The European Banking Federation (EBF) welcomes the steps taken by the European Banking Authority (EBA) to revise the templates for resolution planning. The EBF supports the pragmatic approach and direction in which the templates have evolved.
Before we share our detailed responses to questions raised in the consultation paper, we kindly draw your attention to the following remarks:
- Avoiding duplication:
The supervisory authorities’ objective of not duplicating the information requests is welcomed as the draft ITS states that information already available for other purposes will not be requested for resolution planning. This measure promotes a more efficient and less complex exercise, avoiding information dispersion and duplication, thus leading to a smaller number of templates. Since the 2014-2015 ITS on information for resolution plans, resolution authorities have developed and gained broad experience in preparing and refining their information requirements. Entities are subject to intense and broad information requirements. Being ready for producing this information is among the top priorities of banks. As mentioned above, we appreciate the EBA’s intention to avoid duplicating reporting as this is one of the most time consuming risks entities currently face. However, we would like to receive more clarification with regards to how a revision to the EBA templates changes this scenario and avoids duplication. Referring in particular to the following sentence in paragraph 30 “as long as the minimum information items are collected in line with the definitions, instructions and specifications as set out in the ITS, resolution authorities will be able to collect additional information at the same time”; it is not clear whether these EBA templates are for minimum information, how they foresee potential additional requests being ready if not included in the minimum set. Besides, the ITS collects data from institutions whereas they are directly available from competent authorities e.g. own funds requirement. This is in contradiction with the laudable EBA objective to minimize duplicate reporting.
- Coordination with resolution authorities:
Currently, some resolution authorities are in the process of developing several templates. In this context, and with regards to banks under the remit of the SRB, the EBF would like to mention as a general remark the importance of clarity for these templates vis-à-vis the SRBs internally developed templates. The EBA templates overlap with the templates issued by the SRB in respect of: 2 LIAB, 3 OWN, 4 IFC, 7.1 FUNC 1, 7.2 FUNC 2, 9.1 FMI, 9.2 FMI 2 and 9.3 FMI 3. The BRRD Article 11 state that “Competent authorities in the relevant Member States shall cooperate with resolution authorities in order to verify whether some or all of the information referred to in paragraph 1 is already available. Where such information is available, competent authorities shall provide that information to the resolution authorities”. The same principle should apply between resolution authorities with regards to exchange of information in order to avoid unnecessary double reporting. The EBF therefore encourages EBA to initiate a dialogue with the SRB to agree on a common approach. Moreover, we would like to recall paragraphs 1 and 4 of Article 5 of the Treaty on European Union", that clearly emphasis both, the principles of subsidiarity and proportionality governing European competences. Also, we want to highlight that the reporting requirement defined by the SRB and in particular the Liability Data Template (LDT) goes beyond the template "R 02.00 - Liability Structure (R-LIAB)" of the EBA Discussion paper n°EBA-DP-2017-15 which illustrates the non-compliance with this principle of proportionality. The reporting charge of the LDT template seems therefore disproportionate and we call for the SRB to use the templates defined by the EBA and not to add additional requirements at a time when the European Commission is launching its consultation on supervisory reporting requirement.
- MPE and SPE resolution strategies
We further appreciate the effort of the EBA (as compared to the previous ITS of 2015) to distinguish between MPE and SPE resolution strategies. However, paragraph 2 is confusing when applied to MPE resolution strategies as it concedes a relevant role to the group level resolution authority. Our understanding of the BRRD is that, although it envisages a key role for the Group Level Resolution Authority (GLRA) in the collection of resolution information via the union parent undertaking (a13(1)), it also allows for a balance in this for MPE firms. The GLRA should only collect information relating to group entities to the extent that this is required [for resolution planning at EU level] (a13(1)). Moreover, the Directive is clear that resolution authorities of subsidiaries have a key role to play in the drawing up of group-level resolution plans (a12(1)) and allows resolution authorities responsible for subsidiaries to make their own decision on resolution plans for the entities under their jurisdiction (a13(6)) if a joint decision cannot be reached. Therefore, in the case of MPE firms this means that the resolution authority of the subsidiary (the local resolution authority) should take the lead in collecting information and share this with the GLRA. The GLRA can ask for additional information if it is required and justified. The scope of the data collection - and diagram 1 in the CP - is totally unclear. It is essential that the EBA be more specific about which firms it is expecting to submit which templates and for what purpose. Clarity is essential prior to any investment being made to enhance data collection and submission systems. In our view the default should be that information relevant to the setting of the resolution strategy, drawing up a plan and setting MREL at the local resolution group level should be collected by the local resolution authority. Additional information should only be requested by the GLRA where there is a clear rationale for this. In addition the BRRD is clear that where information is already submitted to competent authorities, resolution authorities should seek this directly from the competent authorities (a11(2)).
- The level of compliance needs to be clarified:
Different levels of compliance are mentioned throughout the document: at union parent undertaking level, resolution entity level on an individual basis, consolidated or sub-consolidated basis for the resolution group. Furthermore, the consultation should clarify whether it refers to resolution plans of resolution groups or if it refers to group resolution plans.
We must stress the clear need to stabilize the number of templates as well as their layout, scope, granularity and details of the data requested, as a means of standardizing the methodologies for producing the information to be reported and to allow a more timely answer. Stabilization is also crucial to allow banks to calibrate their IT systems correctly to produce the information needed. In fact, successive changes to the templates or additional requests represent a cost for banks and should, therefore, be duly considered before such a decision is taken.
In view of the possibility of the submission date being set for 31st March, attention should be given to the fact that, during the first quarter, the departments involved in the exercise of the resolution plan are overloaded with the annual accounts closing and other reporting to the ECB e.g. ILAAP, ICAAP, Funding and Capital Plan, among others. Moreover, for the majority of the Eurozone institutions and the UK institutions the business models might change after 31st March 2019 as Brexit kicks in. In light of this we believe an updated set of financials for a post-Brexit model will only be available after the June 2019 quarter (albeit not a whole year of financials). Hence we believe a longer timeline should be accorded for banks to start operating and reporting data based on their post-Brexit model. We would very much welcome the revision of the resolution planning remittance dates being moved to the second half i.e. H2 2019. This would help towards both limiting heavy reporting supervisory requests in the early part of the year as well as aligning submissions to the new business models, existing in a post-Brexit environment. Furthermore, especially for templates included in Block 3, a remittance date in H2 2019 would facilitate the banks in carrying out the related analysis on the basis of data as of 30th June 2019 being more updated to include post-Brexit view.
We suggest the existence of specific guidelines for each template, with a view to the harmonization of concepts and unambiguous interpretation to fill them. Instructions should be far more detailed and self-explanatory, as it will avoid sending, repeatedly, ad-hoc questions to the supervisor.
- FMI services:
A list of typical FMI services and enabling services should preferably be carried out by the SRB and EBA as they have access to the information provided by the banks over the last few years. Given the time-consuming features and costs associated with adapting IT systems in conformity with the FMI templates, a transition period would be welcome. As noted previously, the stabilization of information requests is therefore crucial for the initiation of IT developments.
This is mentioned a few times in the consultation paper, however it would be more useful to have concrete examples of what applies and does not apply to smaller firms.
Moreover, we think that resolution authorities should as a general rule not require additional or more detailed reportings than those established by the EBA in order to take into account the EBA objective that we share to limit the burden on institutions.
- Frequency of reporting (annual reporting vs. every two years) :
For example, current UK regulations (PRA supervisory statement 19/13) only require firms to update every two years unless there has been a material change to their structure or business activities. As such, the current regulation is sufficient, in this respect, and a requirement for annual reporting, where there has been no material change, would be excessive.
- Missing data:
On page 23 of the consultation paper, Article 4 letter (e), is missing the reference of the template. Does it refer to template R 06.00?
* * *
RESPONSE TO QUESTION 1
Prior to our comments, we believe the remittance date indicated in paragraph 1 and 2 of Article 9 ‘Transitional period’ is erroneous. The referred dates should be respectively 31st May 2019 and 30th April, 2020.
With regard to timing, the EBF considers it tight. Submission of new data via XBRL, with built-in validations, will require some elements of IT built and greater data governance than has previously been the case. This needs to be designed, built and tested prior to use and, depending on the size of the institution, it is estimated this would take a minimum of 18 months from the publication of the final standards. Ordinarily, firms would also want to dry run data submissions on the new system prior to it becoming live. If other work is going on to the same timescales firms will be stretched. Based on this, we believe that submission in 2019 using the new templates and with the new system is too soon.
Generally speaking, the target remittance date of 31st March, in respect of the year ending 31st December of the preceding year, remains binding if all resolution templates are required at this date. We propose the following solution:
- the time requirement should be more flexible by postponing the remittance date from 31st March to 31st May;
- reporting relative to "Core business lines, critical functions and related information systems and financial market infrastructure" i.e. R 07.01 to R 10.02, is very stable; it does not require an annual reporting and could be reported every three years, except in the event of significant modification estimated by the credit institution. The remittance of this reporting could be spread out as follows:
o Year 1: remittance of R 07.01 to R 08.00;
o Year 2: remittance of R 09.01 to R 09.03;
o Year 3: remittance of R 10.01 and R 10.02.
The proposed EBA resolution templates should constitute the exhaustive list of reporting which credit institutions will have to send to the Single Resolution Mechanism (SRM). In a proportional approach, the SRM could waive some credit institutions categories of irrelevant resolution templates. Lastly, the proposed EBA remittance dates should be endorsed by the SRM."
- While this template has a better design than the previous one, it unfortunately remains difficult to complete for cross-border banking groups with subsidiaries and branches located outside the European Union.
- We would like to draw your attention to the fact that the following data is already required in other reporting, we suggest removing these three columns from R 01.00 template:
o The “risk exposure amount” (REA; column 090) is already asked in COREP reporting C06.
o The “contribution to total consolidated assets” (column 110) is already asked in FINREP reporting C40.01.
o The “contribution to total consolidated REA” (column 120) is already asked in COREP reporting C06.
- We also note that the level and scope of the entities is defined as EU Parent level - all entities in the accounting consolidation and exceeding minimum relevance thresholds (0.5 % of group total assets, total liabilities, total RWA or total CET1) calculated on a prudentially consolidated level." These thresholds appear too low if compared with the purposes of a Banking Group resolution. Therefore, we consider thresholds should be higher e.g. they could be in line with the threshold already set by SRB for the Liability Data Template (5% of the group's risk exposure amount, leverage exposure or total operating income). We would also appreciate further clarification on the level of consolidation.
- Further clarification is also required concerning the definition in column 170 "Amount of share capital held by the direct parent in the Entity." Does this mean we need to list the amount of equity including reserves?
- With regard to the scope, in article 4 of the draft ITS it is stated that template R1.00, at the level of the Union parent undertaking, needs to include ‘(i) all group entities included in its consolidated financial statements which exceed 0.5% of total assets or total liabilities of the group’, we draw attention to the SRB templates being on the basis of the prudential consolidation scope and not including non-financial and insurance entities. Those entities are not reported separately in the SRB templates, though included in the 'Intragroup'.
- In annex II ‘Instructions’ – the instructions for column 060 ‘Included in the Prudential Perimeter’ requires that it should be specified whether the legal entity is included in the prudential perimeter. This column is unfortunately missing in the excel file.
- Lastly, it is not clear to us what code the EBA is asking for in column 020 and 150 as well as in other tabs of the template. If this code should refer to identifying legal entities, EBF questions the added value of including this code as well as the LEI code."
R 02.00 - Liability Structure (R-LIAB)
- For SRM banks it needs to be clarified what the relationship is between this template and the SRBs internally developed template for liability data reporting.
- We further ask for the removal of column 090 of which: intragroup" and the inclusion of a global row dedicated to intragroup transactions at the end of reporting. We consider it useless to report detailed information in a column dedicated to intragroup transactions.
- The accounting standard of “Resolution reporting” is specified in paragraph 1.4 of the annex II ‘Instructions’. Nevertheless, it should be specified how to report subsidiaries’ data in the “Resolution reporting” when the subsidiary is waived of supervisory requirements.
- Furthermore, a line should be added to report "senior non preferred liabilities". Otherwise it could be said if "senior non preferred liabilities" should be reported in line 370 “Subordinated liabilities (not recognised as own funds)".
- Cells that should not be filled in because the data requested are not regulatorily possible should be shaded e.g. covered deposits with credit institutions counterparties.
- Lastly, counterparty segmentation in this template is slightly different from SRB e.g. households vs. natural persons. This could be an issue as some SMEs may be classified as households. We note the SME split is clear in SRB but not in the EBA templates (partly under households and partly under non-financial corps). Counterparty segmentation is thus the main difference between R 02.00 template and SRB-LDT T01.00.
R 03.00 - Own funds requirement (R-OWN)
- Some credit institutions are dispensed of own funds requirements on a solo basis. Nevertheless, they have to report an own funds’ requirements template in the R 03.00 template of their “Resolution reporting". In this context, we welcome further information as to which data must be reported in this template. Indeed, the instructions state that those institutions must report their contribution to the prudential own funds, but it is unclear what it means regarding own funds requirements.
- Also, for all credit institutions subject to own funds’ requirements, data required in the template is already sent to the ECB and EBA, or even is data provided by the ECB to institutions e.g. Pillar 2 requirements. We suggest, then, deleting this template which is in essence redundant with COREP reporting.
R 04.00 - Intragroup financial interconnections (R-IFC)
- There is lack of clarity with regards to whether all intragroup financial interconnections should be reported or if instead only intragroup financial interconnections with a resolution entity (in particular for SPE). The EBF considers only the latter should take place i.e. report only where resolution entity engaged.
- In this template we have to list ‘Intragroup liabilities and guarantees involving the EU parent as issuer or underwriter’. In contrast to ‘Liability structure’, contains counterparty-by-counterparty information. Is it correct that banks only have to list information regarding entities that are listed in R 01.00 - Organisational structure (R-ORG)?
- The instructions should clarify that the expected amounts to be filled in must be aggregated by counterparties and not reported for each transactions, and that resolution authorities should not ask for transactional data in the objective to limit the burden on institutions.
- There are some banks that issue numerous relatively small transactional-based intercompany guarantees. In this context, it is not clear whether these kinds of guarantees have to be included in the overview, or instead only the full guarantees. If all intercompany guarantees do need to be listed, we query whether it is possible to set a threshold. Furthermore, and with regard to the intercompany liabilities within a bank, should all kinds of intercompany liabilities be listed? We consider this definition could be improved further.
- Lastly on this point, it remains unclear what code the EBA asks for in column 020.
R 05.01 - Major counterparties (Liabilities)
- We consider this template should be deleted given that this information has already been requested and is available in the additional liquidity monitoring metric (ALMM) COREP n°C.67.00.
- Moreover, we consider column 060 “Type” should be deleted since it is too complex and useless to report the data required in this column.
R 05.02 - Major counterparties (off-balance sheet)
- We further draw attention to the need of a grouping of clients (like large exposure reporting) to be developed, hence causing additional costs.
R 06.00 - Deposit insurance (R-DIS)
- We stress that National Deposit Guarantee Funds (DGF) already have the requested information. National DGF should thus be in charge of the reporting of this information.
- It is not clear what code the EBA asks for in column 020."
Prior to our comments on the particular templates, we draw attention to Article 4 - Level of application" of the draft implementing regulation, where data of third countries i.e. countries which are not Member States, should be excluded (if the entities operating in those countries are not included in the resolution group/resolution entities) or a longer delay should be granted. To this regard page 26 of annex II ‘Instructions’ already seems to limit the template to Member States.
R 07.01 - Criticality assessment of economic functions
- We find missing the definition and the calibration of buckets to fill the column 020 "Market share". In addition to this point, the market share is very difficult to determine for internationally active credit institutions. The denominator used for the calculation of the market share should be clearly defined for each economic function and should be provided by the Authorities e.g. it could be a national, continental or worldwide geographical zone and data could not be available to the institutions or sources could differ, not ensuring comparability.
- Also, for this template it must be provided “for each country in which the group is active”. The document however does not specify which entities must submit it. A logical approach would be to ask this at resolution group/material entity level, but authorities should avoid asking the information based on the criteria of template 01.00 (entities which exceed 0.5% of total assets or total risk exposure or CET1 on a group consolidated basis) or the requirement might become too burdensome.
- The proposed level of analysis alongside geographical areas (countries?) across legal entities seems to be neither practicable nor reasonable. The criticality assessments should be performed for material legal entities and solely mapped to their key (also regional) markets. Reporting for geographical areas would pose several issues of reconciliation with FINREP/COREP reports of the branch/entities operating in that country, also considering the difficulty in allocating/treating the cross-border activities.
- The term ‘geographical area’ needs to be further defined. If the intention is that one template is filled for each country in which the bank operates, this must be clarified and the important issues above should be considered. It should also be clarified if one report shall be populated per legal entity/branch or if operations in the same ‘geographical area’ shall be reported together e.g. in the case where a branch and a subsidiary operates in the same country.
- There is a striking resemblance with SRB-LDT and SRB-CFT, however when EBA issues its own taxonomy (and own XBRL format) this will be doubling the development costs for almost the same, if not the same information. CF templates have a different structure in the sense that EBA requires data by geographic area (country) whereas SRB requires entity-level data. If the intention is to have one R 07.01 per legal entity, as per current SRB-CFT, we would find template R 07.02 redundant.
- As a matter of proportionality, the scope of the template should be limited to Member States in which banks do a minimum volume of business. Where it is obvious that the banks’ business volume (or any other criteria) in a Member State is so negligible that the bank does not perform a critical function, the bank should not be obliged to fill in the template. Such data requests would pose a disproportionate administrative burden on banks while at the same time the resolution authorities would not gain any relevant insight from such an exercise. Besides, it might prove difficult to allocate cross-border activities to certain member states, e.g. if domestic clients are doing business abroad in other European Member States. Furthermore, booking locations may be in another Member State compared to where the actual business is being carried out.
- Lastly, while the instructions provide references to FINREP in some cases, the difficulty comes that using the ‘geographical area’ approach the reconciliation with FINREP is difficult.
R 07.02 - Mapping of critical functions to legal entities
- The heading in column 010 ‘Country’ does not match with the one in annex II ‘Instructions’ i.e. Geographical area. Furthermore, mapping critical functions to single countries (= single country break-down) is neither practicable nor reasonable. The legal entities should be solely mapped to their key (also regional) markets depending on the type of economic function.
- Some economic functions may be assessed as critical in a given country, but some legal entities performing them may be material only if considered as a group and not when considered individually. It is therefore important that template R 07.01 does not have entities as a starting point.
- The heading in column 060 ‘Bank assessment’ also does not match with the one in annex II ‘Instructions’ i.e. ‘Material entity’. Having said that, the way to complete the column 060 “Bank Assessment” should be developed.
R 07.04 - Mapping of critical functions to core business lines
- It is unclear for us why this mapping is necessary. The other EBA templates focus mainly on critical functions while core business lines are more or less neglected e.g. templates on critical services, FMI, information systems. Furthermore, the identification of critical functions and core business lines is based on deviating concepts (critical functions: predefined by the SRB independent from institution-specific business divisions / core business lines: defined institution-specific according to the business model). Thus, in some cases a mapping of critical functions to core business lines is not possible. We draw attention to the following two examples:
o “Payments services to non-MFIs” may be a critical function in a certain legal entity but may be at the same time an operational business service for two or more core business lines;
o “Lending to non-financial corporations – SMEs” as a critical function may be performed by more than one core business line, because the institution- specific customer segmentation does not correspond to the SME definition of SRB for critical functions.
- Furthermore, we consider the “geographical area” (column 010) should be national, continental or worldwide, in order to consider the cross-border activity of some internationally active credit institutions.
R 08.00 - Critical services
- Some jurisdictions ask for the introduction of a “resolution proof” in contracts of critical services. The following 3 columns should be filled only for credit institutions located in jurisdictions which do not impose “resolution proof” in contracts:
o Estimated time for substitutability (column 090)
o Estimated time for access to contracts (column 100)
o Resolution-proof contract (column 110)
- Regarding this template and in particular of column 100, given the time-consuming features and IT costs associated with the implementation of a critical services contract repository, in order to retrieve any/all the information for all contracts (with internal and external providers), a transitional period of at least two years is considered necessary and would be welcomed.
- Under column 110, institutions are asked to report whether the contract could be continued or transferred in resolution. The assessment shall take into account, inter alia, any clause that would entitle a counterparty to terminate or alter the contract solely as a result of the resolution. However, according to the BRRD, art. 68, a counterparty cannot terminate, suspend, modify, enforce security etc., solely as a consequence of a resolution. In addition, transfer of assets, rights and liabilities, when applying a resolution tool, does not require consent from any third party, see e.g. article 38. Based on this, it is not relevant to report whether a contract is resolution-proof if the contract is subject to the laws of an EU Member State. Accordingly, the requirement should apply only to contracts subject to the laws of a non-EU Member State.
- It should also be noted that this column makes detailed reference to what the legal assessment should actually take into account, including whether the relevant contract can “implicitly” be terminated or altered as a result of a resolution measure. We do not think that an analysis regarding such “implicit” rights is necessary or proportionate. In this context we refer to Article 44 (2) (g) (ii) BRRD which excludes provisions of goods and services that are critical to the daily functioning of the operations of an institution from the application of a bail-in. Accordingly, such creditors will have no incentive at all to exercise such “implicit” rights."
With experience of the FMI-reporting from previous years, it would be helpful if the definitions of the different FMI-systems could be enhanced as much as possible including a delimitation of what kinds of FMIs are out of scope. Moreover, as stated in the Key Points above, please consider the existing template required by the SRB for the institutions / groups under its remit, and the risks of duplicating the required information - thus increasing the regulatory reporting burden for the institutions – and/or creating different reporting for the same objectives.
R 09.01 - Users, providers and users - mapping to critical functions
- We support the application of a transition period and the introduction of this template three years after the entry into force of the implementing regulation. The proposed template should be endorsed by the SRM.
- The dropdown lists in columns 030, 040 and 050 seem to be misplaced.
- The ID identifier requested in column 010 should be better clarified: is this the code of the FMI infrastructure or of a specific service? Guidance should be given to institutions also in order to foster the comparability of the templates for the authorities.
- We would furthermore question how the EBA envisions reporting being done for a bank which operates with branches in different Member States and has access to FMIs via the legal entity of which the branch is part. To us it seems counterintuitive to report the same information several times for different branches when it will not have an impact on the branch’s access to FMIs in resolution (since it will be the legal entity that will be placed in resolution, not the branch).
- In Annex II ’Instructions’, the instructions for column 050 ‘Function ID’ states the “ID of the critical functions as defined in chapter 22.214.171.124 above and referred to in template 7.01”. There is however no chapter 126.96.36.199.
- Lastly, on this template, the completion of the two following columns should be required only in the absence of “resolution proof” in the contracts of the jurisdiction of the credit institution:
o Governing Law (Country) (column 130)
o Termination Trigger in Case of Resolution (column 140)
- Regarding the resolution-proof contract clause on page 35 in annex II ‘Instructions’, we consider the third bullet should be removed: ‘any best efforts commitment of the provider to ensure an orderly transition with a new service provider as well as a commitment to continue providing services in case of resolution during a reasonable period of time. The time envisaged in the contract should be long enough not to negatively affect the restructuring of the entity post-resolution’. This is an excessive requirement from the point of view of the provider and which might be extremely difficult to negotiate. Furthermore, according to this point, the provider could be forced to continue providing the service even after the maturity of the contract.
- As a general remark it is not fully clear what the added value of templates R 09.02 and R 09.03 is. It may seem as if they are merely a repetition of the information in R 09.01.
- Should these templates stay, we support the application of a transition period and the introduction of these templates R 09.02 and R 09.03 three years after the entry into force of the implementing regulation. If FMI templates, R 09.01 to R 09.03, are reported every year, they should be reported on 31st May considering their complexity as it will be very troublesome to report those templates annually by 31st March.
10.1 Critical Information systems (General information)
- In column 020, from a resolution perspective, it is not clear what the purpose of detailing if the systems used are purchased as-is or with custom modifications. We would argue that the categorisation used in the previous version of the EBA-ITS template adds more value i.e. risk management, accounting, regulatory reporting etc.
- In the original ITS on information for resolution plans from 2014-2015, the EBA introduced Annex IX called “Information Systems”. The instructions of template IX referenced to the Section B of the Annex to Directive 2014/59/EU and requested “[…] a detailed inventory and description of the key management information systems, including those for risk management, accounting and financial reporting […].” As such, the EBA should specify what is expected in every column and in every row of the template. Presumably, the templates R 10.01 and R 10.02 now called “Critical Information Systems” of the current consultation process represent an update of the former Annex IX. We would like to understand whether “Critical Information Systems” are synonymous with “Key Management Information Systems” and whether the reference to Section B of the Annex to Directive 2014/59/EU is still valid. For example, does the focus of the templates still lie on risk management, accounting and financial reporting?
- We further draw to the attention of the resolution authorities that neither “Critical Information Systems”, nor “Key Management Information Systems” nor “Information Systems” are terms commonly used in bank practice. There is no industry-wide standard nor a commonly-accepted definition so far. As such, the EBA should specify what is expected in every column and in every row of the template. The definition of “Critical Information System” in the annex II ‘Instructions’ is too vague. What is more, it is completely unclear what the core intention of the EBA is behind the two templates. The lack of a clear-cut definition and a missing industry standard will inevitably lead to a very heterogeneous data provision across European banks. This cannot be in the interest of resolution authorities.
- Furthermore, the IT infrastructure of large banks consist of thousands of IT products and IT systems. These IT products often come in IT supply chains. While information, for resolution purposes, might be centralised in data warehouses, the information is supplied to the data warehouses by a multitude of other IT products. Without these data supplies, the data warehouse would be useless as only an empty shell. Do “Critical Information Systems” only include the data warehouse or the whole IT supply chain? We also note that there are IT products that cannot be mapped to specific critical functions but are indispensable for bank operations and the IT infrastructure of the bank as a whole. It is important to understand how these IT products should be dealt with, as if these products shall be included in the templates, the list would be extensive.
- Considering current market trends e.g. big data, in memory technologies, the borders between “Management information systems” and IT products supporting the operational business become blurred even more. Thus, a differentiation in this way does not appear sustainable to us.
- As the term “Information Systems” is not used in bank-practice, as explained above, these systems are not readily available. Rather, the identification of these systems is a manual task for thousands of IT products. It is important that resolution authorities understand the enormous challenge this represent for banks and the need for massive resources. Therefore, banks need concrete assistance with the following points:
o first, in order to perform a mapping of information systems to critical functions, the critical functions need to be stable (= no moving target);
o second, banks need to understand more fully what the basic intention of the resolution authorities is behind the templates, what the resolution authority wants to know and what the focus is;
o third, there must be a clear-cut definition and industry-wide standard of the term “Information Systems” which has to be prescribed by the EBA and the resolution authorities;
o fourth, the EBA must clearly define the scope of “Information Systems” with regard to IT supply chains and IT products that support the IT infrastructure and bank operations as a whole and cannot be separately linked to single critical functions.
- Lastly, it is highly recommended that the exercise of identifying parts of the IT products and systems for resolution purposes be harmonised with similar tasks which are frequently conducted. To name just two examples, the institutions business continuity management as well as the information security management contain well-known and standard-based procedures to identify the crown jewels of the IT landscape.
10.2 Mapping of Information systems
- In the template R 10.02 (mapping of information systems) one column (010) to report the System Identification Code" is not sufficient as some large and internationally active banking groups have several identification codes."