIU, the onsite team has meetings with the FIU before each onsite where the STR reports are discussed. Furthermore, the banks are required to set a risk appetite regarding operational risk and serious incidents stemming, for example from fraud. The banks are required to have in place policies and procedures in that regard and notify CBI of activities/incidents that are material to the safety, soundness or reputation to the bank, cf. Article 77 a and 78 g of Act No. 161/2002 on financial undertaking. Thera are also more specific requirement in relation to activities stemming from payment service based on Act No 114/2021 on payment service, guidelines 1/2019 and following EBA guidelines; Final-Report-on-EBA-Guidelines-on-fraud-reporting-Consolidated-version.pdf (fme.is) and EBA BS 2021 xx (Final revised GL on major incident reporting under PSD2).docx (fme.is). Guidance on notification can be found here for unfortunately only in Icelandic: SI 4.1.13 Leidbeiningar umtilkynningu fravika.indd (fme.is). The AML/CFT team is notified by the prudential supervisors in instances where fraud and suspicious activity could have impacted materially to the safety, soundness or reputation of the banks. Furthermore, there is a special policy with regard to cooperation and exchange of information between AML/CFT supervision and the banking department. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC4 |
If the supervisor becomes aware of any additional suspicious transactions, it informs the financial intelligence unit and, if applicable, other designated authority of such transactions. In addition, the supervisor, directly or indirectly, shares information related to suspected or actual criminal activities with relevant authorities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC4 |
In accordance to Article 23 CBI shall if, in course of their work, they become aware of transactions that may be related to money laundering or terrorist financing, or if CBI receives information on such transactions, inform the FIU immediately. On the basis of Article 23 CBI informs the FIU of suspicious transactions stemming from on-site inspections. For example, in 2020, CBI reported 2 cases following an inspection at savings bank and in 2021, CBI reported 5 cases following one inspection at a creditor and one inspection at a payment institution. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC5 |
The supervisor determines that banks establish CDD policies and processes that are well documented and communicated to all relevant staff. The supervisor also determines that such policies and processes are integrated into the bank’s overall risk management and there are appropriate steps to identify, assess, monitor, manage and mitigate risks of money laundering and the financing of terrorism with respect to customers, countries and regions, as well as to products, services, transactions and delivery channels on an ongoing basis. The CDD management program, on a group-wide basis, has as its essential elements:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC5 |
See response to EC 2 regarding CBI ’s risk-based supervision of obliged entities. Regarding the requirements stated in EC5 on CDD policies and processes, reference is made to Article 5 a., paragraph 2, point a, of the AML Act 140/2018 where it is stipulated that obliged entities shall have policies, controls and processes on CDD. In paragraph 3 of the same Article, it says that the policies shall be approved by the board and that processes shall be approved by senior management. It then states that senior management shall supervise the implementation of the policies, controls and processes and shall require additional controls if necessary. Article 5 of the AML Act requires obliged entities to conduct a business-wide risk assessment. The business-wide risk assessment involves identifying and assessing the risk of money laundering and terrorist financing based on the main weaknesses of the activity and threat to it. According to Article 5, the business-wide risk assessment shall include a complete analysis and shall take account of, among other things, risk factors relating to customers, countries or regions, products, services, transactions, technology, and delivery channels. The business-wide risk assessment shall be updated every two years, and more frequently if appropriate. According to Article 5 a. of the AML Act, policies, controls, and procedures shall be based on the risk assessment under Article 5. (a) As stipulated above the findings from the business-wide risk assessment should inform their AML/CFT policies, controls, and procedures, according to Article 5 a. of the AML Act. The policies of the obliged entities, approved by the board, should include the customer acceptance policy or the risk appetite of the obliged entities. This is further elaborated on in the ML/TF Risk Factor Guidelines EBA/GL/2021/02 (Article 4.7. (Point g) and Article 1.18). (b) The detailed requirements on CDD are put forth in chapter III, including requirements to identify and verify customers on an ongoing basis. Article 10, paragraph 2, specifically, states that the obliged entities shall at all times obtain information on the customer and the beneficial owner and take appropriate actions to verify information. It then says that the obliged entity shall make an independent assessment of whether the information about the beneficial owner is accurate and adequate and must understand the ownership, operations and administrative structure of those customers that are legal persons, trusts or other similar arrangements. Article 10, paragraph 4, point e, states that obliged entities shall update their customer information regularly and obtain further information in accordance with the Act as necessary. The requirements on CDD are further stipulated in regulation 745/2019 on customer due diligence. In paragraph 5 of Article 20 of the regulation it states that in the risk assessment or policies of the obliged entities shall say how frequent the updates of CDD of a customer shall be in relation to the risk assessment of the customer. (c) Article 10, paragraph 4, point a, specifies that obliged entities shall conduct on-going monitoring of their business relationships. Requirement regarding on going monitoring is further explained in Article 20 of Regulation 745/2019 on customer due diligence. The Article specifies that obliged entities shall have automated monitoring systems that flag transactions and/or processes and methods to identify unusual or suspicious transactions. (d) Requirements for enhanced due diligence on high-risk accounts are stipulated in Article 13, paragraph 1, point c) and d) of the AML Act. This includes cases where the risk assessment shows increased risk or where the risk is in other ways increased. Article 14 includes a requirement to conduct enhanced due diligence where there are transactions or a business relationship relating to high-risk third countries. In that case an EDD includes getting an approval from senior manager before establishing the business relationship. (e) Requirement on enhanced due diligence on politically exposed persons are stipulated in Article 13 and 17 of the AML Act. In Article 17, Paragraph 2, Point a, obliged entities must get approval from senior management before entering or continuing a business relationship or transaction with politically exposed persons. (f) Article 28 requires obliged entities to retain data and information for at least five years from the end of a business relationship or the date of an occasional transaction. This includes documents and information relating to customer due diligence. Article 5 a, paragraph 2, point a. of the AML Act includes a requirement for obliged entities to include a provision on data retentions in their written processes. CBI has thoroughly inspected the fulfillment of these requirements at banks in the past and in recent years, see Reviews of credit institutions_15.9.2019 to 15.10.2022. Even if the scope of these inspections did not specifically point to each of these requirements, the findings during this period covered all points a.-f. in EC 5. In 2018-2020 CBI conducted inspections in the four large banks, and one savings bank (and other obliged entities), with a focus on CDD, specifically the ultimate beneficial owner, and the requirement to obtain verification of the information on the beneficial owner and make an independent assessment of the information, AML/CFT training of staff, politically exposed persons, investigation, and reporting of suspicious transactions, as well as international sanctions. Findings of the inspections included insufficient information on the beneficial owners, insufficient processes on customer due diligence, information on customers not updated regularly and insufficient investigations of suspicious transactions. It should be noted that at the time the AML Act of 64/2006 did not give the FSA powers to impose administrative sanctions based on breaches of the Act. The findings of the onsite inspections were published after each onsite on the website of the FSA in a transparency report. One of these inspections, the savings bank SparisjoSur Strandamanna, severe breaches were found, and CBI made a settlement with the savings banks (see further in EC8). The detailed settlement was published on the website of CBI. The thematic inspections on the risk-based approach from 2020-2022, based on the new AML Act nr. 140/2018, focused on the risk assessment (Article 5 - A) and policies, controls, and procedures. It also focused on risk assessment of business relationships and occasional transactions (Article 5 - B) and a risk-based approach to CDD and ongoing monitoring. The findings included insufficient risk assessment, inadequate risk classification of customers, insufficient enhanced due diligence, and unsatisfactory ongoing monitoring and weaknesses in the transaction monitoring system. The findings were published in a report after each inspection presented to each obliged entity. A decision was made not to publish a transparency report after each onsite inspection, but to publish a Best Practice Report on the risk-based approach based on these onsite inspections, where the findings were presented (but anonymized) (see annex Best Practice Report April 2022). Because of the decision to publish the Best Practice Report and to include a more detailed guidance in each inspection report and the new requirements in AML Act 140/2018, it was decided that CBI would not impose sanctions unless there were serious and strategic breaches of the AML Act. In a few banks, because of the severity of the findings, CBI assessed in a Memorandum, whether there were grounds to impose sanctions, see annex Memorandum following the on-site inspection of Islandsbanki. In the Memorandum CBI compares the findings to previous findings in similar institutions, whether the findings are repeated and of a systematic nature and assesses the severity of the findings. Following one inspection of a credit undertaking, Salt Pay llB hf., where severe breaches had been found, that were deemed to be strategic and where previous two onsite reports at the same institutions had also included findings of a serious nature, CBI made a settlement (see further in EC8). In all inspections CBI has demanded corrective actions before a certain date and has demanded that the banks provide an action plan where it is clearly stated what the bank intends to do and when it intends to complete the corrective action. CBI has followed up on the action Plan with meetings with the banks. CBI also demands that the corrective actions are reviewed by the internal auditor of the bank. In one bank, where there were severe breaches of the AML Act, CBI followed up on the report from the internal auditor with an off-site inspection. The findings, however, were of the nature that they needed to be followed up on with follow-up onsite inspection. As stated above, because of the severity of the findings, CBI decided to immediately follow up with an inspection in all the banks. The scope of the inspection was to examine issues related to previous on-site inspections of the bank’s risk assessment and mitigation methods, as part of a follow-up. But also, to examine the registration and traceability of information relating to, among other cash transactions and international bank transfers. The focus areas with regard to risk factors were :(1) Correspondent banking (2) International bank transfers (3) Cash transactions (4) Payments from custody accounts (5) Debt securities collections. The focus of the onsite inspection was in part, in response to a memorandum from the FIU, on weaknesses within the large commercial banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC6 |
The supervisor determines that banks have in addition to normal due diligence, specific policies and processes regarding correspondent banking. Such policies and processes include:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC6 |
See response to EC 2 with regard to the basis of CBI’s AML/CFT supervision. Article 15 describes requirements with regard to transactions with correspondent banks and states the following: In cross-border correspondent relationships with institutions in non-member states, obliged entities referred to in subsections (a)-(k) of the first paragraph of Article 2 shall, in addition to the customer due diligence measures required under Article 10, meet all the following conditions when establishing business relationships:
Article 16 states a prohibition of transactions with shell banks and banks that is in relationship with shell banks and states the following: Obliged entities referred to in subsections (a)-(k) of the first paragraph of Article 2 may not enter into, or continue, correspondent relationships with shell banks. They are moreover not permitted to have business relationships with respondents who permit shell banks to make use of their accounts. If business relationships have been established with such respondents or shell banks, they shall be terminated immediately. CBI is currently conducting on-site inspections at the four commercial banks (one after the other). The first inspection commenced on 12 April 2022 with an initial letter. The onsite inspection took place from 17 May 2022 to 15 June 2022. The scope of the inspection was to examine the registration and traceability of information, in addition to examining issues related to previous on-site inspection of the bank’s risk assessment and mitigation methods, as part of a follow-up. The focus areas with regard to risk factors were :(1) Correspondent banking (2) International bank transfers (3) Cash transactions (4) Payments from custody accounts (5) Debt securities collections The on-site inspection was finalized with a report on 12 October 2022. The following observations were made with regard to correspondent banking:
The report is currently being examined by off-site supervisors in the Compliance team, with regard to the next steps in the case. With regard to the other three banks, a draft report is being finalized for the second bank, the on-site inspection in finalized and a draft report is being written for the third bank and in the case of the fourth bank, the on-site inspection will commence in the beginning of 2023. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC7 |
The supervisor determines that banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the financing of terrorism. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC7 |
See also response to EC 2 and EC 5. CBI assesses whether banks have sufficient controls and systems mainly through onsite inspections. During the onsite the control and systems are assessed by walkthroughs, sample testing and interviews with key employees like the MLROs and front-line employees. The annex Reviews of credit institutions_15.9.2019 to 15.10.2022 covers all on-site and off-site inspections conducted during the time period and included in the document is the scope of each inspection. It is evident that all onsite inspections during this time have covered controls and systems. Furthermore, the assessment of controls and systems is part of some off-site inspections in addition to them being part of the application process of an operating license as a bank. Checklists for review of policies, controls and processes, Checklist for review of risk-based measures and Template of questions in on-site inspections were all provided to the Assessors as part of the on-site BCP assessment. Risk-based sample testing During an inspection the on-site team takes risk-based samples according to the procedure here below:
Supervision of transaction monitoring systems and flags: The on-site team has investigated transaction monitoring and flags in the following manner:
Supervision of suspicious transaction reporting: CBI files a STR related to transactions if CBI deems it suspicious. As noted in EC4 CBI reported 5 cases in 2021 and 2 cases in 2020. None of the reports were related to the commercial banks. However, in most cases CBI does not have sufficient information to decide whether there are reasonable grounds to report or not since the obliged entities have not investigated flags adequately. Under such circumstances the on-site team points out in the report that flags have not been investigated sufficiently which can than result in a STR. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC8 |
The supervisor has adequate powers to take action against a bank that does not comply with its obligations related to relevant laws and regulations regarding criminal activities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC8 |
Regarding the requirements stated in EC5 on CDD policies and processes, reference is made to Article 5 a., paragraph 2, point a, of the AML Act 140/2018 where it is stipulated that obliged entities shall have policies, controls and processes on CDD. In paragraph 3 of the same Article, it says that the policies shall be approved by the board and that processes shall be approved by senior management. It then states that senior management shall supervise the implementation of the policies, controls and processes and shall require additional controls if necessary. Article 5 of the AML Act requires obliged entities to conduct a business-wide risk assessment. The business-wide risk assessment involves identifying and assessing the risk of money laundering and terrorist financing based on the main weaknesses of the activity and threat to it. According to Article 5, the business-wide risk assessment shall include a complete analysis and shall take account of, among other things, risk factors relating to customers, countries or regions, products, services, transactions, technology, and delivery channels. The business-wide risk assessment shall be updated every two years, and more frequently if appropriate. According to Article 5 a. of the AML Act, policies, controls, and procedures shall be based on the risk assessment under Article 5. (a) As stipulated above the findings from the business-wide risk assessment should inform their AML/CFT policies, controls, and procedures, according to Article 5 a. of the AML Act. The policies of the obliged entities, approved by the board, should include the customer acceptance policy or the risk appetite of the obliged entities. This is further elaborated on in the ML/TF Risk Factor Guidelines EBA/GL/2021/02 (Article 4.7. (Point g) and Article 1.18). (b) The detailed requirements on CDD are put forth in chapter III, including requirements to identify and verify customers on an ongoing basis. Article 10, paragraph 2, specifically, states that the obliged entities shall at all times obtain information on the customer and the beneficial owner and take appropriate actions to verify information. It then says that the obliged entity shall make an independent assessment of whether the information about the beneficial owner is accurate and adequate and must understand the ownership, operations and administrative structure of those customers that are legal persons, trusts or other similar arrangements. Article 10, paragraph 4, point e, states that obliged entities shall update their customer information regularly and obtain further information in accordance with the Act as necessary. The requirements on CDD are further stipulated in regulation 745/2019 on customer due diligence. In paragraph 5 of Article 20 of the regulation it states that in the risk assessment or policies of the obliged entities shall say how frequent the updates of CDD of a customer shall be in relation to the risk assessment of the customer. (C) Article 10, paragraph 4, point a, specifies that obliged entities shall conduct on-going monitoring of their business relationships. Requirement regarding on going monitoring is further explained in Article 20 of Regulation 745/2019 on customer due diligence. The Article specifies that obliged entities shall have automated monitoring systems that flag transactions and/or processes and methods to identify unusual or suspicious transactions. (d) Requirements for enhanced due diligence on high-risk accounts are stipulated in Article 13, paragraph 1, point c) and d) of the AML Act. This includes cases where the risk assessment shows increased risk or where the risk is in other ways increased. Article 14 includes a requirement to conduct enhanced due diligence where there are transactions or a business relationship relating to high-risk third countries. In that case an EDD includes getting an approval from senior manager before establishing the business relationship. (e) Requirement on enhanced due diligence on politically exposed persons are stipulated in Article 13 and 17 of the AML Act. In Article 17, Paragraph 2, Point a, obliged entities must get approval from senior management before entering or continuing a business relationship or transaction with politically exposed persons. (f) Article 28 requires obliged entities to retain data and information for at least five years from the end of a business relationship or the date of an occasional transaction. This includes documents and information relating to customer due diligence. Article 5 a, paragraph 2, point a. of the AML Act includes a requirement for obliged entities to include a provision on data retentions in their written processes. CBI has thoroughly inspected the fulfillment of these requirements at banks in the past and in recent years, see Reviews of credit institutions_15.9.2019 to 15.10.2022. Even if the scope of these inspections did not specifically point to each of these requirements, the findings during this period covered all points a.-f. in EC 5. In 2018-2020 CBI conducted inspections in the four large banks, and one savings bank (and other obliged entities), with a focus on CDD, specifically the ultimate beneficial owner, and the requirement to obtain verification of the information on the beneficial owner and make an independent assessment of the information, AML/CFT training of staff, politically exposed persons, investigation, and reporting of suspicious transactions, as well as international sanctions. Findings of the inspections included insufficient information on the beneficial owners, insufficient processes on customer due diligence, information on customers not updated regularly and insufficient investigations of suspicious transactions. It should be noted that at the time the AML Act of 64/2006 did not give the FSA powers to impose administrative sanctions based on breaches of the Act. The findings of the onsite inspections were published after each onsite on the website of the FSA in a transparency report. One of these inspections, the savings bank SparisjoSur Strandamanna, severe breaches were found, and CBI made a settlement with the savings banks (see further in EC8). The detailed settlement was published on the website of CBI. The thematic inspections on the risk-based approach from 2020-2022, based on the new AML Act nr. 140/2018, focused on the risk assessment (Article 5 - A) and policies, controls, and procedures. It also focused on risk assessment of business relationships and occasional transactions (Article 5 - B) and a risk-based approach to CDD and ongoing monitoring. The findings included insufficient risk assessment, inadequate risk classification of customers, insufficient enhanced due diligence, and unsatisfactory ongoing monitoring and weaknesses in the transaction monitoring system. The findings were published in a report after each inspection presented to each obliged entity. A decision was made not to publish a transparency report after each onsite inspection, but to publish a Best Practice Report on the risk-based approach based on these onsite inspections, where the findings were presented (but anonymized) (see annex Best practice report April 2022). Because of the decision to publish the Best Practice Report and to include a more detailed guidance in each inspection report and the new requirements in AML Act 140/2018, it was decided that CBI would not impose sanctions unless there were serious and strategic breaches of the AML Act. In a few banks, because of the severity of the findings, CBI assessed in a Memorandum, whether there were grounds to impose sanctions, see annex Memorandum following the on-site inspection of Islandsbanki. In the Memorandum CBI compares the findings to previous findings in similar institutions, whether the findings are repeated and of a systematic nature and assesses the severity of the findings. Following one inspection of a credit undertaking, Salt Pay llB hf., where severe breaches had been found, that were deemed to be strategic and where previous two onsite reports at the same institutions had also included findings of a serious nature, CBI made a settlement (see further in EC8). In all inspections CBI has demanded corrective actions before a certain date and has demanded that the banks provide an action plan where it is clearly stated what the bank intends to do and when it intends to complete the corrective action. CBI has followed up on the action Plan with meetings with the banks. CBI also demands that the corrective actions are reviewed by the internal auditor of the bank. In one bank, where there were severe breaches of the AML Act, CBI followed up on the report from the internal auditor with an off-site inspection. The findings, however, were of the nature that they needed to be followed up on with follow-up onsite inspection. As stated above, because of the severity of the findings, CBI decided to immediately follow up with an inspection in all the banks. The scope of the inspection was to examine issues related to previous on-site inspection of the bank’s risk assessment and mitigation methods, as part of a follow-up. But also to examine the registration and traceability of information relating to, among other cash transactions and international bank transfers. The focus areas with regard to risk factors were :(1) Correspondent banking (2) International bank transfers (3) Cash transactions (4) Payments from custody accounts (5) Debt securities collections. The focus of the onsite inspection was in part, in response to a memorandum from the FIU, on weaknesses within the large commercial banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC9 |
The supervisor determines that banks have:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC9 |
AML on-site inspectors review the due diligence practices of banks when on-site to specifically review correspondent banking practices. Additionally, see further information regarding each point:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC10 |
The supervisor determines that banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services to either local management or the relevant dedicated officer or to both. The supervisor also determines that banks have and utilize adequate management information systems to provide the banks’ Boards, management and the dedicated officers with timely and appropriate information on such activities. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC10 |
Supervisors determines that obliged entities shall have in place a policy, controls, and procedures for suspicious transaction reporting in accordance with Art. 5. a. of the AML act nr. 140/2018. It states that obliged entities shall have in place policies, controls, and procedure on suspicious transaction reporting among other. In addition to the legal requirement to have in place internal policies on suspicious transaction reporting there is a legal requirement in article 25 of the AML act nr. 140/2018 for Obliged entities to have in place documented procedures, to encourage their employees or individuals in comparable positions to report violations of this Act and of regulations and rules issued hereunder. Iceland has a two-tier board structure. The management board which is the CEO according to Icelandic legislation is responsible for the day-to-day management of the bank and the board which has a supervisory role/supervises the management of the banks as well as setting policies and take major decisions, cf. Article 68 of Act on 2/1995 on Public Limited Companies and Article 1 b and Article 54 of Act No. 161/2002 on Financial Undertakings. In accordance to the interpretative notes to article 34 of the AML act 140/2018 the MLRO shall among other tasks receive notifications of suspected money laundering or terrorist financing from employees, record them and store them together with other data in an adequate manner, take measures to obtain the necessary information in connection with notifications from employees, submit an annual report to the supervisory board of directors. Additionally, he is tasked with the responsibility to ensure that the supervisory board is sufficiently informed about risks in relation to anti-money laundering and terrorist financing measures and that the board is actively involved in reducing and managing such risks. Before conducting the annual MLRO interviews CBI requests a copy of the annual MLRO report to the board of directors and other AML audit reports either conducted by the internal or external auditors. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC11 |
Laws provide that a member of a bank’s staff who reports suspicious activity in good faith either internally or directly to the relevant authority cannot be held liable. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC11 |
According to Article 26 an individual which, in good faith, reports suspicion of money laundering or terrorist financing, whether this is done to the FIU, a supervisor or within the obliged entity of his employment, shall be protected against retaliatory actions. The same applies regarding reports of violations of the Act. Furthermore, the Article stipulates that, amongst other things, the first paragraph shall entail that the person in question shall enjoy anonymity, in addition to which his employer may not abridge his rights and entitlements, terminate, or cancel his contract of employment or take any other retaliatory actions against him for having reported a suspicion of money laundering or terrorist financing. If the circumstances in the second paragraph arise after an individual has reported a suspicion under the first paragraph, the employer shall demonstrate that the decision is based on grounds other than the reporting by the individual of a suspicion of money laundering or terrorist financing. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC12 |
The supervisor, directly or indirectly, cooperates with the relevant domestic and foreign financial sector supervisory authorities or shares with them information related to suspected or actual criminal activities where this information is for supervisory purposes. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC12 |
Domestic Cooperation Reference is made to point 2 on Domestic coordination of AML/CFT issues in EC1. The legal framework for domestic cooperation with regard to AML/CFT issues can be found in chapter XI, Coordination and cooperation, of the AML/CFT Act. Furthermore, paragraph 1 of Article 40 states that supervisors (including CBI) and other competent authorities (members of the steering group), including the tax authorities and the police who, due to their duties, have responsibilities related to anti-money laundering and terrorist financing, are obliged, on their own initiative or upon a request, to share information and data which fall within the scope of the act with each other, if the matter concerned involves information or data that may fall under the competence of the authority they are shared with. Authorities shall in the same manner, provide mutual assistance related to anti-money laundering and terrorist financing. Further stipulation of the obligations with regard to domestic cooperation can be found in paragraphs 2-6 of Article 40. Additionally, Article 42 of the AML/CFT Act, stipulates cooperation and dissemination of information by the FIU. Based on the cooperation that is stipulated in the AML/CFT Act, the steering group has two sub-groups which CBI is a member of: 1) a cooperation platform with the supervisor for DNFBP’s, Iceland Revenue and Customs and the FIU. The supervisors meet monthly to discuss supervisory matters such as risk assessments, guidance and feedback, administrative sanctions cases, international cooperation, and legislative issues. In at least every other meeting, the FIU joins the meeting to discuss typologies, trends and methods that have been observed. 2) a cooperation platform with the supervisor for DNFBP’s, Iceland Revenue and Customs and the Ministry of Foreign Affairs. The group meets at least bi-annually to discuss issues regarding Act No. 64/2019 on freezing of assets. Therefore, the main topics are targeted financial sanctions and supervision of the requirements in that regard. Due to the recent sanctions in relation to the war on Ukraine, the group has met more frequently. Both platforms are based on MoU’s that have been signed between the relevant parties. The agreements were initially made in 2019, however one of them was materially updated recently and is yet to be formally signed. Reference is made to MoU btw FSA, Internal Revenue and FIU, Annex to MoU btw FSA, Skattur and FIU and MoU btw FSA, Skattur and MoFa. In addition, CBI has very frequent communications with the FIU, both through e-mail communications, meetings, phone calls and other informal communications. The FIU also regularly sends CBI memorandums which highlight issues at obliged entities that need to be brought to the attention of CBI. This type of information from the FIU has in some cases triggered inspections, which is the case with the current thematic inspections at banks. An overview of the main cooperation with the FIU since 2019 can be found in the document Cooperation with FIU. Unfortunately, CBI does not have detailed information on cooperation with the FIU, before that time. In addition to the previous information, CBI meets with the FIU before each on-site inspection to discuss specific issues and concerns regarding the inspected entity. Lastly CBI meets annually with the FIU before completing the authorities risk assessment. Foreign Cooperation Article 41 states without prejudice to non-disclosure obligations, parties involved in supervision under this Act and other competent authorities, e.g., tax authorities, which in the course of their activities have obligations related to measures against money laundering and terrorist financing, shall provide their sister institutions in Member States with the assistance they request unless the circumstances described in the third paragraph of Article 42 are applicable. Such information may only be provided it is subject to a non-disclosure obligation in the state in question or within the institute involved. Subject to the same conditions, supervisors and competent authorities may, on their own initiative, disseminate information to their sister institutions in other Member States if the information concern the Member State in question. The presence of branches and agents of foreign obliged entities is limited in Iceland and no branch in Iceland from foreign banks. Branches and agents are obliged entities according to Article 2 of the AML/CFT Act, cf. point f and g and supervision of these entities is conducted based on a risk-based approach. Based on that, the most extensive supervision is of the agent of Western Union Payment Services Ireland Limited (WUPSIL), as the services provided by the agent are high-risk according to CBI’s risk assessment. In that regard, CBI is part of the WUPSIL AML college123, led by the Central bank of Ireland and has signed a MoU to that extent. See annex MoU with regard to WUPSIL. Otherwise, cooperation with competent authorities in other EU Member States is of a general nature, mainly through the AMLSC at the EBA124 and the Nordic Baltic Working Group. In addition, there are instances in which CBI sends specific queries to other competent authorities in relation to certain cases. Last, the UK branch of the 4th commercial bank, is subject to an MOU between the CBI/FSA and the UK banking supervisory authorities, where in general, the supervisory cooperation and information sharing is formalized. The MOU covers among other tasks, AML/CFT supervision. The UK branch is part of CBI’s consolidated supervision and CBI can therefore request information and documentation regarding the UK branch from either the commercial bank or from the UK branch directly, according to Article 9 of Act No. 87/1998 and Act No. 161/2002. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
EC13 |
Unless done by another authority, the supervisor has in-house resources with specialist expertise for addressing criminal activities. In this case, the supervisor regularly provides information on risks of money laundering and the financing of terrorism to the banks. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description and Findings re EC13 |
Expertise of Resources All employees that are involved in AML/CFT tasks have considerable work experience in the field and have enhanced their knowledge to a greater extent in the last few years. Following are some examples of training and knowledge seeking on behalf of CBI employees:
Information on Risk CBI uses a range of tools to provide banks with information on risks, mainly the following:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Assessment of Principle 29 |
Largely Compliant |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Comments |
Since 2018, the CBI/FSA has implemented a risk based supervisory model for AML/CFT risk, introduced the annual collection, from all banks of critical quantitative and qualitative data to support its analysis (questionnaire), undertaken several on-site inspections of the high impact banks (DSIBs) plus the 4th commercial bank as well as undertaken 2 on-site inspections of savings banks, conducted individual bank risk assessments on the DSIBs, a risk assessment on all commercial banks, a risk assessment on all savings banks and a sectoral assessment (partially based on the individual assessments) that included not only all banks, but other critical market participants (e.g. payments entities) - all of which CBI now regulates. CBI has made great efforts to build up the area of expertise in AML/CFT (9 FTEs) to implement a risk based supervisory assessment model for banks and has carried out deep on-site inspections to assure itself of the effectiveness of bank’s risk management practices regarding compliance with applicable AML/CFT legislative and supervisory requirements. CBI has released a “lessons learned” paper, engaged the banking industry through conferences and has built a very detailed website outlining applicable laws, regulations, guidelines, etc. Given the extent of various requirements, guidance, legislation, etc. applicable to banks, CBI needs to develop AML/CFT guidance to ensure that banks know, understand and comply with the extensive CBI AML/CFT regulatory and supervisory requirements for banks. CBI’s minimum engagement model focuses on the bank’s MLRO and Compliance Officer, when it needs to meet with Board members and senior management (CEO/CRO) as well as provide the results of inspection reports directly to not only management but to the Board, to ensure adequate bank accountabilities are in place with respect to this key risk. Further, it is noted that based on the current minimum engagement model, the frequency of on-site supervisory work occurs only every 2 years for high impact banks and every 3 years for low/medium impact banks. Although CBI is currently engaged with DSIBs, the 4th commercial banks and the savings banks in practice well beyond what this model indicates, it is critical that CBI updates its model to reflect the continued need to have adequate supervisory coverage. CBI needs to incorporate the results of the AML/CFT risk assessment (adequacy of bank’s compliance with AML/CFT regulatory and supervisory requirements) into the bank’s overall SREP score of the bank. A bank should not have a positive (e.g., low SREP score) if material deficiencies have been identified with a bank’s compliance with AML/CFT requirements. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Compliance Table Summarizing the Results of the Assessment
Principle |
Grade |
Comments and Main Findings |
1. Responsibilities, objectives, and powers |
LC |
Although the EU regulatory framework for banks was transposed into law, CBI needs to issue supervisory guidance that is not only tailored to the Icelandic jurisdiction but provides additional clarity to the banking industry on CBI’s supervisory expectations across the material risk areas. CBI needs to have the power to initiate and propose legislation regarding the prudential regulation and supervision of banks. |
2. Independence, accountability, resourcing, and legal protection for supervisors |
MNC |
CBI’s independence is challenged with the government representation on FMEN as CBI needs to a) have the discretion to make the necessary decisions regarding the prudential supervision of banks and b) to avoid conflicts of interest given three of the D-SIBs are either state owned banks or banks with a significant government interest. CBI’s operational independence lacks a formal legal delegation of authorities that is needed to clarify roles and responsibilities for legal decision-making purposes within CBI (e.g., from the Governor to others). CBI’s lack of key human resources (financial supervisors, risk person risk specialists on market risk/IRRBB, operational risk, etc.) may impede its ability to effectively deliver on its mandate for banking supervision. CBI’s funding model for FSA is overly complicated and lacks the ability to fund banking resources on a timely basis. The CBI Act does not clearly indicate the process and reasons for dismissal of the Governor and/or a member of the supervisory Board. Nor does the Act provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. |
3. Cooperation and collaboration |
C |
No main finding. The legal framework for cooperation and collaboration is in place. Bilateral and multilateral arrangements for banking supervision have been developed, though not critical for Iceland, given that the banking system is largely domestic-oriented, and cross-border banking activities through entities are very limited in both ways. |
4. Permissible activities |
C |
No main finding. The Icelandic legal and regulatory framework is aligned with the extensive EU definition of the scope of permitted activities, covering a large range of banking and payment services. The legal definition of banks (commercial banks and savings banks) is included into the broader category of credit institutions, derived from EU rules. Such large scope of regulation and supervision provides CBI with strong legal capacity to effectively control banks, and credit institutions more globally. |
5. Licensing criteria |
C |
No main finding. A limited number of banks has been licensed for many years. The legal framework for licensing provides CBI with adequate powers to implement thorough examination of applications for a banking license and of appointments of natural persons at board member or senior management positions. The risk-based licensing supervisory policy implemented by CBI for credit institutions considers quantitative and qualitative criteria carefully. CBI has legal power to require adjustments of proposed plans, or to reject applications. |
6. Transfer of significant ownership |
C | No main finding. CBI has got adequate powers to approve significant changes of banks’ shareholdings. Yet Act No. 161/2002 does not clearly request that banks must report any material information to CBI which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. |
7. Major acquisitions |
C |
No main finding. The legal regime of major acquisitions is restrictive to banks, which have not developed a significant development strategy through major acquisitions. Regulation of major acquisitions envisaged by banks has been enhanced with the introduction of the criteria of significant influence in addition to standardized quantitative thresholds, which enables more flexibility for implementing risk-based supervision of major acquisitions. Act No. 161/2002 does not include a specific Section on “major acquisitions” explicitly but the combination of legal provisions on ancillary activities, mergers, equity interest arising from the work-out of problem exposures, and regular prudential requirements on large exposures, may compensate. CBI has adequate powers to examine and possibly reject any major acquisition envisaged by a bank. |
8. Supervisory approach |
LC |
CBI/FSA’s SREP methodology is robust for D-SIBs, however more work needs to done to ensure that its minimum engagement model is working/appropriately for the low/medium-low impact banks. Further, CBI/FSA’s SREP methodology does not reflect early intervention measures to be taken well before a bank reaches capital and/or liquidity minimum prudential requirements. CBI should not wait until the overall SREP score or the viability score for one of the main risk elements is rated 4 to take intervention measures as this would not be deemed “early intervention”. |
9. Supervisory techniques and tools |
LC |
CBI’s mix of off- and on-site inspections needs to be re-assessed. The off-site supervision function undertakes the full SREP assessments, however the scope for the on-site program needs to encompass a broader scope of review work (not just thematic reviews focusing on specific risk areas of concern), covering material risks as well as deeper assessments of corporate governance including the quality of risk management and internal control functions, with a risk-based approach over a multi-year cycle. While on-site inspectors carry out their inspections on a timely basis (e.g., inspection reports provided to management upon completion), formal letters to the Board, which include the remedial/corrective actions are at times delayed as supervisors wait for the results of all bank inspections involved in the thematic review to ensure consistency of legal requirements. This current process is undermining the effectiveness of CBI’s communication which needs to be done on a timely basis. CBI’s internal standard of 30 days should be adhered to consistently in practice. |
10. Supervisory reporting |
C |
No main finding. CBI collects various supervisory data (FINREP, COREP, LPA, KRIs, risk reports) and has built fit-for-purpose interfaces that have greatly assisted banking supervisors’ ability to use the data effectively (Power BI, Viki, etc.). |
11. Corrective and sanctioning powers of supervisors |
LC |
CBI tends to make use of Pillar 2 additional capital requirements instead of making better use of existing supervisory tools or measures in its legislative framework in view of enhancing banks’ risk strategies and management. CBI has a draft escalation handbook that needs to be finalized to ensure a well-established process is in place to deal with problem financial institutions. |
12. Consolidated supervision |
C |
No main finding. The legal framework is in place to ensure consolidated supervision of banking groups, which is implemented by CBI in supervisory processes. |
13. Home-host relationships |
C |
No main finding. An appropriate legal and institutional framework is in place on home-host relationships. Cross-border banking activities through branches and subsidiaries are limited in both ways, which has made the set-up of supervisory colleges, as well as the conduct of on-site inspections abroad, unnecessary so far. |
14. Corporate governance |
LC |
CBI’s minimum engagement framework for low and medium-low impact banks does not provide enough assurance given the current frequency of contacts with their key control functions and boards. CBI needs to re-assess whether it will permit a combined audit and risk committee, while Basel standards have indicated these two committees should remain distinct. CBI should implement a framework to ensure it is assessing board members’ “duty of care” and “duty of loyalty”. |
15. Risk management process |
MNC |
CBI/FSA does not necessarily determine if banks have appropriate risk limits in line with the bank’s risk appetite, risk profile, capital strength as CBI/FSA typically does not challenge bank’s risk limits (CBI/FSA does challenge banks through the ICAAP/ILAAP process with respect to the levels/quality of capital and liquidity - but not necessarily on the risk limits put in place by banks). CBI/FSA’s on-site inspection program does not include a review of whether bank’s risk management policies and procedures are being adhered to in practice, looking at both bank’s individual business lines and business units. Some aspects of this determination are looked at during thematic on-site reviews, but are limited to the type of credit exposures of focus for such review. This is a key component of the supervisor’s determination regarding the quality and effectiveness of bank’s risk management practices - this is especially critical for the D-SIBs. CBI/FSA does not necessarily determine if risk management practices associated with exceptions to policies have adequate policies and limits in place (senior management/board sign off for established thresholds). CBI/FSA had not assessed the adequacy of information (e.g., strength of IT management information systems) regarding the measurement, assessment and reporting of bank’s size, composition, and quality of risk exposures on both a bank wide basis and across all risk types, products, and counterparties. Further, CBI/FSA does not necessarily undertake a deep assessment of banks’ risk management processes and practices around the use of models, including whether banks perform regular and independent validation and testing of such models. CBI/FSA should undertake a more comprehensive and frequent review of the bank’s risk management function (all D-SIBs at a minimum) to ensure bank’s risk management functions are covering all material risks with sufficient resources, independence, authority and access to the banks’ BODs and that IA is “required” to regularly review the risk management function. CBI/FSA should also ensure whether Senior Management and/or the Board representatives know and understand the limitations of the risk management information that they receive (including risk measurement uncertainties). CBI/FSA should clarify in legislation or procedures that the dismissal of a bank’s CRO be disclosed publicly. CBI should develop a process to undertake a review, on a risk based supervisory cycle, of banks’ internal pricing frameworks. |
16. Capital adequacy |
LC |
Iceland adheres to the CRR requirements (definition of capital, eligible components of capital and Pillar 1 and Pillar 3 capital requirements of banks) and does not make use of any national discretions available, therefore more in line with the Basel framework. Further, CRD application of Pillar 2 requirements assessed through the CBI/FSA’s SREP process is considered extensive and consistently utilized by the supervisor. Icelandic capital buffer requirements for banks are considered adequate (given the nature, size and complexity of Icelandic banks that are not internationally active) resulting in high levels of Tier 1 and total capital (D-SIBs greater than 23 percent). Icelandic banks follow the standardized approach for credit, market and operational risk. Although the application of the IRB approach for credit risk (one of the most egregious deviations from Basel standards according to the 2014 EU RCAP) is not applicable/utilized at this time for its three D-SIBs. |
17. Credit risk |
MNC |
CBI has undertaken several off-site inspections and some “thematic” credit risk on-site inspections over the past five years covering important topics (large borrowers, stage 3 loan classification, FINREP reporting, etc.). Banking supervisors together with credit risk specialists do not necessarily undertake deep assessments of the effectiveness of bank’s credit administration policies/processes (especially for all D-SIBs) across a variety of products (e.g. real estate back loans, personal loans, corporate loans, etc.), that would include how banks are treating in practice and in accordance with board approved credit policies/risk limits regarding: a) existing exposures, new exposures and the renewing/refinancing/rescheduled of loans in practice; b) the borrower’s ability and willingness to repay loans; c) whether the documentation (including legal covenants, contractual requirements; d) collateral and other forms of credit risk mitigation (e.g. bank’s loan valuation methodologies); e) whether asset classification systems are adequate; and f) the quality of bank’s information systems, (e.g. whether such systems in practice provide accurate and timely identification, aggregation and reporting of credit risk exposures). CBI’s Supervisory Handbook is outdated and should reflect at a minimum the current guidelines Icelandic banks are expected to adhere too on loan origination and monitoring and any other requirements that the banks are subject to. Further, CBI has not issued a prudential standard to ensure the banking industry know and understands CBI’s supervisory expectations, especially given the extent of newly issued guidance on credit risk banks are expected to follow. CBI’s supervisory staff (including the financial supervisors) do not necessarily have adequate time to undertake the necessary training on credit risk. |
18. Problem assets, provisions, and reserves |
LC |
CBI should ensure a deeper dive into asset valuation of banks’ exposures to ensure an adequate awareness of the use of collateral and guarantees across various loan products. CBI needs to reassess its ability to “require” banks to increase additional specific provisions on loans where it deems there is an issue rather than making use of additional Pillar 2 capital requirements to deal with problem assets. |
19. Concentration risk and large exposure limits |
LC |
CBI/FSA does not undertake a thorough review of bank’s policies, procedures and practices regarding credit concentration risk and large exposures to determine if bank BOD’s are kept adequately informed, that thresholds established by the BOD (risk appetite) are adhered to by senior management of the bank and whether bank’s information systems adequately identify and aggregate risk concentrations and large exposures. Although banks comply with EU LEX rules, certain deviations from the Basel LEX framework exist (e.g., for trading book exposures, the EU regulations allow for the LEX limit to be exceeded up to 600% of a bank’s Tier 1 capital while the Basel LEX framework sets a 25% limit). |
20. Transactions with related parties |
MNC |
Although data is collected for related party transactions, CBI’s definition of a related party as well as the definition of a related party transaction is not broad enough (referring to Basel’s definition) and inappropriately exempts certain parties (e.g., state owned related parties). In addition, CBI/FSA should require bank Boards to review and approve related party transactions over a certain threshold (specified by the bank Boards) as well as undertaking deeper supervisory reviews to determine if banks’ policies and processes in fact prevent persons from benefiting from such transactions and/or persons related to such a person from being part of the process of granting and managing the transaction. Moreover, CBI/FSA should require banks to set limits on the aggregation of total exposures to related parties and that such limits are at a minimum as strict as those for single counterparties or groups of connected counterparties. |
21. Country and transfer risks |
MNC |
Though country risk and transfer risk are considered as minor risk domains to which Icelandic banks have low exposure, the legal and regulatory framework applicable to banks relating to prudential requirements on risk management of country risk and transfer risk, as well as supervisory policies and processes implemented by CBI for these risk domains, are not explicitly structured. |
22. Market risk |
LC |
Though thorough off-site supervision of market risk is effectively implemented on major banks, the global adequacy of banking supervision of market risk is still undermined by two specific points: (i) CBI has not performed any on-site inspection covering the overall market risk management framework of major banks comprehensively nor thoroughly; (ii) given that CBI has only one risk specialist of market risk, whose mandate is quite larger than banking supervision only, CBI may be exposed to a significant “key-person” risk, as well as possibly limited human resources and expertise in that risk domain. |
23. Interest rate risk in the banking book |
LC |
Thorough implementation of off-site supervision of major banks on IRRBB is commendable, yet the global adequacy of banking supervision of IRRBB is still be undermined by two specific points similar to market risk: (i) CBI has not performed any on-site inspection covering the overall IRRBB management framework of major banks comprehensively nor thoroughly; (ii) given that CBI has only one risk specialist of IRRBB, whose mandate is quite larger than banking supervision only, CBI may be exposed to a significant “key-person” risk, as well as possibly limited human resources and expertise in that risk domain. |
24. Liquidity risk |
LC |
CBI annually performs a comprehensive assessment of banks overall liquidity risk management framework as part of its SREP process. Although banks comply with LCR, NSFR and other reporting requirements in line with the EU framework, certain deviations from the Basel standards exist (e.g., the inclusion of covered bonds as part of HQLA). |
25. Operational risk |
MNC |
On operational risk, EBA guidelines have been incorporated in the Icelandic legislation, but prudential requirements (at least supervisory guidance from CBI for appropriate implementation by banks) have not been tailored to the specific risk profile of the Icelandic banking sector, except on ICT risk (2019). So far, despite more thorough and extensive off-site supervision of operational risk through the annual SREP (for major banks only), as well as specific monitoring of banks’ operational resilience during the pandemic, and a few targeted inspections on specific operational risk areas such as outsourcing, CBI has not yet structured a strong-enough capacity to implement a comprehensive and hands-on risk-based supervision of operational risk management in the banking sector directly through on-site inspections, especially in major banks, notably, but not only, on ICT risk. |
26. Internal control and audit |
LC |
Despite substantial progress made on off-site supervision of internal control frameworks of banks, various specific weaknesses remain which may still undermine the overall supervisory approach implemented by CBI at some point, notably: (i) the lack of effective implementation of on-site inspections covering whole internal control frameworks of banks for the last 5 years; (ii) a much less frequent review of non-major banks in that domain; and (iii) scarce human resources within CBI allocated to supervision of internal control. |
27. Financial reporting and external audit |
LC |
Welcome amendments have been made to Act No. 161/2002 on banks’ external auditors to enable CBI to request the replacement of any external auditor that missed to implement their duty of alert, yet CBI still lacks adequate powers on external auditors on the two following points: (i) CBI cannot object to the appointment of banks’ external auditors for any valuable reason, for instance if external auditors are deemed to have inadequate expertise or independence; and (ii) the rotation requirement of banks’ external auditors, though aligned with EU rules, reasonably looks too low in the Icelandic context, with durations of external auditors’ mandates possibly set at maximum 10 years, 20 years, even 24 years. |
28. Disclosure and transparency |
C |
No main Finding. Major banks disclose their financial statements annually with quarterly updated information, including Pillar 3 and ESG reports, in Icelandic and English. Financial disclosure of savings banks is in Icelandic only. Supervisory disclosure by CBI looks quite rich in Icelandic, including regulation, guidance, general information, reports, even decisions made on individual banks. The recent disclosure of the financial supervision strategy for 2022-24 is a commendable achievement towards better transparency from CBI. |
29. Abuse of financial services |
LC |
CBI’s minimum engagement model only focuses on contact with the MLRO, instead of contact with the bank’s Board and senior management (CEO, CRO). Further, the results of any on-site inspection reports or formal letters needs to be addressed to not only management, but the Board. Moreover, the length of time between when an on-site inspection begins and the formal communication to the bank takes way too long (can go beyond a year) undermining the effectiveness of CBI’s supervisory work/findings. Last, CBI’s minimum engagement model frequency for low/medium low impact banks should be reassessed to ensure adequate supervisory coverage of savings banks. CBI lacks AML/CFT supervisory guidance that would provide an overview on CBI’s supervisory expectations regarding the numerous laws, regulations and guidance banks need to adhere. CBI does not incorporate the results of the AML/CFT risk assessment (adequacy of bank’s compliance with AML/CFT regulatory and supervisory requirements) into the bank’s overall SREP methodology and scoring. A bank should not have a positive SREP score if material deficiencies have been identified with the bank’s compliance with AML/CFT requirements. |
Principle |
Grade |
Comments and Main Findings |
1. Responsibilities, objectives, and powers |
LC |
Although the EU regulatory framework for banks was transposed into law, CBI needs to issue supervisory guidance that is not only tailored to the Icelandic jurisdiction but provides additional clarity to the banking industry on CBI’s supervisory expectations across the material risk areas. CBI needs to have the power to initiate and propose legislation regarding the prudential regulation and supervision of banks. |
2. Independence, accountability, resourcing, and legal protection for supervisors |
MNC |
CBI’s independence is challenged with the government representation on FMEN as CBI needs to a) have the discretion to make the necessary decisions regarding the prudential supervision of banks and b) to avoid conflicts of interest given three of the D-SIBs are either state owned banks or banks with a significant government interest. CBI’s operational independence lacks a formal legal delegation of authorities that is needed to clarify roles and responsibilities for legal decision-making purposes within CBI (e.g., from the Governor to others). CBI’s lack of key human resources (financial supervisors, risk person risk specialists on market risk/IRRBB, operational risk, etc.) may impede its ability to effectively deliver on its mandate for banking supervision. CBI’s funding model for FSA is overly complicated and lacks the ability to fund banking resources on a timely basis. The CBI Act does not clearly indicate the process and reasons for dismissal of the Governor and/or a member of the supervisory Board. Nor does the Act provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. |
3. Cooperation and collaboration |
C |
No main finding. The legal framework for cooperation and collaboration is in place. Bilateral and multilateral arrangements for banking supervision have been developed, though not critical for Iceland, given that the banking system is largely domestic-oriented, and cross-border banking activities through entities are very limited in both ways. |
4. Permissible activities |
C |
No main finding. The Icelandic legal and regulatory framework is aligned with the extensive EU definition of the scope of permitted activities, covering a large range of banking and payment services. The legal definition of banks (commercial banks and savings banks) is included into the broader category of credit institutions, derived from EU rules. Such large scope of regulation and supervision provides CBI with strong legal capacity to effectively control banks, and credit institutions more globally. |
5. Licensing criteria |
C |
No main finding. A limited number of banks has been licensed for many years. The legal framework for licensing provides CBI with adequate powers to implement thorough examination of applications for a banking license and of appointments of natural persons at board member or senior management positions. The risk-based licensing supervisory policy implemented by CBI for credit institutions considers quantitative and qualitative criteria carefully. CBI has legal power to require adjustments of proposed plans, or to reject applications. |
6. Transfer of significant ownership |
C | No main finding. CBI has got adequate powers to approve significant changes of banks’ shareholdings. Yet Act No. 161/2002 does not clearly request that banks must report any material information to CBI which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. |
7. Major acquisitions |
C |
No main finding. The legal regime of major acquisitions is restrictive to banks, which have not developed a significant development strategy through major acquisitions. Regulation of major acquisitions envisaged by banks has been enhanced with the introduction of the criteria of significant influence in addition to standardized quantitative thresholds, which enables more flexibility for implementing risk-based supervision of major acquisitions. Act No. 161/2002 does not include a specific Section on “major acquisitions” explicitly but the combination of legal provisions on ancillary activities, mergers, equity interest arising from the work-out of problem exposures, and regular prudential requirements on large exposures, may compensate. CBI has adequate powers to examine and possibly reject any major acquisition envisaged by a bank. |
8. Supervisory approach |
LC |
CBI/FSA’s SREP methodology is robust for D-SIBs, however more work needs to done to ensure that its minimum engagement model is working/appropriately for the low/medium-low impact banks. Further, CBI/FSA’s SREP methodology does not reflect early intervention measures to be taken well before a bank reaches capital and/or liquidity minimum prudential requirements. CBI should not wait until the overall SREP score or the viability score for one of the main risk elements is rated 4 to take intervention measures as this would not be deemed “early intervention”. |
9. Supervisory techniques and tools |
LC |
CBI’s mix of off- and on-site inspections needs to be re-assessed. The off-site supervision function undertakes the full SREP assessments, however the scope for the on-site program needs to encompass a broader scope of review work (not just thematic reviews focusing on specific risk areas of concern), covering material risks as well as deeper assessments of corporate governance including the quality of risk management and internal control functions, with a risk-based approach over a multi-year cycle. While on-site inspectors carry out their inspections on a timely basis (e.g., inspection reports provided to management upon completion), formal letters to the Board, which include the remedial/corrective actions are at times delayed as supervisors wait for the results of all bank inspections involved in the thematic review to ensure consistency of legal requirements. This current process is undermining the effectiveness of CBI’s communication which needs to be done on a timely basis. CBI’s internal standard of 30 days should be adhered to consistently in practice. |
10. Supervisory reporting |
C |
No main finding. CBI collects various supervisory data (FINREP, COREP, LPA, KRIs, risk reports) and has built fit-for-purpose interfaces that have greatly assisted banking supervisors’ ability to use the data effectively (Power BI, Viki, etc.). |
11. Corrective and sanctioning powers of supervisors |
LC |
CBI tends to make use of Pillar 2 additional capital requirements instead of making better use of existing supervisory tools or measures in its legislative framework in view of enhancing banks’ risk strategies and management. CBI has a draft escalation handbook that needs to be finalized to ensure a well-established process is in place to deal with problem financial institutions. |
12. Consolidated supervision |
C |
No main finding. The legal framework is in place to ensure consolidated supervision of banking groups, which is implemented by CBI in supervisory processes. |
13. Home-host relationships |
C |
No main finding. An appropriate legal and institutional framework is in place on home-host relationships. Cross-border banking activities through branches and subsidiaries are limited in both ways, which has made the set-up of supervisory colleges, as well as the conduct of on-site inspections abroad, unnecessary so far. |
14. Corporate governance |
LC |
CBI’s minimum engagement framework for low and medium-low impact banks does not provide enough assurance given the current frequency of contacts with their key control functions and boards. CBI needs to re-assess whether it will permit a combined audit and risk committee, while Basel standards have indicated these two committees should remain distinct. CBI should implement a framework to ensure it is assessing board members’ “duty of care” and “duty of loyalty”. |
15. Risk management process |
MNC |
CBI/FSA does not necessarily determine if banks have appropriate risk limits in line with the bank’s risk appetite, risk profile, capital strength as CBI/FSA typically does not challenge bank’s risk limits (CBI/FSA does challenge banks through the ICAAP/ILAAP process with respect to the levels/quality of capital and liquidity - but not necessarily on the risk limits put in place by banks). CBI/FSA’s on-site inspection program does not include a review of whether bank’s risk management policies and procedures are being adhered to in practice, looking at both bank’s individual business lines and business units. Some aspects of this determination are looked at during thematic on-site reviews, but are limited to the type of credit exposures of focus for such review. This is a key component of the supervisor’s determination regarding the quality and effectiveness of bank’s risk management practices - this is especially critical for the D-SIBs. CBI/FSA does not necessarily determine if risk management practices associated with exceptions to policies have adequate policies and limits in place (senior management/board sign off for established thresholds). CBI/FSA had not assessed the adequacy of information (e.g., strength of IT management information systems) regarding the measurement, assessment and reporting of bank’s size, composition, and quality of risk exposures on both a bank wide basis and across all risk types, products, and counterparties. Further, CBI/FSA does not necessarily undertake a deep assessment of banks’ risk management processes and practices around the use of models, including whether banks perform regular and independent validation and testing of such models. CBI/FSA should undertake a more comprehensive and frequent review of the bank’s risk management function (all D-SIBs at a minimum) to ensure bank’s risk management functions are covering all material risks with sufficient resources, independence, authority and access to the banks’ BODs and that IA is “required” to regularly review the risk management function. CBI/FSA should also ensure whether Senior Management and/or the Board representatives know and understand the limitations of the risk management information that they receive (including risk measurement uncertainties). CBI/FSA should clarify in legislation or procedures that the dismissal of a bank’s CRO be disclosed publicly. CBI should develop a process to undertake a review, on a risk based supervisory cycle, of banks’ internal pricing frameworks. |
16. Capital adequacy |
LC |
Iceland adheres to the CRR requirements (definition of capital, eligible components of capital and Pillar 1 and Pillar 3 capital requirements of banks) and does not make use of any national discretions available, therefore more in line with the Basel framework. Further, CRD application of Pillar 2 requirements assessed through the CBI/FSA’s SREP process is considered extensive and consistently utilized by the supervisor. Icelandic capital buffer requirements for banks are considered adequate (given the nature, size and complexity of Icelandic banks that are not internationally active) resulting in high levels of Tier 1 and total capital (D-SIBs greater than 23 percent). Icelandic banks follow the standardized approach for credit, market and operational risk. Although the application of the IRB approach for credit risk (one of the most egregious deviations from Basel standards according to the 2014 EU RCAP) is not applicable/utilized at this time for its three D-SIBs. |
17. Credit risk |
MNC |
CBI has undertaken several off-site inspections and some “thematic” credit risk on-site inspections over the past five years covering important topics (large borrowers, stage 3 loan classification, FINREP reporting, etc.). Banking supervisors together with credit risk specialists do not necessarily undertake deep assessments of the effectiveness of bank’s credit administration policies/processes (especially for all D-SIBs) across a variety of products (e.g. real estate back loans, personal loans, corporate loans, etc.), that would include how banks are treating in practice and in accordance with board approved credit policies/risk limits regarding: a) existing exposures, new exposures and the renewing/refinancing/rescheduled of loans in practice; b) the borrower’s ability and willingness to repay loans; c) whether the documentation (including legal covenants, contractual requirements; d) collateral and other forms of credit risk mitigation (e.g. bank’s loan valuation methodologies); e) whether asset classification systems are adequate; and f) the quality of bank’s information systems, (e.g. whether such systems in practice provide accurate and timely identification, aggregation and reporting of credit risk exposures). CBI’s Supervisory Handbook is outdated and should reflect at a minimum the current guidelines Icelandic banks are expected to adhere too on loan origination and monitoring and any other requirements that the banks are subject to. Further, CBI has not issued a prudential standard to ensure the banking industry know and understands CBI’s supervisory expectations, especially given the extent of newly issued guidance on credit risk banks are expected to follow. CBI’s supervisory staff (including the financial supervisors) do not necessarily have adequate time to undertake the necessary training on credit risk. |
18. Problem assets, provisions, and reserves |
LC |
CBI should ensure a deeper dive into asset valuation of banks’ exposures to ensure an adequate awareness of the use of collateral and guarantees across various loan products. CBI needs to reassess its ability to “require” banks to increase additional specific provisions on loans where it deems there is an issue rather than making use of additional Pillar 2 capital requirements to deal with problem assets. |
19. Concentration risk and large exposure limits |
LC |
CBI/FSA does not undertake a thorough review of bank’s policies, procedures and practices regarding credit concentration risk and large exposures to determine if bank BOD’s are kept adequately informed, that thresholds established by the BOD (risk appetite) are adhered to by senior management of the bank and whether bank’s information systems adequately identify and aggregate risk concentrations and large exposures. Although banks comply with EU LEX rules, certain deviations from the Basel LEX framework exist (e.g., for trading book exposures, the EU regulations allow for the LEX limit to be exceeded up to 600% of a bank’s Tier 1 capital while the Basel LEX framework sets a 25% limit). |
20. Transactions with related parties |
MNC |
Although data is collected for related party transactions, CBI’s definition of a related party as well as the definition of a related party transaction is not broad enough (referring to Basel’s definition) and inappropriately exempts certain parties (e.g., state owned related parties). In addition, CBI/FSA should require bank Boards to review and approve related party transactions over a certain threshold (specified by the bank Boards) as well as undertaking deeper supervisory reviews to determine if banks’ policies and processes in fact prevent persons from benefiting from such transactions and/or persons related to such a person from being part of the process of granting and managing the transaction. Moreover, CBI/FSA should require banks to set limits on the aggregation of total exposures to related parties and that such limits are at a minimum as strict as those for single counterparties or groups of connected counterparties. |
21. Country and transfer risks |
MNC |
Though country risk and transfer risk are considered as minor risk domains to which Icelandic banks have low exposure, the legal and regulatory framework applicable to banks relating to prudential requirements on risk management of country risk and transfer risk, as well as supervisory policies and processes implemented by CBI for these risk domains, are not explicitly structured. |
22. Market risk |
LC |
Though thorough off-site supervision of market risk is effectively implemented on major banks, the global adequacy of banking supervision of market risk is still undermined by two specific points: (i) CBI has not performed any on-site inspection covering the overall market risk management framework of major banks comprehensively nor thoroughly; (ii) given that CBI has only one risk specialist of market risk, whose mandate is quite larger than banking supervision only, CBI may be exposed to a significant “key-person” risk, as well as possibly limited human resources and expertise in that risk domain. |
23. Interest rate risk in the banking book |
LC |
Thorough implementation of off-site supervision of major banks on IRRBB is commendable, yet the global adequacy of banking supervision of IRRBB is still be undermined by two specific points similar to market risk: (i) CBI has not performed any on-site inspection covering the overall IRRBB management framework of major banks comprehensively nor thoroughly; (ii) given that CBI has only one risk specialist of IRRBB, whose mandate is quite larger than banking supervision only, CBI may be exposed to a significant “key-person” risk, as well as possibly limited human resources and expertise in that risk domain. |
24. Liquidity risk |
LC |
CBI annually performs a comprehensive assessment of banks overall liquidity risk management framework as part of its SREP process. Although banks comply with LCR, NSFR and other reporting requirements in line with the EU framework, certain deviations from the Basel standards exist (e.g., the inclusion of covered bonds as part of HQLA). |
25. Operational risk |
MNC |
On operational risk, EBA guidelines have been incorporated in the Icelandic legislation, but prudential requirements (at least supervisory guidance from CBI for appropriate implementation by banks) have not been tailored to the specific risk profile of the Icelandic banking sector, except on ICT risk (2019). So far, despite more thorough and extensive off-site supervision of operational risk through the annual SREP (for major banks only), as well as specific monitoring of banks’ operational resilience during the pandemic, and a few targeted inspections on specific operational risk areas such as outsourcing, CBI has not yet structured a strong-enough capacity to implement a comprehensive and hands-on risk-based supervision of operational risk management in the banking sector directly through on-site inspections, especially in major banks, notably, but not only, on ICT risk. |
26. Internal control and audit |
LC |
Despite substantial progress made on off-site supervision of internal control frameworks of banks, various specific weaknesses remain which may still undermine the overall supervisory approach implemented by CBI at some point, notably: (i) the lack of effective implementation of on-site inspections covering whole internal control frameworks of banks for the last 5 years; (ii) a much less frequent review of non-major banks in that domain; and (iii) scarce human resources within CBI allocated to supervision of internal control. |
27. Financial reporting and external audit |
LC |
Welcome amendments have been made to Act No. 161/2002 on banks’ external auditors to enable CBI to request the replacement of any external auditor that missed to implement their duty of alert, yet CBI still lacks adequate powers on external auditors on the two following points: (i) CBI cannot object to the appointment of banks’ external auditors for any valuable reason, for instance if external auditors are deemed to have inadequate expertise or independence; and (ii) the rotation requirement of banks’ external auditors, though aligned with EU rules, reasonably looks too low in the Icelandic context, with durations of external auditors’ mandates possibly set at maximum 10 years, 20 years, even 24 years. |
28. Disclosure and transparency |
C |
No main Finding. Major banks disclose their financial statements annually with quarterly updated information, including Pillar 3 and ESG reports, in Icelandic and English. Financial disclosure of savings banks is in Icelandic only. Supervisory disclosure by CBI looks quite rich in Icelandic, including regulation, guidance, general information, reports, even decisions made on individual banks. The recent disclosure of the financial supervision strategy for 2022-24 is a commendable achievement towards better transparency from CBI. |
29. Abuse of financial services |
LC |
CBI’s minimum engagement model only focuses on contact with the MLRO, instead of contact with the bank’s Board and senior management (CEO, CRO). Further, the results of any on-site inspection reports or formal letters needs to be addressed to not only management, but the Board. Moreover, the length of time between when an on-site inspection begins and the formal communication to the bank takes way too long (can go beyond a year) undermining the effectiveness of CBI’s supervisory work/findings. Last, CBI’s minimum engagement model frequency for low/medium low impact banks should be reassessed to ensure adequate supervisory coverage of savings banks. CBI lacks AML/CFT supervisory guidance that would provide an overview on CBI’s supervisory expectations regarding the numerous laws, regulations and guidance banks need to adhere. CBI does not incorporate the results of the AML/CFT risk assessment (adequacy of bank’s compliance with AML/CFT regulatory and supervisory requirements) into the bank’s overall SREP methodology and scoring. A bank should not have a positive SREP score if material deficiencies have been identified with the bank’s compliance with AML/CFT requirements. |
Recommended Actions
Recommended Actions to Improve Compliance with the Basel Core Principles and the Effectiveness of the Banking Regulatory and Supervisory Framework
Principle |
Authorities |
Recommended Actions |
1. Responsibilities, objectives, and powers |
CBI, MoFEA |
|
2. Independence, accountability, resourcing, and legal protection for supervisors |
CBI, MoFEA, Prime Minister |
|
3. Cooperation and collaboration |
N/A |
No recommendation. |
4. Permissible activities |
N/A |
No recommendation. |
5. Licensing criteria |
N/A |
No recommendation. |
6. Transfer of significant ownership |
CBI, MoFEA |
|
7. Major acquisitions |
N/A |
No recommendation. |
8. Supervisory approach |
CBI |
|
9. Supervisory techniques and tools |
CBI |
|
10. Supervisory reporting |
N/A |
No recommendation |
11. Corrective and sanctioning powers of supervisors |
CBI |
|
12. Consolidated supervision |
N/A |
No recommendation |
13. Home-host relationships |
N/A |
No recommendation |
14. Corporate governance |
CBI |
|
15. Risk management process |
CBI |
|
16. Capital adequacy |
CBI |
|
17. Credit risk |
CBI |
|
18. Problem assets, provisions, and reserves |
CBI |
|
19. Concentration risk and large exposure limits |
CBI |
|
20. Transactions with related parties |
CBI MoFEA |
|
21. Country and transfer risks |
CBI MoFEA |
|
22. Market risk |
CBI |
|
23. Interest rate risk in the banking book |
CBI |
|
24. Liquidity risk |
CBI |
|
25. Operational risk |
CBI |
|
26. Internal control and audit |
CBI |
|
27. Financial reporting and external audit |
CBI, MoFEA |
|
28. Disclosure and transparency |
CBI |
|
29. Abuse of financial services |
CBI |
|
Principle |
Authorities |
Recommended Actions |
1. Responsibilities, objectives, and powers |
CBI, MoFEA |
|
2. Independence, accountability, resourcing, and legal protection for supervisors |
CBI, MoFEA, Prime Minister |
|
3. Cooperation and collaboration |
N/A |
No recommendation. |
4. Permissible activities |
N/A |
No recommendation. |
5. Licensing criteria |
N/A |
No recommendation. |
6. Transfer of significant ownership |
CBI, MoFEA |
|
7. Major acquisitions |
N/A |
No recommendation. |
8. Supervisory approach |
CBI |
|
9. Supervisory techniques and tools |
CBI |
|
10. Supervisory reporting |
N/A |
No recommendation |
11. Corrective and sanctioning powers of supervisors |
CBI |
|
12. Consolidated supervision |
N/A |
No recommendation |
13. Home-host relationships |
N/A |
No recommendation |
14. Corporate governance |
CBI |
|
15. Risk management process |
CBI |
|
16. Capital adequacy |
CBI |
|
17. Credit risk |
CBI |
|
18. Problem assets, provisions, and reserves |
CBI |
|
19. Concentration risk and large exposure limits |
CBI |
|
20. Transactions with related parties |
CBI MoFEA |
|
21. Country and transfer risks |
CBI MoFEA |
|
22. Market risk |
CBI |
|
23. Interest rate risk in the banking book |
CBI |
|
24. Liquidity risk |
CBI |
|
25. Operational risk |
CBI |
|
26. Internal control and audit |
CBI |
|
27. Financial reporting and external audit |
CBI, MoFEA |
|
28. Disclosure and transparency |
CBI |
|
29. Abuse of financial services |
CBI |
|
Authorities’ Response to the Assessment
89. The Icelandic authorities welcomed the assessment of the regulation and supervision of the Icelandic banking sector based on the Basel Core Principles. The Icelandic authorities broadly shared the views and assessment expressed in the detailed assessment report. Observations and recommendations will be used to further improve the work with regulation and supervision in Iceland. Moreover, they welcomed the IMF’s endorsement of Iceland’s continued progress in strengthening regulation, supervision, and the financial oversight framework since the last BCP assessment in 2014. They are grateful for the dedication of IMF staff to the process and the cooperation which was exemplary.
This Detailed Assessment Report (DAR) has been prepared by Alexis Boher (IMF), and Geraldine Low (IMF external expert).
Minimum ISK LCR requirement was upgraded to 50 percent as of January 1, 2023, after the BCP assessment.
CBI data - BCP Assessment Questionnaire.
The Single Supervisory Mechanism (SSM), composed of the European Central Bank (ECB) and the National Competent Authorities (NCAs), is the legislative and institutional framework that grants the ECB a leading supervisory role over banks in the EU. The ECB, working closely with the NCAs, is directly responsible for the supervision of SIs and oversees the supervision of less significant institutions (LSIs) as conducted by the NCAs. Iceland is subject to the European Economic Area (EEA Agreement) which unites the EU member States and the three EFTA EEA states (Iceland, Liechtenstein and Norway) into one single market governed by the same basic rules.
The European Banking Authority (EBA) is an independent EU Authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector. The main task of the EBA is to contribute to the creation of the European Single Rulebook in banking supervision for NCAs. EBA also plays an important role in promoting convergence of supervisory practices and is mandated to assess risks and vulnerabilities in the EU banking sector. Iceland, being a party to the EEA, has moved towards adopting EU laws directly into its national laws and requiring banks to adhere to EBA guidelines.
Assessors acknowledge that the legislation does refer to the need for banks to adhere to the accounting definition of a related party and a related party transaction, however this definition should be explicit in the legislation.
This section of the report based on: CBI Financial Stability Report (FSR) https://www.cb.is/library/Skraarsafn---EN/Financial Stability/2022/Financial Stability 2022 2.pdf; and related databases used for figures included in the FSR https://www.cb.is/library/Skraarsafn---EN/Financial Stability/2022/ en FS 2022 2 kaflar.xlsx.
Included under non-life insurance companies: 4 non-life + Nat Cat fund + 1 run off reinsurers.
This number also includes the total pension savings held within the other providers (domestic banks + Allianz/Bayern). The figure excluding them is 6.738,46 and 207,3 percent. When considering the pension system as a whole CBI includes these providers.
Included under asset management companies: UCITS firms, authorized alternative investment fund managers, and registered alternative investment fund managers.
Total assets of all the funds managed by asset management companies (updated Q2 2022).
Sources:
- IMF: Article IV reports on Iceland, post-program monitoring reports on Iceland, and specific papers, for example: https://www.imf.org/en/News/Articles/2018/09/15/sp091518-ragnarok-iceland-s-crisis-its-successful-stabilization-program-and-the-role-of-the-imf.
- BIS: The Banking Crisis in Iceland (2020), https://www.bis.org/fsi/fsicms1.pdf.
Sources:
- Pillar 2 methodology: https://en.fme.is/media/vidmid-fme/Common Criteria SREP.pdf.
- Capital adequacy requirements: https://www.cb.is/financial-stability/macroprudential-policy/capital-buffers/.
Sources (selected information available on CBI’s website: https://www.cb.is/):
- CBI 2021 annual report: https://www.cb.is/publications/publications/publication/2022/03/31/Annual-Report-2021/.
- CBI November 2022 Financial Stability Review: https://www.cb.is/publications/publications/publication/2022/09/28/Financial-Stability-2022-2/.
- CBI 2022-24 supervisory strategy: https://www.cb.is/publications/publications/publication/2022/08/16/Supervisory-Strategy/.
- Laws and rules pertaining to CBI’s missions: https://www.cb.is/about-the-bank/central-bank-of-iceland/laws-and-rules/ is more updated than the FSA’s website (under upgrading): https://en.fme.is/published-material/rules/.
- CBI 2022 report on Economy of Iceland: https://www.cb.is/publications/publications/publication/2022/10/12/Economy-of-Iceland-2022/.
Referring to recent official sources of information on financial stability, that is the IMF 2022 Article IV Consultation Staff Report20 and CBI’s November 2022 Financial Stability Review
Source, Technical Note on Crisis Management, December 2022
Source: Technical Note on Crisis Management, December 2022
Note that Directive 2014/49/EU on Deposit Guarantee Schemes has not yet been adopted into the EEA Agreement, therefore Iceland is not obliged to transpose it into Icelandic Law. However. Act 98/1999 has aligned certain elements, e.g., the increase in coverage up to the equivalent of EUR 100,000 Icelandic ISK.
Source : https://nefndir.is/english/.
In this document, “banking group” includes the holding company, the bank and its offices, subsidiaries, affiliates and joint ventures, both domestic and foreign. Risks from other entities in the wider group, for example non-bank (including non-financial) entities, may also be relevant. This group-wide approach to supervision goes beyond accounting consolidation.
The activities of authorising banks, ongoing supervision and corrective actions are elaborated in the subsequent Principles.
Such authority is called “the supervisor” throughout this paper, except where the longer form “the banking supervisor” has been necessary for clarification.
In this document, “risk profile” refers to the nature and scale of the risk exposures undertaken by a bank.
In this document, “systemic importance” is determined by the size, interconnectedness, substitutability, global or cross-jurisdictional activity (if any), and complexity of the bank, as set out in the BCBS paper on Global systemically important banks: assessment methodology and the additional loss absorbency requirement, November 2011.
Please refer to Principle 1, Essential Criterion 1.
Assessors note that CBI announced a new organizational structure/chart dated 12 Jan 2023, after the on-site BCP assessment was undertaken. For further information please see CBI’s website for more detail.
Note this draft bill of legislation has now been put forward to parliament.
CBI does have the ability to call a special FMEN committee meeting to deal with a problem bank and therefore deal with a crisis situation on a timely basis.
Information from CBI/FSA. Additional information, post on-site BCP assessment mission, indicates that a total of four on-site inspectors have a background in credit while 4 on-site inspectors have a background in operational risk (no increase in the total number of 13 FTEs in total).
Principle 3 is developed further in the Principles dealing with “Consolidated supervision” (12), “Home-host relationships” (13) and “Abuse of financial services” (29).
The Committee recognizes the presence in some countries of non-banking financial institutions that take deposits but may be regulated differently from banks. These institutions should be subject to a form of regulation commensurate to the type and size of their business and, collectively, should not hold a significant proportion of deposits in the financial system.
This document refers to a governance structure composed of a board and senior management. The Committee recognizes that there are significant differences in the legislative and regulatory frameworks across countries regarding these functions. Some countries use a two-tier board structure, where the supervisory function of the board is performed by a separate entity known as a supervisory board, which has no executive functions. Other countries, in contrast, use a one-tier board structure in which the board has a broader role. Owing to these differences, this document does not advocate a specific board structure. Consequently, in this document, the terms “board” and “senior management” are only used as a way to refer to the oversight function and the management function in general and should be interpreted throughout the document in accordance with the applicable law within each jurisdiction.
Therefore, shell banks shall not be licensed. (Reference document: BCBS paper on shell banks, January 2003).
Please refer to Principle 14, Essential Criterion 8.
Please refer to Principle 29.
While the term “supervisor” is used throughout Principle 6, the Committee recognizes that in a few countries these issues might be addressed by a separate licensing authority.
In the case of major acquisitions, this determination may take into account whether the acquisition or investment creates obstacles to the orderly resolution of the bank.
On-site work is used as a tool to provide independent verification that adequate policies, procedures and controls exist at banks, determine that information reported by banks is reliable, obtain additional information on the bank and its related companies needed for the assessment of the condition of the bank, monitor the bank’s follow-up on supervisory concerns, etc.
Off-site work is used as a tool to regularly review and analyze the financial condition of banks, follow up on matters requiring further attention, identify and evaluate developing risks and help identify the priorities, scope of further off-site and on-site work, etc.
Please refer to Principle 10.
Based on EBA Guidelines on management of non-performing and forborne exposures (EBA/GL/2018/06) and related legal requirements such as CRR.
In the context of this Principle, “prudential reports and statistical returns” are distinct from and in addition to required accounting reports. The former are addressed by this Principle, and the latter are addressed in Principle 27.
Please refer to Principle 2.
Please refer to Principle 1, Essential Criterion 5.
Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions.
Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. External experts may conduct reviews used by the supervisor, yet it is ultimately the supervisor that must be satisfied with the results of the reviews conducted by such external experts.
Please refer to Principle 1.
Please refer to footnote 19 under Principle 1.
Please refer to Principle 16, Additional Criterion 2.
See Illustrative example of information exchange in colleges of the October 2010 BCBS Good practice principles on supervisory colleges for further information on the extent of information sharing expected.
Please refer to footnote 27 under Principle 5.
Item 68 and 71 of the BCBS Guideline on Corporate Governance Principles for Banks, July 2015, be required for systemically important banks and is strongly recommended for other banks based on a bank’s size, risk profile or complexity.
The OECD (OECD glossary of corporate governance-related terms in “Experiences from the Regional Corporate Governance Roundtables”, 2003, www.oecd.org/dataoecd/19/26/23742340.pdf.) defines “duty of care” as “The duty of a board member to act on an informed and prudent basis in decisions with respect to the company. Often interpreted as requiring the board member to approach the affairs of the company in the same way that a ’prudent man’ would approach their own affairs. Liability under the duty of care is frequently mitigated by the business judgment rule.” The OECD defines “duty of loyalty” as “The duty of the board member to act in the interest of the company and shareholders. The duty of loyalty should prevent individual board members from acting in their own interest, or the interest of another individual or group, at the expense of the company and all shareholders.”
“Risk appetite” reflects the level of aggregate risk that the bank’s Board is willing to assume and manage in the pursuit of the bank’s business objectives. Risk appetite may include both quantitative and qualitative elements, as appropriate, and encompass a range of measures. For the purposes of this document, the terms “risk appetite” and “risk tolerance” are treated synonymously.
For the purposes of assessing risk management by banks in the context of Principles 15 to 25, a bank’s risk management framework should take an integrated “bank-wide” perspective of the bank’s risk exposure, encompassing the bank’s individual business lines and business units. Where a bank is a member of a group of companies, the risk management framework should in addition cover the risk exposure across and within the “banking group” (see footnote 19 under Principle 1) and should also take account of risks posed to the bank or members of the banking group through other entities in the wider group.
To some extent the precise requirements may vary from risk type to risk type (Principles 15 to 25) as reflected by the underlying reference documents.
It should be noted that while, in this and other Principles, the supervisor is required to determine that banks’ risk management policies and processes are being adhered to, the responsibility for ensuring adherence remains with a bank’s Board and senior management.
New products include those developed by the bank or by a third party and purchased or distributed by the bank.
The Core Principles do not require a jurisdiction to comply with the capital adequacy regimes of Basel I, Basel II and/or Basel III. The Committee does not consider implementation of the Basel-based framework a prerequisite for compliance with the Core Principles, and compliance with one of the regimes is only required of those jurisdictions that have declared that they have voluntarily implemented it.
Regulation (EU) No: 2019/876 (CRR 2) and Directive (EU) 2019/878 (CRD V) of the European Parliament and of the Council entered into force 27 June 2019, however, the application of the provisions (main rules) began 29 December 2020 (CRD V) and 28 June 2021 (CRR 2).
The following key measures were introduced with CRR II and CRD V as follows: a leverage ratio requirement for all institutions as well as a leverage ratio buffer for all global systemically important institutions; a net stable funding requirement; a new market risk framework for reporting purposes; a requirement for third-country institutions having significant activities in the EU to have an EU intermediate parent undertaking; revised rules on capital requirements for counterparty credit risk and for exposures to central counterparties; a revised Pillar 2 framework; an updated macro-prudential toolkit; the exclusion of certain banks from the scope of application of the CRR and the CRD; a number of measures aimed at reducing the administrative burden related to reporting and disclosure requirements for small non-complex banks, as well as simplified market risk and liquidity rules for those banks; a new discount on capital requirements for investments in infrastructure and a more generous discount on capital requirements for exposures to SMEs; targeted amendments to the credit risk framework to facilitate the disposal of non-performing loans and to reflect EU specificities; targeted amendments related to the incorporation of environmental, social and governance aspects into prudential rules; enhanced prudential rules in relation to anti-money laundering; a new total loss absorbing capacity (TLAC) requirement for global systemically important institutions; enhanced Minimum Requirement for own funds and Eligible Liabilities (MREL) subordination rules for global systemically important institutions (G-SIIs) and other large banks referred to as top-tier banks; a new moratorium power for the resolution authority; restrictions to distributions in case of MREL breaches; and Home-host related measures.
CRD V summary changes to Pillar 2 requirements, as follows: distinguishing Pillar 2 requirements which are minimum requirements, from Pillar 2 guidance which creates an additional capital buffer; clarify where Pillar 2 requirements and guidance sit in the capital ’stack’; specify the application of Pillar 2 requirements by supervisors; and require granular disclosures by firms on the Pillar 2 requirements applied by supervisors.
Source: Euro Area Policies FSAP BCP assessment July 2018 (IMF country report No. 18/233), footnote #84: The EU Standardized Approach and the Internal Ratings-Based approach for credit risk diverged in the permanent partial use exemptions for various types of credit exposures in the IRB Approach for credit risk. Concessionary risk weights were extended to small- and medium-sized enterprise (SME) exposures for customers located in both the EU and abroad. The splitting of residential mortgage loans into lending qualifying for a 35 percent risk weight and lending not qualifying for this preferential treatment, as permitted under EU law, did not meet the Standardized Approach for credit risk. The treatment of CCR deviated with respect to the credit valuation adjustment (CVA) exemptions provided for various obligor exposures. Other cited deviations included the treatment of investments in the capital instruments of insurance company subsidiaries in the definition of the capital component of the Basel framework, and in the credit risk components. Eight of the 14 components assessed were compliant with the Basel framework, and four components (definition of capital and calculation of minimum requirements, Standardized Approach for credit risk, credit risk (securitization framework) and Standardized Measurement Method for market risk) were deemed largely compliant; one component (IRB approach for credit risk) was materially non-compliant; while the CCR component was rated non-compliant.
The Basel Capital Accord was designed to apply to internationally active banks, which must calculate and apply capital adequacy ratios on a consolidated basis, including subsidiaries undertaking banking and financial business. Jurisdictions adopting the Basel II and Basel III capital adequacy frameworks would apply such ratios on a fully consolidated basis to all internationally active banks and their holding companies; in addition, supervisors must test that banks are adequately capitalized on a stand-alone basis.
Reference documents: Enhancements to the Basel II framework, July 2009 and: International convergence of capital measurement and capital standards: a revised framework, comprehensive version, June 2006.
In assessing the adequacy of a bank’s capital levels in light of its risk profile, the supervisor critically focuses, among other things, on (a) the potential loss absorbency of the instruments included in the bank’s capital base, (b) the appropriateness of risk weights as a proxy for the risk profile of its exposures, (c) the adequacy of provisions and reserves to cover loss expected on its exposures and (d) the quality of its risk management and controls. Consequently, capital requirements may vary from bank to bank to ensure that each bank is operating with the appropriate level of capital to support the risks it is running and the risks it poses.
“Stress testing” comprises a range of activities from simple sensitivity analysis to more complex scenario analyses and reverses stress testing.
Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets.
Credit risk may result from the following: on-balance sheet and off-balance sheet exposures, including loans and advances, investments, inter-bank lending, derivative transactions, securities financing transactions and trading activities.
Counterparty credit risk includes credit risk exposures arising from OTC derivative and other financial instruments.
“Assuming” includes the assumption of all types of risk that give rise to credit risk, including credit risk or counterparty risk associated with various financial instruments.
Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets.
Reserves for the purposes of this Principle are “below the line” non-distributable appropriations of profit required by a supervisor in addition to provisions (“above the line” charges to profit).
It is recognized that there are two different types of off-balance sheet exposures: those that can be unilaterally cancelled by the bank (based on contractual arrangements and therefore may not be subject to provisioning), and those that cannot be unilaterally cancelled.
When re-negotiation of the credit terms of a particular loan results in a substantially lower value of the loan in question than of a loan carrying market interest rates, the difference shall be booked as lost loans and/or, as required, debited to previously recorded revenue within the financial year. Borrowers who have renegotiated terms of loans in arrears, for example extension of loans by debt restructuring, shall be assessed specifically in view of probable credit losses.
Point m of 36(1): the applicable amount of insufficient coverage for non-performing exposures;
Article 178 is about default of an obligor.
Connected counterparties may include natural persons as well as a group of companies related financially or by common ownership, management or any combination thereof.
This includes credit concentrations through exposure to: single counterparties and groups of connected counterparties both direct and indirect (such as through exposure to collateral or to credit protection provided by a single counterparty), counterparties in the same industry, economic sector or geographic region and counterparties whose financial performance is dependent on the same activity or commodity as well as off-balance sheet exposures (including guarantees and other commitments) and also market and other risk concentrations where a bank is overly exposed to particular asset classes, products, collateral, or currencies.
“Connected” called related in the English translation.
The measure of credit exposure, in the context of large exposures to single counterparties and groups of connected counterparties, should reflect the maximum possible loss from their failure (i.e., it should encompass actual claims and potential claims as well as contingent liabilities). The risk weighting concept adopted in the Basel capital standards should not be used in measuring credit exposure for this purpose as the relevant risk weights were devised as a measure of credit risk on a basket basis and their use for measuring credit concentrations could significantly underestimate potential losses (see ”Measuring and controlling large credit exposures, January 1991).
Such requirements should, at least for internationally active banks, reflect the applicable Basel standards. As of September 2012, a new Basel standard on large exposures is still under consideration.
Related parties can include, among other things, the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, the bank’s major shareholders, Board members, senior management and key staff, their direct and related interests, and their close family members as well as corresponding persons in affiliated companies.
Related party transactions include on-balance sheet and off-balance sheet credit exposures and claims, as well as dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction should be interpreted broadly to incorporate not only transactions that are entered into with related parties but also situations in which an unrelated party (with whom a bank has an existing exposure) subsequently becomes a related party.
An exception may be appropriate for beneficial terms that are part of overall remuneration packages (e.g., staff receiving credit at favorable rates).
Country risk is the risk of exposure to loss caused by events in a foreign country. The concept is broader than sovereign risk as all forms of lending or investment activity whether to/with individuals, corporate, banks or governments are covered.
Transfer risk is the risk that a borrower will not be able to convert local currency into foreign exchange and so will be unable to make debt service payments in foreign currency. The risk normally arises from exchange restrictions imposed by the government in the borrower’s country. (Reference document: IMF paper on External Debt Statistics -Guide for compilers and users, 2003.)
Wherever “interest rate risk” is used in this Principle the term refers to interest rate risk in the banking book. Interest rate risk in the trading book is covered under Principle 22.
Minimum ISK LCR requirement was upgraded to 50 percent as of January 1, 2023, after the BCP assessment.
Later in 2022/23, CBI intends to repeal the LCR FX total requirement and implement a LCR EUR requirement of 80 percent (if aggregate liabilities denominated in that currency amount to 10 percent or more of a bank’s total liabilities).
The Committee has defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk.
In assessing independence, supervisors give due regard to the control systems designed to avoid conflicts of interest in the performance measurement of staff in the compliance, control and internal audit functions. For example, the remuneration of such staff should be determined independently of the business lines that they oversee.
The term “compliance function” does not necessarily denote an organizational unit. Compliance staff may reside in operating business units or local subsidiaries and report up to operating business line management or local management, provided such staff also have a reporting line through to the head of compliance that should be independent from business lines.
The term “internal audit function” does not necessarily denote an organizational unit. Some countries allow small banks to implement a system of independent reviews, e.g., conducted by external experts, of key internal controls as an alternative.
In this Essential Criterion, the supervisor is not necessarily limited to the banking supervisor. The responsibility for ensuring that financial statements are prepared in accordance with accounting policies and practices may also be vested with securities and market supervisors.
For the purposes of this Essential Criterion, the disclosure requirement may be found in applicable accounting, stock exchange listing, or other similar rules, instead of or in addition to directives issued by the supervisor.
The Committee is aware that, in some jurisdictions, other authorities, such as a financial intelligence unit (FIU), rather than a banking supervisor, may have primary responsibility for assessing compliance with laws and regulations regarding criminal activities in banks, such as fraud, money laundering and the financing of terrorism. Thus, in the context of this Principle, “the supervisor” might refer to such other authorities, in particular in Essential Criteria 7, 8 and 10. In such jurisdictions, the banking supervisor cooperates with such authorities to achieve adherence with the criteria mentioned in this Principle.
Iceland’s Financial intelligence unit (FIU) was moved from the National Commissioner’s Office in July 2015 and is now an independent unit within the District Prosecutors Office. The FIU receives STRs from reporting entities and obtains necessary additional information to conduct further analysis. The FIU performs operational analysis which are disseminated to the relevant competent authorities e.g., the District Prosecutors office, the Metropolitan Police, and the Tax Authorities. The FIU also conducts strategic analysis.
Note that the regulation is a direct implementation of regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015R0847&from=EN)
Note that the regulation is a direct implementation of regulation (EU) 2022/229
Note that the regulation is a direct implementation of regulation (EU) 2018/1108 on the criteria for the appointment of central contact points for electronic money issuers and payment service providers.
Consistent with international standards, banks are to report suspicious activities involving cases of potential money laundering and the financing of terrorism to the relevant national centre, established either as an independent governmental authority or within an existing authority or authorities that serves as an FIU.
These could be external auditors or other qualified parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions.
This is the only AML college CBI is currently a member of.
The CBI has signed an MOU with the ECB in 2019 regarding information sharing based on Paragraph two of Article 57a of Directive (EU) 2015/849. It should be noted that the ECB does not supervise any Icelandic commercial or savings banks.