Supervisory OSIs enable a thorough assessment of the bank


Supervisory OSIs enable a thorough assessment of the bank

How to use on-site inspection experience to enhance processes and business

Both ECB and DNB perform on-site inspection (OSI) as part of their supervision on the banking sector. The combination of both off- and on-site supervision allows the supervisor to perform a thorough assessment of the bank and draft a detailed report. An OSI can be a challenging period, which starts right after the notification and request for information. How can OSI experiences help a bank to enhance the OSI process? How can an OSI be used to improve the bank’s business model?

OSI: the investigation tool used by competent authorities

Competent authorities (both national and European) have long adopted a policy of on-site inspections (OSIs) to investigate topics within the domains of finance, credit risk, compliance and even cyber. An investigation team will be on-premise at the bank to use investigation techniques and pose challenges to get a clear view on how the organisation handles a certain request.

How OSIs are executed as a way of supervision

In its September 2018 ‘Guide to on-site inspections and internal model investigations’, the European Central Bank (ECB) describes in detail the different phases that are executed as part of an OSI.

  • The preparatory phase includes both a notification and a first information request. This allows the bank to start the organisation of all the required logistics and collect the information requested before the communicated kick-off date. Depending on the scope of the OSI, it is likely that significant effort needs to be put into the information request.
  • The actual OSI is performed during the investigation phase. This starts with a kick-off meeting where the bank shows up with senior representation. It is appreciated by the head of mission of the supervisory OSI-team if the bank prepares a comprehensive presentation as an introduction to the institution in general and to the OSI scope in particular. Shortly after the kick-off meeting, the actual inspection starts. The supervisory OSI-team can use a range of techniques, such as interviews, walk-throughs, file sampling and detailed questions (all with a limited time window for response by the institution). 
  • The reporting phase allows the supervisory OSI-team to draft their observations, including an actual or potential impact from low to very high. The draft report is shared with the bank, followed by an exit meeting. Based on the bank’s feedback the report is finalised, including a draft follow-up letter and (potentially) a closing meeting. 
  • In the exit phase, the OSI-team will hand over their report to the joint supervisory team (JST). The inspection outcomes allow the supervisor to present recommendations of measurements with one of the two instruments:
        o A letter expressing supervisory expectations shared by the JST. These expectations are not legally binding but they do include recommended follow-up after the OSI.
        o An ECB supervisory decision, agreed by the ECB’s Supervisory Board and the JST, which contains legally binding supervisory measures including a formal “right to be heard” process. This means that, whatever the outcome, the bank has the right to react upon the drafted supervisory decision and that reaction has to be taken into account by the JST when the final decision is being written.

How OSIs are handled from an organisational perspective

The phases described above are mirrored from a bank’s perspective. From the moment the OSI starts, the bank will experience pressure to deal with the process and meet deadlines while delivering high quality.

Preparatory phase:
The supervisory OSI-team will pose a formal request for information (RFI), which usually contains two elements:

  1. Documentation regarding the scope of the investigation.
    The wealth of information that a bank is requested to collect usually comes from different departments and multiple sources at the bank. Thus, this process has to start early and has to be streamlined and organised centrally. The bank should also take time to review and finish the formal documentation.
  2. The loan tape with data elements and definitions chosen by the OSI-team.The creation of the loan tape in itself often proves to be challenging. The supervisory OSI-team will ask for ECB data definitions sourced from the bank’s systems, which have to comply with regulatory and data quality standards. Accurate testing and continuous sourcing of the loan tape during the OSI time period can therefore be expected. It is likely that multiple submissions of the loan tape are required with a growing set of data attributes.

Investigation phase:
During the investigation phase, the supervisory OSI-team will be on-premise to conduct interviews and ask follow-up questions based on the RFI. These follow-up questions can relate to observations on specific loan tape data, credit file classifications, processes within specific portfolios in relation to regulatory requirements, and potential inconsistencies.

This phase is often the most demanding for the organisation since a significant number of both high-level and extremely detailed questions are usually asked simultaneously. This can also come across as intrusive - and it is designed to. The supervisory OSI-team desires a clear, non-ambiguous view on the organisation, and assumes all banks should be ready to quickly provide such a view. To test the readiness of the organisation, the questions asked are expected to be answered within a short time frame of two or three working days during the question and answer (Q&A) process. Collecting information from different people and departments, formulating the answer and performing a quality and consistency review requires a prepared organisation, even before the first question.

During the process, it is pivotal to constantly be aware what information has been shared by whom and what answers have been given in the interviews. Hence, a central project management organisation (PMO) is a must. A well-structured PMO allows for I) consistent and central communication between the supervisory OSI-team and the bank; II) documentation and archiving of information already shared; III) having a central point of view on the deadlines for Q&As; and IV) preparing for potential supervisory observations by pro-actively sharing additional information during workshops or walk-throughs.

Again, the need for streamlining this process and creating a clear view of where the bank stands and the inconsistencies the supervisory OSI-team has uncovered is key. This PMO should therefore be set up before the preparatory phase, allowing proper execution during the investigation phase.

Reporting phase and exit phase:
After the final Q&A and last workshops, usually a final meeting with a delegation of the supervisory OSI-team and a stakeholder from the board of the bank takes place, to discuss the draft OSI results. Subsequently, the reporting phase starts. It is vital to recall that the supervisory OSI-team is the research team and that their conclusions will be shared with the JST, who will draft the recommendations.

Some lessons learned during our OSI involvement
Deloitte has supported multiple banks during the challenging times of an OSI and we have drafted some key lessons learned based on that experience:

  • Start your preparations at the first possible moment, for example by setting up the PMO and identifying a single point of contact per department. 
  • Explain the expected process to all departments involved by (brief) training and information packs.
  • Prepare, validate and reconcile the loan tape and do not wait until the formal request with the data attributes and (historical) reporting dates comes in, as you will most likely be too late if you do so.
  • Use a central system for communication and information storage, including a strong PMO role.
  • All information shared with the supervisory OSI-team will be used, bank’s representatives for the interviews should be prepared to not share informal or draft documents and to keep the tone of the interviews formal and factual.
  • Keep in mind that the supervisory OSI-team members have a background in banking legislation. Within its Center of Excellence for Regulatory Reporting, Deloitte constantly keeps up the manners of interpretation of this legislation.

Use OSI observations to enhance the bank’s business model

The inspection outcome, as the result of the OSI, will be shared with the bank a while after the OSI itself. Usually, observations mentioned as recommendation or measure are slightly broader than the OSI scope that was initially communicated, although they are always related.

Receiving an overview with a number of inspection outcomes might seem unpleasant, but can actually be quite positive - the outcomes can be used to enhance the bank’s business model. The inspection of the OSI is objective, whereas objective analyses are quite rare. As a consequence, at least a couple of the observations will highlight weaker banking processes or incompliances with regulations and guidelines and cause an opportunity to reinforce the bank.

In order to help banks with processing the inspection outcomes, we suggest adherence to the following principles:

  • Assess the inspection outcome openly, while being aware that the supervisory OSI-team has less of a background within the bank, but a more objective view. The added value of resolving such a recommendation should be carefully assessed.
  • Recommendations could be used to reprioritise the project agenda for the coming period.
  • Recommendations that are addressed by the bank should be provided with a proper implementation plan including timelines ready to share with JST upon request. 
  • Recommendations that the bank is not planning to address should be sufficiently explained with solid arguments, since the inspection outcome is well-reasoned and most likely properly substantiated. It is advised to remain flexible and to potentially reconsider the arguments of not addressing the specific recommendations.

Questions? Get in touch with us today!

The Center of Excellence for Regulatory Reporting (CoE) is a virtual team centralising Deloitte’s Regulatory Reporting knowledge and helping clients to do responsible business by helping them with their regulatory reporting. In order to effectively support our banking clients in this complex regulatory environment, the CoE is founded to (i) stay on top of new developments in the field of regulatory reporting to support timely and appropriate data-driven-reporting solutions at financial institutions, (ii) support financial institutions by leveraging expert view of our international network on ad hoc queries regarding their regulatory reporting data and processes; and (iii) have teaming of professionals to combine expert knowledge in the field of regulatory reporting with strong data and implementation skills to ensure fit-for-purpose teams.

For more information, please contact us via

Did you find this useful?