On-site inspections

The ongoing monitoring of institutions also includes conducting on-site inspections. These give the Bundesbank deeper insights into institutions’ risk structures and the procedures they use to control risk. The Bundesbank’s supervisors investigate whether the internal risk measurement methods which institutions use to calculate their capital requirements can be approved. Inspections of significant institutions are notable instances where supervisors drawn from various national authorities and the ECB come together to form JSTs and examine institutions in Germany and further afield.

On-site inspections of less significant institutions are mandated by BaFin in accordance with Section 44(1) of the German Banking Act (Kreditwesengesetz). On-site inspections of significant institutions are mandated by the ECB.

The instructions to conduct inspections are given ad hoc or according to a fixed schedule drawn up using risk-based considerations. The content and scope of inspections is broad for significant and less significant institutions alike. Typical types of on-site inspection and areas of emphasis can be delineated as follows:

Inspections of internal models used to calculate capital requirements (also called Pillar 1 inspections)

Pillar 1 inspections relate to credit risk and market risk, for which institutions can calculate their minimum capital requirements using internal models, provided these have been approved by the competent supervisory authority. Otherwise, capital requirements are determined using standardised approaches defined by regulators. The requirements for internal models are formulated in the CRR, the Solvency Regulation (Solvabilitätsverordnung), Delegated Regulations and EBA Guidelines, and by the ECB in the ECB Guide to Internal Models (EGIM).
Once an institution has applied for supervisory approval to use an internal model, on-site inspections are conducted to ascertain compliance with these requirements, either as initial approval and as follow-up inspections. The latter are mandated in order to assess the appropriateness of material changes to or the extensions of models, or for a supervisory horizontal analysis such as the ECB’s Targeted Review of Internal Models.
Inspections of internal ratings-based (IRB) approaches
Using the IRB approach, each borrower is assigned to a specific rating or credit quality step on the basis of internal credit quality criteria; the applicable risk weight for each risk exposure is then determined from this assignment. The IRB approach ca be applied as the Foundation IRB approach (F-IRB) or as the Advanced IRB approach (A-IRB). Under the Foundation IRB approach, institutions only estimate a borrower’s probability of default (PD), whereas the Advanced IRB approach allows them to estimate the PD, loss given default (LGD) and credit conversion factor (CF or CCF). To estimate these risk parameters, mathematical-statistical methods are generally used. Compliance with the supervisory requirements for IRB approaches (which include quality and length of the data history used, model development and calibration, validation and application testing) is assessed prior to initial authorisation and when material extensions and changes to models are proposed; this occurs during on-site inspections conducted by the Bundesbank’s inspection teams over periods of several weeks.
Inspections of internal models method (IMM) for counterparty credit risk
Counterparty credit risk (CCR) is the risk of the counterparty to a transaction defaulting before final settlement of the bilateral payments associated with the transaction, e.g. in the case of derivatives. Since CCR-relevant transactions have an uncertain exposure amount, their value has to be calculated separately taking into account the underlying instruments, such as shares, interest rates or foreign currencies. The purpose of the IMM is to calculate the expected exposure (exposure amount) taking into account the bilateral payments and hedges as well as fluctuations in the value of the underlying instruments. An IMM inspection assesses that the internal method is consistent with the supervisory requirements and whether it can be used to calculate minimum capital requirements.
Inspections of internal assessment approaches (IAAs) for securitisation positions
The internal assessment approach (IAA) pursuant to Article 265 of the CRR is a risk classification approach for securitisation positions in asset-backed commercial paper programmes that have not been rated by an external credit assessment institution. This risk classification is relevant for determining the supervisory capital requirement. Permission to use the IAA must be sought and obtained from supervisors contingent on prior examination and approval. One thing that sets the IAA apart is that it is an internal approach which nonetheless has to be based on the methods of external credit assessment institutions.
Inspections of market risk models (MRMs)
At present (according to Basel 2.5), banks are allowed, after the approval of market risk models to calculate their capital requirement for market risk using risk models which, compared to the standardised approach, allow in large parts for degrees of methodological freedom, e. g. for the valuation of instruments or risk aggregation. These risk models are aimed at central risk measures such as value-at-risk or stressed value-at-risk. Institutions can apply to use risk models for specific risk categories (e. g. general or specific price risk for interest rate/equities, commodities, FX risk) or types of risk such as default and migration risk or the risk of a credit valuation adjustment for derivatives (CVA risk).
In future (according to Basel 3/FRTB), market risk models will be approved per trading desks, the requirements for the risk models will be specified at various points and an usage for CVA risk is deleted.

Further information

Market risk

Inspections of proper business organisation (also called MaRisk or Pillar 2 inspections)

Pillar 2 inspections distinguish between different areas of emphasis, which can form the subject of an inspection individually or in combination. These inspections assess proper business organisation pursuant to Sections 25a and 25b of the Banking Act in conjunction with the Minimum requirements for risk management (MaRisk) and/or the Supervisory Requirements for IT in Financial Institutions (BAIT). Inspections of significant institutions are also based on SSM supervisory requirements (e.g. EBA Guidelines or the ECB Guide to the internal capital adequacy assessment process (ICAAP)). Typical areas of emphasis are as follows.
Internal capital adequacy (ICAAP)
An inspection of the internal capital adequacy assessment process (ICAAP) assesses whether an institution has appropriate and effective processes in place to calculate and maintain capital adequacy. Alongside the supervisory requirements derived from the MaRisk, the assessment is also based on the prudential paper “Supervisory assessment of bank-internal capital adequacy concepts”.
ICAAP inspections are often combined with a particularly in-depth assessment of specific types of risk, such as counterparty credit risk, market risk, interest rate risk or operational risk. Inspections of liquidity risk are also carried out.
Credit business
Examining lending processes is a common type of on-site inspection at credit institutions. The focus here lies on inspecting an institution’s organisational and operational rules. The requirements set out in BTO 1 of the MaRisk form the basis for such inspections. Those provisions differentiate between various sub-processes, including the granting and further processing of loans, early detection of risks, intensified loan management and processing of problem loans as well as appropriate risk provisioning.
Prudential assessment of adequate risk provisioning (PAAR)
PAAR inspections supplement selected process-oriented inspections of credit business (see Credit business). The inspections focus on assessing the impairment of individual loans. Specifically, this involves assessing and examining the sustainability of borrowers’ debt-servicing capacity as well as a valuation of the credit collateral provided. The outcome of these inspections can be additional loan loss provisioning at the inspected institutions.
Information technology (IT) and cybersecurity
For IT inspections, the scope of the inspections relates to the organisational and technical requirements set out in Sections 25a and 25b of the Banking Act and the further details on these provided in the MaRisk and BAIT circulars or § 26 ZAG and §27 ZAG and their details in the ZAIT circular. These system inspections are designed to assess the adequacy of risk management in light of the specific circumstances of each institution. This provides an overall picture of an institution’s digital risks which, coupled with the process-oriented approach to IT inspections, has proved to be a very effective way of working for the Bundesbank.
Business model analysis and profitability
The business model analysis and inspection of profitability aim to assess the viability (short-term horizon) and sustainability (medium-term horizon) of a business model’s profitability. These inspections take into account both quantitative aspects (e.g. current and planned net income from interest, trading, and fees and commissions) and qualitative aspects (e.g. the process of defining the business strategy and operational business plans derived from it).
Internal governance
Internal governance basically covers all of an institution’s standards and principles for defining its objectives, strategies, risk management procedures, business organisation, areas of responsibility, reporting lines and internal controls. Depending on the inspection mandate, sub-areas of an institution’s internal governance are examined. The subject of such an inspection may be, for example, the risk control function, MaRisk compliance function, internal audit, or ensuring general segregation of duties (e.g. between front office and back office).
Trading business
An inspection of trading business assesses the appropriateness and effectiveness of the institution’s organisational structure for executing and settling trades. Besides requirements for the organisational structure (segregation of trading from the settlement and control functions and the risk control function), these inspections examine the organisational requirements for trading processes in particular (including the recording, confirmation, execution and control of trades).

Inspections under the Investor Compensation Act (Anlegerentschädigungsgesetz)

The objective of inspections under the Investor Compensation Act is to assess the risk of a compensation event for the compensation scheme of investment firms occurring at the inspected institution. The inspections differentiate between institutions that are authorised, and those that are not authorised, to obtain ownership or possession of client money or securities. Investors are granted compensation if a investment firm encounters financial difficulties and is no longer able to meet its liabilities arising from securities transactions.

Inspections of remuneration

An inspection of remuneration assesses whether an institution has an appropriate and transparent remuneration system in place which is oriented to the sustainable development of the institution. The rules on the design of the remuneration system are fleshed out by the Remuneration Regulation for Institutions (Institutsvergütungsverordnung) together with the requirements specific to remuneration in the Banking Act, which also serves as the basis for the inspection activities. Much like Pillar 2 inspections, inspections of remuneration also include an assessment of whether the specific remuneration system is consistent with a proper business organisation pursuant to Section 25a of the Banking Act.

On-site inspections

On-site inspections

Inspections of internal ratings-based (IRB) approaches

Inspections of internal models method (IMM) for counterparty credit risk

Inspections of internal assessment approaches (IAAs) for securitisation positions

Inspections of market risk models (MRMs)

Internal capital adequacy (ICAAP)

Credit business

Prudential assessment of adequate risk provisioning (PAAR)

Information technology (IT) and cybersecurity

Business model analysis and profitability

Internal governance

Trading business