Civic Review, Vol. 15, Special Issue, 2019, 93–115, 10.24307/psz.2020.0205
Financial supervision, including banking supervision, has evolved over the last hundred years in terms of both its institutional system and its methodology and approach. The biggest impact on development was caused by various economic crises and scandals at certain financial institutions. In order to be able to mitigate the impact of financial crises on the banking system and to detect and deal with banks’ problems in a timely manner, financial institutions must be subject to continuous supervision. The most recent era in Hungarian banking supervision began on 1 October 2013, when the Magyar Nemzeti Bank took over the role of the Hungarian Financial Supervisory Authority, thereby integrating micro-prudential supervision into the Hungarian central bank. Renewal can be identified throughout the set of instruments for Hungarian supervision, including continuous supervision and investigation methodologies. The entire set of instruments is characterised by a change of approaches, i.e. the reactive, “retrospective risk management” approach has been replaced by a proactive approach. As technology develops, it has become possible for the Supervisory Authority to use solutions that enable it to be present in the life of an institution without interfering with its business. In addition, the spread of digital channels has dramatically changed the financial habits of people and institutions. Information technology is becoming indispensable in more and more areas of life. Managing and monitoring the inherent risks is a major challenge that requires innovative solutions. The only constant is change. This paper presents a detailed overview of the latest supervisory developments and regulations.
Journal of Economic Literature (JEL) codes: G01, G21, G29, O30/39
Keywords: renewed banking supervision, innovations in supervision, MNB Supervision
Brief overview of international banking supervision
Generally speaking, the development of the supervision of financial markets – including the development of banking supervision – occurred hand in hand with various scandals at financial institutions, banking crises and, in some cases, turbulences affecting entire banking systems. Both the changes in the institutional framework for financial supervision and the innovations in its supervisory instruments are generally responses to unfortunate institutional bankruptcies and the resultant depositor or taxpayer losses. These milestones are easily identifiable. One such event was the depression of 1929–1933, following which the regulation of supervising organisations was raised to the level of legislation in some countries, while development remained at the level of the national states, with the most advanced financial markets of the time at the forefront, such as the United States, the Netherlands and Belgium. The meaningful launch of a uniform regulatory approach at the international level can also be attributed to the crisis of a well-known bank, the Herstatt Bank House, which triggered the international coordination of banking supervision and banking regulation in the 1970s. Establishment of the Basel Committee on Banking Supervision at the end of 1974 was a huge step towards a unified global regulatory approach. There should be unified approaches and principles that define the fundamentals of banking all over the world. There is special literature on how the Basel Commission recommendations have become more complex and how they have advanced from capital requirements through credit risk requirements to other risk segments. The economic crisis of 2008 was the latest international event that led to the termination of many banks around the world, which put entire banking systems and countries in distress and had a significant impact on supervisory institutions. After that, more and more countries decided to transfer banking supervision to central banks, thereby reinforcing their independence.
Institutional, regulatory and methodological innovations were thus generally driven by crises at financial institutions and major economic crises, while technological advances continue to support the development of supervisory authorities. As in all other sectors, IT innovations play a key role in this regard, preparing the regulatory authority for a deeper, more up-to-date involvement in the day-to-day operations of institutions and, and to intervene in good time, where necessary. Continuous presence, the earliest possible recognition of problems and addressing them as quickly as reasonably possible were demands manifest in every age, but technological progress in the 21th century has offered solutions that make these more feasible than in any previous period.
Banking supervision in Hungary
Hungary and Hungarian banking supervision could not have avoided the international mega-trends, even though the changes began later compared to the developed financial markets. On the institutional side, entities overseeing different sectors of the financial system were created around the political changes of 1989–1990, initially independently of one another. Subsequently, starting from the second half of the 1990s, the merger of supervisory authorities related to different markets in the financial sector began. First, the banking supervision and capital market supervision were merged, and from 2000, the Hungarian Financial Supervisory Authority was established, which also included insurance supervision. As in many other countries of the world, the economic crisis of 2008 highlighted the need for a new supervisory strategy to detect the risks in good time. However, an integrated supervisory approach, separate from the central bank, was in place until 2013. The milestone on the path to renewal was 1 October 2013, when upon the termination of the Hungarian Financial Supervisory Authority, the tasks of the Magyar Nemzeti Bank were supplemented with the supervision and consumer protection functions of the Hungarian Financial Supervisory Authority, thus making it possible to concentrate the macro- and micro-prudential mandate in a single institution. In 2014, the Magyar Nemzeti Bank (MNB) also established a resolution division, through which efficient crisis management could be provided for institutes that were struggling with problems, but were economically viable. Overall, in line with international trends, the supervisory function of the financial system was thus integrated into the Magyar Nemzeti Bank, establishing a central bank with one of the most sophisticated toolkits in the world, consolidating the micro-prudential supervision of all markets of the financial system, including the micro-prudential oversight of the banking, insurance, fund, capital and intermediary markets, the macro-prudential oversight of the financial system, the function of resolution, as well as financial consumer protection, and including the complete set of monetary policy instruments.
Starting from the second half of 2013, the MNB, which had been strengthened in its financial stability toolkit, has taken a number of steps to develop new approaches and methods to address risks to the financial system, including the banking system, in an appropriate and timely manner. Thanks to continuous improvements, the earlier periodic control approach, which mainly addressed existing risks, was replaced by a forward-looking approach, i.e. forward-looking supervision, and a continuous, risk-based, close presence in the institutions. The financial crisis of 2008 demonstrated that the market’s self-regulatory capacity is low, and it is up to supervisory authorities to detect and address signs and practices of unhealthy financial intermediary systems before they become widespread.
Renewal of continuous supervision, basic monitoring and early warning system in continuous supervision
The basic pillar of effective supervisory activity is the ability to intervene in time. The primary means of transitioning from a reactive to a proactive practice is to shift the focus of supervision from periodic on-site audits to continuous supervision. Technological tools support this process, and someday it may be possible to receive information automatically online, twenty-four hours a day, without physical presence, from a supervised credit institution. However, one prerequisite for this is that the supervisory authorities have more detailed information on the functioning of the supervised institutions than in the past. To accomplish that, the volume of data requested from institutions has increased several-fold in Hungary, as in other EU member states. However, this in itself is not enough, as it must also be possible to process the incoming data and analyse the mass of information, extracting those elements that reveal in a timely manner when an institution is exposed to risks, including risks which need to be managed. This required the development of a basic monitoring system and the establishment of an early warning system based on such, which indicates problems by means of dozens of indicators, on the basis of the incoming data. After that, the need for supervisory intervention is examined. This basic monitoring system, which is under constant methodological development, is a kind of continuous forecasting system. Over time, more and more indicators are activated in the monitoring instruments. The reason for this is the recognition that it is not sufficient to capture the operation of a bank by risk segment, such as credit risk, operational risk, market risk, etc. ... it should also be assessed what are those relations in an upswing economic environment or even in a crisis or post-crisis situation, which best capture the current situation and the anticipated future risks of a bank. The technological advances of the 21th century provide the opportunity for a monitoring system to be IT-based as much as possible, and increasingly automated, and for a kind of alert system as well, to be based on the monitoring information. The new dimensions opening up to us with the rise of artificial intelligence in the field of automation and a forward-looking approach are now evolving in front of our eyes. The essence of the alert system is that in the case of sudden and unexpected changes in the data of interest and value to the supervisory authority, a different pattern than before emerges, the system will send an alert to the data evaluation officer, who will then investigate the cause for the alert and, if necessary, take action to fix the problem. Since 2013, several new, complex indicators have been developed that assess and evaluate different risk segments, in order to detect problems as soon as possible when the riskiness of a bank shifts in an adverse direction.
But such a system alone would not be able to fulfil its function if this numerical information was not supplemented by qualitative information which, on the one hand, is received through the regularly conducted prudential interviews, and on the other hand, by requesting materials submitted to the meetings of the supreme decision-making bodies, which constitute an important pillar of regular reporting. Regular institutional interviews, which are conducted quarterly for institutions of systemic importance, provide an excellent opportunity to uncover information and changes in business model and strategy that cannot be inferred from the numbers. During the conversations, the representatives of the institutions have a chance to respond to the trends that can be inferred from the monitoring system, to one-off outliers, and the supervisory authority can also express their opinion on the operation of the institution.
The documents submitted to meetings of the supreme decision-making bodies, such as proposals and minutes prepared for meetings of the Board of Directors, the Supervisory Board and the Senior Lending Committee, ensure that the Authority can very closely follow and detect the direction in which the institution is moving. Naturally, in the course of its operations a bank makes many decisions that require significant resources to process, and the Authority’s capacity to process these fully is limited, but technological advances and the risk-based approach support increasingly close monitoring of the activities of institutions of systemic importance. Development is clearly heading in the direction of having more and more institutions subject to continuous monitoring, which does not seem to be an impossible mission with the development of technology. Other information obtained by institutions in larger volume and in-creased frequency, such as more frequent physical presence in meetings of various bodies, furthermore, indications received from customers and channelled in the process of supervision also support early intervention. By processing these data, MNB staff can keep up-to-date with the activities and operations of the given financial institution and, if necessary, intervene in a timely manner in order to prevent risks and violations of the law. Due to the regular quarterly evaluation of the basic information sources described above (monitoring system, prudential interviews, participation in board meetings and their materials, consumer indications), the Authority is indeed able to forecast the main directions of operation of institutions, and therefore detect any potential negative trends. In practice, as part of the quarterly evaluations, the expert responsible for processing these sources of information for the institution in question will provide the management with a summary of the most significant changes and events that deserve mention on a risk basis over the past period, and propose additional steps to be implemented by the Authority, if necessary. It should be noted that due to the limited resources, supervisory activity is performed on a risk basis. The idea is that each institution is ranked annually in terms of its impact on the financial sector. The more significant the impact of the operation of an institution on the domestic financial sector and the economy, the more emphasis should be placed on it in the course of supervision. In its risk-based oversight, the MNB oversees and audits individual institutions based on their weight in the financial system and their risk profile.
Inspection methods, with special regard to the renewal of on-site inspections
The previous section outlined the tools and channels of information available to financial supervision in Hungary today to reach the institutional actors of the banking system and to monitor their activities, in order to obtain up-to-date information and draw forward-looking conclusions on the operation of banks, and where appropriate, to be able to intervene in due time. However, these fall into the category of so-called ongoing supervision, and at present are not sufficient in themselves to provide a comprehensive picture of a credit institution. They are complemented by various on-site inspections. On these occasions, the supervisory staff will review certain aspects of the operation of the given institution at the premises. It is a legal obligation of the MNB to conduct, at specified intervals, a comprehensive on-site investigation of the various supervised institutions. As a result of the supervisory operating regime renewed after October 2013, the Authority has moved towards conducting more and more investigations in the banking system, other than the comprehensive investigations required by law. In line with the MNB’s general operational approach, these investigations are much more targeted events focusing on specific problems and risks. The background to this renewed approach is that, due to the demands of today’s economic and regulatory environment, the processes and internal control systems of supervised institutions are changing so rapidly that it is necessary to assess the risks of institutions on particular subjects. Simply put, the financial world is changing too fast for a detailed on-site inspection of institutions conducted once every 3-5 years to be sufficient. In order to obtain an accurate picture of the daily business of an institution and the directions of its development, we had to increase our presence. Of course, this is a resource-intensive task, and the available capacities of the Authority are finite, but with the help of risk-based audit design, we have been able to make significant steps towards our goal, by enhancing our targeted and thematic inspections with a narrower focus.
The advantage of the new approach is that risks can be investigated shortly after their occurrence, and if necessary, intervention can be launched before the escalation of negative events, thereby preventing a systemic accumulation of risks. As a result of the thematic investigations, the MNB is able to obtain a sector-wide, horizontal information base and assessment of the evaluated risk, thereby facilitating more standardised supervisory action. Risks are identified by evaluating information received from ongoing supervision and processing data reports to the authority, meaning that ongoing supervision substantially supports and influences when and what type of investigation is conducted at a bank, along with the regular comprehensive review.
In order to facilitate fast and effective supervisory responses, so-called operational investigating units have been set up, which specialise in rapid, on-site risk assessment. The purpose of their activities is to provide immediate on-site inspection and intervention based on the information and risks reported during ongoing monitoring. In the case of operational investigations, the difference from other inspections is that there is no need to notify the institution in advance of the initiation of the investigation, and the investigation is carried out on an identified, specific topic, which often involves copying the contents of the institution’s data media (e.g. computer, telephone) (Lehmann et al., 2017).
Using the tool of thematic inspection, in 2015 for eleven banks the MNB investigated whether their remuneration practices were in compliance with the law and did not encourage excessive risk-taking, and whether the banks that acted as group leaders were enforcing their remuneration policies for group members subject to consolidated supervision. In 2016, by way of a thematic investigation on non-performing loans (NPL), the MNB sought to determine whether banks have a strategy in place to reduce their NPL portfolios, as well as the necessary resources and appropriate tools, by reviewing the practices of eleven institutions. In addition to the investigations, in-depth analysis of various risk-related topics by surveys was promoted, in order to explore the sector-level risks and market practice. In 2017, institutions conducted an analysis of their impairment recognition methodology and collateral management practices, the direct result of which was the entry into force of a comprehensive property valuation supervisory authority recommendation in 2018.1
Of course, comprehensive investigations have not lost their significance over the years, but as a result of several methodological innovations, they have become more targeted and focused. In the context of renewing comprehensive investigations, the following methodological changes have recently strengthened the MNB’s functions in the credit institution sector:
- With regard to the investigation programme of comprehensive audits, risk-based planning has been reinforced, including the assessment of information from ongoing oversight; furthermore, the investigative focuses designated on the basis of the processing of data reports to the supervisory authority will play a more prominent role in conducting investigations. As a result, there are risk segments within the comprehensive investigations that are explored more deeply, in greater detail, and in some cases through a larger sample, for greater certainty.
- The role of addressing annual supervisory priorities in comprehensive investigations has also increased in recent years. This is based on the fact that each year the MNB evaluates the previous year’s supervisory events and experiences, as part of the planning period for the upcoming supervisory year, considers the anticipated economic environment, future trends and risks, and sets out its comprehensive supervisory priorities on that basis. Such priorities included, for example, promoting the deleveraging of the NPL portfolios that developed after the crisis, monitoring the transition to IFRS standards as a result of changes in global accounting requirements, and tight monitoring of new lending processes emerging as a result of the resumption of lending. These horizontal priorities appear more prominently in the audit programme of comprehensive investigations.
- The previous audit practice based on the assessment of transactions and purely focusing on legal compliance has been replaced with a multi-step audit approach:
a) In order to ensure that – above and beyond legal compliance – the individual prudential compliance audits can be implemented in the widest possible scope at the level of the given institution, the MNB recently established the framework for examining compliance with regulatory and prudential requirements at the portfolio level, using analytical tools, which are implemented using the highly granular inspection analytics generated by the credit institutions. After having been tested by the MNB for thoroughness through agreement with the general ledger, the credit and coverage an-alytics generated by the institutions, with detailed data contents, go through a filtering package containing hundreds of checks, including a review of the following: are the given data fields populated in the correct format; equivalence of the institution’s value sets with the values expected by the MNB; proper application of logical relationships between individual data fields; application of the loan coverage value and income-rated instalment rules; conduct of the customer, transaction and collateral reviews in a timely manner; correct application of customer and transaction rating categories; adequacy of collateral allocation; proper application of segmentation; adequacy of the level of group impairment; the adequacy of the risk weights used in capital calculation.
b) the MNB carries out audits of individual risk processes in a process-oriented manner, thereby facilitating the identification of systemic deficiencies,
c) in support of the above, the MNB applies statistical, expert and focused sampling on the basis of a complex methodology, in order to explore deficiencies that can be observed in practice,
d) during the process audits, the MNB pays special attention to monitoring the IT support of risk assumption activities and, in close cooperation with IT security oversight areas, verifies the prudential compliance of the relevant IT applications,
e) the MNB conducts proactive communication in order to remedy the deficiencies discovered in the course of investigations as soon as possible, and reports the errors observed in their operation to the audited institutions.
In line with international requirements, another important innovation of the renewed banking supervision is the so-called ILAAP 2 reviews, used to audit the liquidity positions of institutions and the management of liquidity risks, which take place – in addition to analysing information obtained from regular data reports – in the form of on-site investigations. Previously, the MNB had used balance sheet and deposit coverage ratios to monitor the liquidity of the banking system and measure systemic risks related to liquidity, but this was discontinued based on the experiences from the 2008 global financial crisis. Balance sheet and deposit coverage ratios have been replaced with the so-called Liquidity Coverage Ratio – LCR, compliant with the international regulatory standards, enabling a more segmented, more in-depth analysis of items affecting liquidity (Lehmann et al., 2017). “Pursuant to the liquidity coverage requirement prescribed by the rules of law in force, institutions shall possess such a volume of liquid assets, the total value of which covers, in a situation of distress, the difference between liquidity outflows and inflows, ensuring that such a level of liquidity buffer is maintained which may be appropriate, in times of severe distress, to bridge any imbalance between outflows and inflows for a period of thirty days” (Lehmann, Palotai and Virág, 2017, p. 883). However, practical experience with the application of the LCR indicator has also highlighted certain shortcomings of the indicator, notably that it does not take into account the risk of deposit concentration, and therefore the supervisory authority has provided guidance in that context as well to the sector, through the modification of the regularly renewed ICAAP / ILAAP manual. The essence of the modification is that it has been formulated as an expectation from the institutions that the part above the threshold of individual deposits exceeding a certain percentage of the deposit portfolio should be fully covered by liquid assets. The key areas of liquidity risk management are changing dynamically as a result of factors affecting the banking system, thereby adapting to the risks inherent in banking practices. An example of such an identified risk is the failure to take into account fixed but callable deposits in the LCR. Therefore, the MNB expects the institution not to automatically classify its liabilities into LCR categories based on their maturity, but to review whether they have any call option. Also, an inadequate assessment of the operational relationship also leads to underestimating the risks. In the LCR calculation, “only that portion of the deposit that is required for using the service for which the deposit is a by-product, shall be treated as an operational deposit.” Accordingly, the MNB expects the institution using the operational deposit category to have a methodology to determine the balance needed to maintain the operational relationship. On the other hand, it should make a statistical estimate to determine whether the average outflow factor of the deposit holdings, divided up into an operational and a non-operational part, reflects the risk of the entire deposit holdings appropriately. The MNB also assists the institutions by publishing these priority topics, by defining the legal requirements accurately, and by identifying and managing the liquidity risks that affect them.
The MNB also complies with international expectations by conducting ICAAP3 reviews at the banks, which assess the capital requirements set by credit institutions to cover the risks assumed by them and, if necessary, determines additional capital requirements for the institution. The starting point for this is that all credit institutions are required by international rules to assess their internal capital requirements and to develop calculation procedures that will enable the institution to assess the level of its capital requirements. The European Supervisory Authorities, including the Hungarian Authority, expect the institutions to regularly review whether their available capital covers their losses in times of stress. These tests are conducted by risk type. Credit risks carry the most weight, which are the effects of the risk of default of contractual counterparties on the profitability of the institution and on losses affecting its capital position. It is in this context that the default, counterparty, foreign currency lending, settlement, equity, concentration, country, and residual risks are assessed. In addition to credit risks, special consideration is also given to operational risks, market risks, bank interest rate, business risks, strategic risks and regulatory risk, as risk types. The MNB evaluates the capital requirements of credit institutions calculated for themselves, for each type of risk annually. Its methodology has been constantly evolving over the past five years, influenced by the experiences from the crisis. In the past, ICAAP reviews for non-systemically significant institutions with a weak impact took place annually, on a desktop basis, without any on-site inspection, but each systemically significant institution underwent an annual on-site assessment. In recent years, the central bank has developed a transparent and compelling view on both risk management and the calculation of capital requirements covering the risks. For the latter, benchmark methodologies have been developed to support the acceptability or rejection of the several different calculation methods used by institutions for the risk models. This ensures transparency vis-à-vis the institutions on the one hand, and helps with the comparison of the models based on mathematics and statistics on the other hand. In conclusion, the ICAAP review methodology was a function of the size and risk profile of the institutions. However, given that systemically important credit institutions have, over the years, understood and learned the MNB’s expectations and methodology for ICAAP calculations, and through annual reviews it became clear that the ICAAP calculations had been built into the everyday operation of the institutions, it became possible to shift in the direction of having every institution evaluated by on-site investigations as well. Naturally, due to the limited capacities available, these can only be conducted at certain intervals. Another argument for the change was that there is no such thing as a small or large bank, a systemically significant or not so significant institution from the perspective of the customer, depositor, creditor, depositors authorised their banks to manage their funds trusting that they will certainly get their funds back, and it is the responsibility of the Supervisory Authority to ensure that every institution should have this kind of public trust. The new approach essentially consists of classifying institutions into three categories, depending on their size and risk profile. The first category is subject to a comprehensive, full ICAAP review, the second group of credit institutions are subject to targeted investigations with a narrower focus, but the Authority will still make on-site visits, while the third category will be subject to evaluation without an on-site investigation. Based on the methodology, every institution undergoes a comprehensive review every three years, but the systemically most significant and the most risky institutions continue to be evaluated by on-site investigation.
Data backup, data analysis support during on-site inspections
In addition to data analysis carried out as part of its ongoing oversight, the MNB also performs data collection and analysis as part of the investigations and procedures it conducts. This type of data collection can be divided into two groups according to the processing of the information: when the selection of the data is performed by the supervised institution, and when the selection is performed by the MNB at its branch office in order to ensure and control completeness. “The highest level of data collection is when the MNB makes a physical mirror copy or a certified copy of the data owned by the institution or its staff, including data stored by a hosting provider, and uses the copy to scrutinise the saved data. In this case, MNB is not only responsible for the restoration and processing of the data, but also for demonstrating the integrity and authenticity of the data, which is currently guaranteed by the MNB by using so-called hash codes and hash functions. The first step in processing database backups is to establish the same IT environment as the platform of the backup database, and then restore the database in the same way as the one at the supervised institution’s site. After this, filters, reports and analyses are prepared, which is performed using the same logic as during data requests. Querying data from a restored database has many advantages over obtaining the data files. On the one hand, the risk of data falsification is significantly lower; everything can be audited; sampling is possible on the basis of a more precise risk classification, for more in-depth investigations, on the other hand, it is possible to eliminate problems due to information asymmetry between the requester and provider of the data (e.g. the data provider does not prepare the statement with the required logic/content).
However, there are special requirements for database backup, such as higher IT infrastructure, the information security risk is higher, increased needs for human resources, and the Supervisory Authority needs to have a broader scope of information and skills concerning the individual operation of the investigated institutions. Processing of the physical mirror copy or certified copy differs from the processing of database backups in that in this case the content of the copy remains unknown to the Authority until the beginning of processing, furthermore, the content of the copy is unstructured, and therefore the MNB must have the necessary data analysis infrastructure and the required expertise “ (Lehmann, Palotai and Virág, 2017, pp. 876– 877). At the same time, the MNB has also moved towards the collection of granular data for regular data reporting, as much more detailed and accurate analyses can be conducted on this basis, both by the Authority and other areas of the MNB. A major milestone in this ongoing journey will be the launch, in 2020, of a project initiated by the MNB, which will provide the MNB with regular elementary information on virtually the entire credit portfolio of the supervised institutions, thereby replacing a large number of data reporting tables currently containing aggregate data.
Supervisory stress testing
It has already been mentioned that according to the MNB’s view a forward-looking approach contributes significantly to the stability of the financial sector. One way to do this is to apply stress tests. These stress tests are designed to verify whether in the event of a significant macroeconomic shock the supervised credit institutions would remain sufficiently liquid and capitalised. Since the outbreak of the last financial crisis, special attention has been given to banks’ ability to withstand shocks and absorb losses. With the help of the national micro-prudential authorities, the European Banking Authority (EBA) has been investigating this for larger European banking groups since 2009, but to date there have been no material consequences of these tests. One of the major accomplishments of the common European banking supervision has been the harmonisation of the supervisory review and evaluate procedure and its incorporation into a recommendation, based on which the supervisory authorities work in a uniform manner to identify risks to banks. In order to ensure that stress resistance of financial institutions with foreign parent banks and domestically-owned financial institutions operating in the respective countries can be tested directly by the national supervisory authorities, the EBA supplemented its aforementioned recommendation, which was published on 19 July 2018 (EBA, 2018). Having taken effect officially from 1 January 2019, the guidance requires the relevant authorities to establish a Pillar II capital recommendation (in short: Capital Guidance or P2G) for credit institutions or groups of credit institutions. As a result, the financial system, taking shape since 2017, and separately each of the innovations aimed at ensuring the stability and more secure operation of banks, have been incorporated into the regulation. To determine that, supervisory solvency stress tests had to be developed, which the MNB did in early 2018. The micro-prudential authority will run the first stress test developed by it and determine Capital Guidance on the basis of the balance sheet total of the complex SREP for the largest Hungarian-based banks in the first year, and from 2019 onwards, for small and medium-sized banks. P2G is a supervisory guideline whereby the micro-prudential authority determines the amount of capital buffers it considers justified in addition to the prescribed SREP capital requirements (TSCR) and macroprudential capital buffers (collectively OCR), so that the supervised institution does not violate its requirements under stress conditions. So this is a kind of “proper safe distance”. The management of the banks has so far held additional capital to avoid the violation of the capital requirement (OCR), but this is now being quantified by the supervisory authorities in a single stress test and imposed on the banks in the form of a recommendation. It is important to underline that the new instrument is a guideline and does not constitute a direct capital requirement, but merely determines the amount of additional capital that the supervisory authority deems desirable based on the results of the stress test. The supervisory authority strictly penalises any violation of capital (quasi-car crash), and only declares keeping the “proper safe distance” as desirable. At the same time, the MNB will closely monitor institutions where it finds that this buffer is inadequate and that there may be a risk of a capital infringement on the planning horizon, i.e. the institution stays within the proper safe distance defined by the Supervisory Authority. In the default case, the P2G valid for a given year is determined based on the stress test conducted in the previous year. Therefore, the MNB calculates the P2G values determined at level of the individual bank (sub-consolidated level,) effective from 1 January 2019 as a result of the stress tests conducted in 2018. Since P2G has been formulated at recommendation level only, in the beginning any violation of the established value only results in intensive communication between the Supervisory Authority and the bank, and the preparation of a capital position recovery plan. However, in the absence of a willingness to cooperate, the Supervisory Authority may even apply the tools reserved for capital infringement.
The supervisory stress test methodology is based on a European-level equivalent developed by the EBA. However, in order for testing to be fully applicable to all actors in the Hungarian financial sector, the generalised framework for larger European banking groups had to be slightly revised. The main methodological difference was the shift from an approach based on the use of partial bottom-up, that is, the use of internal banking models constrained by a certain framework. The stress test developed by the Hungarian supervisory authority is fully centralised, in order to ensure better comparability between banks, i.e. both the definition of the macro scenario and the models used for forecasting and populating with data are ultimately controlled by the MNB. The aim of banking regulation is to further strengthen the forward-looking approach, which has also been supported by a change in the accounting standard to be used by credit institutions. For European credit institutions, one of the major innovations of IFRS9, introduced in 2018, was the provision for the calculation of impair-ment of loans. While the previous impairment model was capable of handling only actual, evidence-based losses, the new standard models expected credit losses, which brings forward the recognition of impairment in time. The supervisory stress test has joined this direction since 2019, which can therefore simulate properly and more realistically the recognition of impairment occurring differently in terms of dynamics and extent, in the case of simulating a possible crisis or deteriorating macroeconomic environment.
Viability assessment based on ongoing monitoring and inspections
The previous sections described the activities covered by constant supervision, constituting the backbone of the activity of the Supervisory Authority, and by the various investigations. However, these are not a series of point events, but rather the information extracted from them culminate in a complex, annual institutional assessment. This is a representation of the concept that monitoring is an uninterrupted process. The closing moment of this process for a given year is the viability or SREP dialog, which systematises all activities carried out by the supervisory authority in the given year, from the processing of regular data reports, through completed inspections, through prudential interviews, to the on-site inspections of the given year, all the way to ILAAP, ICAAP evaluations. Since the end of 2017, the system, built on a methodology developed by the European Banking Authority, provides a clear view of the viability of institutions, key aspects of their operations such as corporate governance, credit risk, operational risk, capital position and liquidity, based on more than 70 indicators and qualitative information, and through evaluating these by applying transparent and comparable principles. The subject matter of the SREP CEO meetings, which is a summary of the SREP dialogue covering the entire supervisory system for a given year, is attached to this evaluation because it provides a complete overview of the institution’s operation and its assessment by the supervisory authority, through the composition of the set of indicators. In respect of systemically important institutions, the indicators are updated quarterly, but even for smaller institutions, the analysis and the resulting assessment are performed annually. The annual evaluation discussions take place at the supreme level of governance of the institutions, to ensure that the senior management of the credit institution sees and hears at least once a year what the Supervisory Authority thinks of the institution they manage, its weaknesses, areas for improvement, major risks, and the focal points of the next year from the aspect of the supervisory authority. The information received in the course of ongoing supervision, as well as on-the-spot and other investigations that have established the viability value of a given institution for the given year, are presented here. This kind of approach, formulated in a logically closed system, is one of the supervisory achievements of recent years, helping the Authority to understand and evaluate banks in a complex way, and to allowing credit institutions to understand what they need to do to ensure the development of areas considered by the Authority as the carrying the highest risk.
It is the primary responsibility of the incumbent supervisory authority to channel the information obtained from the sector through ongoing supervision and investigations to the institutions in the form of legislation, recommendations and management circulars, to ensure that the practices of the institutions meet the prudential and other requirements as much as possible. The Authority has prepared extensive recommendations to the sector in the recent period, one of the key motives of which was to communicate the lessons learned from the crisis and post-crisis period to the supervised institutions. Although the former financial supervisory institution had had a similar tool before the supervisory task was delegated to the MNB, due to the previously mentioned complex financial stability toolkit employed by the MNB, the published recommendations can be more attentive not only to the problems occurring in micro-prudential supervision, but also to the macro-level risks. The NPL (Nonperforming Loan) package, which came into force in July 2018, is of particular importance in this respect. The Recommendation package is a coherent system of multiple recommendations built on one another. The set of recommendations is intended to prevent the bad practices observed during and after the crisis, so the key objective is to prevent high non-performing loan portfolios from developing in the sector in an uncontrolled way, and to keep the institutions prepared to write off the portfolio of non-performing loans, to prevent these from being entrenched in the books of the institutions, as these portfolios draw off significant resources from their core business, thereby undermining the efficiency of the financial intermediary system. The central element of the package is MNB Recommendation no. 10/2018 (II.27.), implementing the NLP recommendation of the European Central Bank, which requires supervised institutions with a high non-performing portfolio to have a strategy for de-leveraging their NLP portfolio, which they are required to submit to the Supervisory Authority. In addition to the preparation of the strategy, the recommendation also sets out organisational and process expectations, in order to ensure that the strategy’s realistic but ambitious goals remain achievable.
The other pillar of the package is Recommendation 12/2018 (Part II) on the structuring, monitoring and proper valuation of real estate-based project funding transactions. Real estate-based project financing was a major problem for the domestic banking sector during the crisis, and therefore it is crucial that lessons learned from the crisis are embedded in the practice of both institutions and the supervisory authority, which is implemented in practice by the Recommendation.
Closely related to this is Recommendation no. 11/2018 (II.27.), which provides practical guidance for the valuation of real estate collateral, both for supervised institutions and the real estate appraisal trade, defining such cornerstones, concerning both the professional content of real estate appraisals and how the banks should treat real estate appraisals and appraisers, which, when applied properly, are capable of ensuring that the real properties used by the institutions as collateral are taken into account at an adequate value when lending decisions are made.
Purposes and means of the digital renewal of supervision
From the previous sections, a kind of new approach can be inferred, i.e. that the MNB, as the supervisory authority, attempts to be present in the lives of institutions without hindering, slowing down or disabling their prudent business operations. In today’s modern, computerised world, this kind of approach can work, but it requires further development of methodologies and further shaping of the set of supervision instruments. The keyword is digitisation. The strategic goal of the MNB and the defining element of its mission is the realisation of “Digital Supervision”. In practice, Digital Supervision means that the Supervisory Authority continually seeks and implements technical solutions and innovations that can make its operations more efficient. On the one hand, a supervisory solution is considered effective if it can transform the inherently reactive, subsequent nature of supervision into a proactive one that focuses not on managing existing risks, but rather on preventing such risks from emerging. On the other hand, a supervisory solution is considered effective if it succeeds in replacing random supervision or supervision by expert sampling with a risk-based solution that involves the full or the most comprehensive processing of the data. Thirdly, it is effective if the data to be processed are collected and processed in the most raw, genuine form possible, thereby reducing the possibility of fraud and data manipulation. Fourthly, it is effective if the automation of the processes reduces either the need for human resources or the number of human errors.
IT supervision – the only constant is change
IT supervision is another one of the areas that is constantly changing and thus requires continuous professional development to keep experts abreast of the latest technologies. At the same time, the methodological foundations of IT supervision need to be updated from time to time, proactively anticipating the changes. Meanwhile, supervised institutions must be provided with a stable, predictable regulatory environment that allows for technical innovation and delivers a secure framework for new developments, since a major system change or implementation of a new system is usually a multi-year project. The IT Supervision Department of the Magyar Nemzeti Bank operates in this challenging professional environment. In the following sections, we will discuss IT as a supervisory area, but there seems to be a clear direction that we cannot talk about state-of-the-art supervision without having every major function of supervision (constant monitoring, area of investigations) turning more and more into an IT function. Today, IT solutions have emerged that can automate many processes, and artificial intelligence can open up unprecedented opportunities for the continuous monitoring of prudent banking operations.
Methodological developments in IT supervision
The spread of IT tools, the increasing penetration of smartphones and the emergence of generations of “digital natives” have resulted in IT becoming a part of our everyday lives, and we increasingly manage our finances through electronic channels. This trend has been recognised by both financial institutions and regulatory authorities, which is why banking digitisation is increasingly promoted in institutions’ strategic plans. One example for that, which has been increasingly widespread, is the conclusion of a paperless contract or making legal statements without paper, sometimes even without the physical presence of the customer. Another frequent digitisation goal of financial institutions is to implement remote client identification, in accordance with anti-money laundering regulations, necessary for remote account opening or borrowing. These solutions require application of available state-of-the-art technology, while the current underlying IT systems have often operated unchanged for many years, following a system logic that is several decades old. This duality poses a daily challenge, not only for financial institutions, but also for IT supervision, as it has to examine objectively, with a focus on risks, systems that are very divergent, representing very different worlds in terms of approach and technology, even within a single company. In practice, this means continually reconsidering the system of requirements and testing methodology: each new technology raises the question of whether the previously expected control measures are relevant, or whether there is already some kind of better and more up-to-date risk mitigation measure that the Supervisory Authority can expect or recommend. Can the same set of expectations apply to agile software development, as it does to applications made in the traditional cascade model? The answer depends on many other factors as well (such as the size of the development team, the purpose of the software, etc.), so supervision requires a flexible methodological approach that experts can apply in possession of accurate knowledge of the specific situation and circumstances.
In addition to the technical solutions and the methodologies of development and operation, the system of expectations of IT control itself is also changing. For example, a password policy that any auditor would have regarded as appropriate ten years ago may no longer be considered secure. Today, entry by password is no longer considered as strong authentication in itself, no matter what password complexity requirements the administrator has set. The expected control measures in other areas of information technology are changing in the same way, although the control objectives to be accomplished (such as proper identification of the user) remain the same. For this reason, supervision methodologies are also constantly evolving, extending across the entire framework of investigations and requiring that the guidelines used in technological audits be constantly updated.
In addition to the continuous improvement of its own IT supervisory methodology, the awareness and tracking of international regulatory trends and directions, or even proactive participation in their development, has been an increasingly prominent task. Financial services provided over the Internet are often available across national borders, so it is important for domestic financial institutions and fintech firms to avoid a competitive disadvantage because of a possibly more stringent regulatory background. At the same time, the Supervisory Authority must also take care not to make the mistake of introducing too relaxed regulations, and thus exposing customers to excessive risk or opening up money laundering opportunities. This is particularly true in the field of IT supervision, as financial technology innovation is emerging primarily in this area, and such innovations are being explored by the Authority during licensing procedures and in the investigation of the supervised institutions. Another important driver of participation in international regulatory work is the pursuit of a unified approach and set of rules. All over the world, more and more attention is being paid to cyber security breaches, and many international organisations feel the need to develop regulations, in order to raise the overall cyber security level of maturity. However, this regulatory tendency carries the danger that contradictory, practically unworkable regulations are created that, all in all, do not improve, but rather erode, the cyber security resilience of the financial system. That is why it is important that integrated supervisory authorities with an overview of several sectors, such as the MNB, are more involved in international regulatory and methodological work, share their experience and seek synergies between existing and emerging regulatory frameworks.
New tools in IT supervision
Traditionally, IT supervisors visit the supervised institutions during on-site inspections, especially during IT sub-audits of comprehensive investigations, or during themed and targeted audits. In addition, institutions may receive IT-related expert opinions during licensing procedures and requests for official position, which are prepared with the involvement of the IT supervisory function, but in these cases usually there is no direct connection between the institutions’ IT managers, experts and the IT supervisors. Over the past two years, the MNB has sought to establish a more direct connection with the institutions supervised by it. On a number of occasions, the experts of the IT supervisory function provided consultations on the inspection reports prepared by the Supervisory Authority, as well as on planned major developments, system replacements and data centre relocations. With regard to priority IT projects, the MNB considers it a good practice for institutions to report regularly on the progress of the project in the context of ongoing monitoring. During such personal consultations, the HFSA staff responds to any questions that may arise, in order to help institutions comply with the regulatory and supervisory requirements. As part of more interactive supervisory relationships, the MNB also seeks to assist and monitor major system replacements, data centre relocations, outsourced IT operations, and system and data migration associated with mergers and acquisitions of institutions. At the same time, the Supervisory Authority also strives to ensure that the monitoring of projects that require such a high level of attention and resources should cause no unnecessary drain on the resources devoted to actual objectives, possibly by imposing additional obligations (data requests, reports, on-site interviews) on the institutions. Therefore, supervisory authorities strive to become familiar with the ongoing project, so that they can process information and decision preparation materials designed for the institution’s own decision-makers.
When inspecting data migrations, in addition to enhancing traditional sampling control testing IT monitoring also applies procedures based on full data population testing, with the support of appropriate audit/data analysing software. In this way, supervisory controls can gain very high assurance that data migration has taken place properly, without data loss or inappropriate modification. The correctness of the data is also important, in order to ensure that the relevant rights of the data subject in the processing of personal data are not violated.
Supervision of clouds
In IT, the “cloud” is a solution that enables on-demand access to shared, configurable computing resources that can be quickly allocated and their use can be stopped, with minimum management expenditures or service provider’s involvement. In this way, using the cloud can deliver new business or IT services relatively quickly, even without in-house IT development capacity. Due to its flexibility, more and more financial institutions are opting for cloud solutions, either inside the company or company group (private or community cloud), or outside (public cloud). However, use of the cloud always entails some loss of control over the IT environment, and if the entire in-house IT assets remain outside of the cloud (since that is also an option), then even the available or easy-to-implement control measures might not be implemented. Depending on the chosen cloud service model, the entire infrastructure (Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or only the software (SaaS) is used by the cloud provider’s client, the supervised institution. The model determines the level at which the supervised institution itself controls the data, accesses and services, and the degree to which it relies on the cloud provider’s own services. When supervised institutions start developing a new solution based on a cloud-based service model, they face technical and compliance issues that do not arise during the deployment and operation of traditional IT solutions installed physically on one server. For example, in a virtualised world of clouds, even the continent where the data are stored physically cannot be located by the owner of the data. In order to avoid such situations, the MNB resorted to the regulatory tool presented earlier, and issue a recommendation 4 to financial organisations, with the aim of providing practical assistance in managing the risks arising from the use of community and public cloud services, and to ensure the uniform interpretation of the application of the relevant legal provisions. The Recommendation provides guidance on compliance with legal requirements, sets out the minimal contractual requirements, describes the risks to be managed, the control measures required and the main aspects of the supervisory authority’s audits, and is consistent with other European regulations. The MNB issued the most recent, revised version of the Cloud Recommendation5 in March 2019.
Regulatory and fintech innovations
It is often said that development is unstoppable. This is especially true for the beginning of the 21st century. Technological progress has reached an unprecedented speed. Almost every novelty becomes relatively easily available for the average person as well. Information channels – the Internet, Facebook, Twitter, Tumblr and many others – keep releasing news of the world.
In many cases it is not easy get oriented in this flood of information, and to obtain the relevant and useful information that we are interested in, however, this much-resented flood of information also has some beneficial impacts: The innovations that mean faster, more comfortable services and solutions containing added value and importantly, carry a lower price tag, become available for the consumers – or customers, through the lens of the service provider – almost immediately. Additionally, considering the customer side, the requirements communicated from the side of the consumers may also appear for the other side almost immediately. In the virtual space, the demand and supply side can thus respond almost immediately to consumer demands on the one hand, and to new opportunities, on the other hand. Of course, in order for an idea/need to become a “product”, sharing information is not enough, on both sides listening ears, the intention of implementation and such a regulatory environment, mindset and a system of tools are required that support the implementation of the novelties in the market environment on the one hand, on the other hand, guarantees for the market players that they can operate safely, given the risks that emerge with the new products, services. According to our current knowledge, the two most state-of-the-art tools operated by regulatory, supervisory authorities are the “Innovation Hub” and the “Regulatory Sandbox”.
Financial regulators in many countries around the world have recognised that, similarly to other industries, without supporting and regulating the market entry of innovations, they will lag behind in the competition in the field of services, and the accomplishment of country-specific economic aims may also be jeopardised. One element of the regulatory tools supporting innovation is the so-called Innovation Hub. In most cases, the Innovation Hub is an electronic interface that enables direct information exchange between regulators and market players, as well as between market players. There is no generally accepted scheme for the operation of Innovation Hubs, the operating mechanism may vary from country to country, but we can find the identical elements. The Innovation HUB operated by the MNB summarises international best practices, via a web site with an easy-to-use user interface that includes the following features:
- It acts as a repository of information, i.e. it shows the exact legal environment for each development, indicating the relevant MNB expectations. It contains information on how to obtain the various licenses.
- This is the area where the regulatory authority may be asked questions on matters that are not or are not fully regulated in the legislation belonging to the innovation solution.
- It is a Communication Hub, as well as an international collaboration platform where information can be shared between market participants.
In addition to facilitating information flow between actors, the main function of the interface is to request regulatory support to ensure compliance with the legislation. Obviously, the platform can only be operated efficiently under predetermined conditions. The applicant can submit the question using an electronic form that is easy to understand and fill out.
Regulatory Sandbox (Innovation Financial Testing Environment, IPT)
Another element of the modern regulatory toolbox is the provision of the Regulatory Sandbox, which is not a unique tool operated exclusively in Hungary, as this solution is already available in many countries. At the same time, Hungary was the second country in Europe after the United Kingdom to introduce a Regulatory Sandbox operating within a regulated framework in December 2018, and the first in the CEE region.
By Sandbox, we mean a regulated market test environment for financial products and services that enables the provider of the service/product to test innova-tions within a limited time frame, on a specific customer base, in such a manner that during the test period it is exempted from compliance with the predefined legislative requirements. The purpose of the Innovative Financial Testing Environment is to prevent excessive risk-taking by market players and, if necessary, to adapt the relevant regulatory environment in the light of experience gained during the test period. It was also mentioned in the case of the Innovation Hub that, in order to facilitate efficient operation, the regulatory side defines the admission criteria, whereas the admission criteria for new products/services have also been defined for the IPT:
Source: MNB, EBA6
- The product/service must be innovative,
- The product/service needs to be introduced to the Hungarian market after a successful test period,
- The product/service to be tested in the IPT must be ready for testing.
The regulatory authority consults with the service provider prior to the test period, and will continue to monitor constantly the test results until the end of the test period, following the IPT entry statement.
Testing may have three different outcomes:
- The product/service complies with the current regulatory environment and is therefore fully marketable.
- In relation to the product/service, the relevant MNB decree or decrees are amended and subsequently become available without restriction. Also,
- The service does not comply with the legal environment and the regulations cannot be amended, so the service/product is not allowed to be provided.
The Innovation Hub and Regulatory Sandbox tools allow regulatory authorities in our fast-changing world to shorten the time it takes to bring financial developments to the market, maintaining the security that is essential for the market players – and is of outstanding significance – and to facilitate future supervisory activities, by enabling the competent authorities to know, learn about and understand the nature of innovations in a timely manner, to support their operation by new supervisory methods, and that way all users can use the various financial innovations in a secure context.
- 1. Recommendation no. 12/2018. (II.27.) of the Magyar Nemzeti Bank on the evaluation of real property financing project loans and certain matters of their management.
- 2. ILAAP – internal liquidity adequacy assessment process.
- 3. ICAAP – internal capital adequacy assessment process.
- 4. Recommendation No. 2/2017 of the Magyar Nemzeti Bank (I.12.) On the use of community and public cloud services - repealed with effect from 1 May 2019, see recommendation 4/2019.
- 5. Recommendation no. 4/2019. (IV.1.) of the MNB on the use of community and public cloud services.
- 6. https://eba.europa.eu/-/esas-publish-joint-report-on-regulatory-sandboxes-and-innovation-hubs