Regulatory updates in the banking space

Changes to the internal governance guidelines for banks
  • Publication
  • 8 minute read
  • November 25, 2025

During the second half of 2025, the European Banking Authority (EBA) published two consultation papers and a finalised set of guidelines, all of which address key risk management areas for banks. While each focuses on a separate theme, all are aimed at aligning supervisory practices with changing operational and environmental challenges. The following gives a high-level overview of all three.

Consultation paper on third-party risk management guidelines (EBA/CP/2025/12)

In July, the European Banking Authority (EBA) issued a new consultation paper on draft guidelines on the sound management of third-party risk, which focuses on third-party arrangements for non-ICT services provided by third-party service providers and their subcontractors. These draft guidelines revise and update the previous guidelines on outsourcing published in 2019. The consultation runs until 8 October 2025. Given the importance of these changes, we set out below the key proposed changes introduced by this consultation paper.

A central theme of the paper is the broadening of scope, with the guidelines now extending beyond traditional outsourcing to encompass all third-party arrangements. Outsourcing is defined as any ongoing provision of a function that would otherwise be performed internally. Notably, ICT services are now excluded from these guidelines and fall under the remit of the Digital Operational Resilience Act (DORA). Additionally, market information services provided by entities like Bloomberg, Moody’s, S&P, and Fitch are now considered within scope.

The EBA is also encouraging register harmonisation, recommending that financial entities align their third-party register with the DORA ICT register. Institutions are advised to maintain a single harmonised register or ensure consistency between the two, with the aim of eliminating discrepancies. The EBA notes: “The register shall be consistent to the extent possible, when not merged, with the register of information under Article 28(3) DORA.” 

Importantly, the guidelines introduce a two-year transitional period, during which financial entities are expected to review and update all existing third-party arrangements and contracts to ensure full compliance. The scale of this exercise should not be underestimated, as supervisors will expect clear documentation, consistency, and evidence of ongoing maintenance. 

Consultation paper amending SREP guidelines (EBA/CP/2025/21)

In October, the European Banking Authority (EBA) issued a new consultation paper on revised guidelines on SREP and supervisory stress testing. The consultation paper leaves the general SREP framework mostly unchanged but introduces a series of proposed revisions aimed at enhancing the principle of proportionality and strengthening governance frameworks. These changes will affect the main areas that the MFSA will focus on in future SREP reviews, as well as the level of communication the bank can expect to receive from the regulator.

The following section covers the most pertinent updates to the guidelines:


Proportionality

A notable development is the extension of the interval within which all SREP elements must be reviewed for select small and non-complex institutions. Specifically:

  • The minimum period between full assessments of all SREP elements can be extended from the current 3 years to 5 years.
  • This extension applies only to institutions that demonstrate a stable low-risk profile, maintain stable financial metrics with healthy margins, and have no concerning signals in their quarterly key risk indicators (KRIs).
  • Despite the extended review cycle, regulators will sustain a risk-based supervisory dialogue with the institution’s management at least every 3 years, ensuring ongoing engagement and vigilance.

This approach supports a risk-focused supervisory method and efficient allocation of supervisory resources, especially for institutions with sound and stable risk profiles.


Changes to risk areas 

The assessment and scoring of liquidity and funding risks have been merged into a combined assessment, yielding a single adequacy score. This amendment reflects the intrinsic interrelationship between these risks and streamlines the supervisory process. By consolidating these factors, the resulting score should reflect a more holistic evaluation of an institution’s capacity to mitigate the risks to liquidity and funding.

A separate addition to the liquidity and funding risk assessment is the consideration of the impact of digitalisation and the potential for social media to amplify deposit withdrawals under stressed scenarios. This aligns with the regulator’s increasing focus on ensuring that a bank’s digital risk management effectively manages risks stemming from new technologies, a focus that the ECB has also identified as a medium-to-long-term priority for the period 2026-2028.

For the first time, consideration of credit spread risk arising from non-trading book activities (CSRBB) is incorporated alongside the existing assessment of interest rate risk in the banking book (IRRBB). Given the growing importance of CSRBB as a risk category, particularly amid evolving market conditions, supervisors will now include CSRBB explicitly in their capital risk evaluations. A combined IRRBB/CSRBB score is to be assigned to institutions based on this joint assessment.


Transparency

Minimum list of supervisory measures per regulatory area

The guidelines introduce a non-exhaustive catalogue of supervisory measures linked explicitly to deficiencies identified under each major regulatory assessment area. This helps clarify the escalation process from supervisory dialogue to binding corrective actions and, where necessary, enforcement measures. The listing supports consistent supervisory reactions and enhances predictability for institutions under review.


Enhanced SREP communication 

A new consolidated section on SREP communication compiles all requirements regarding the transparency of supervisory findings and decisions. Competent authorities are encouraged to:

  • Clearly communicate overall SREP assessments and scores, including those for individual elements or sub-elements where relevant.
  • Provide detailed justification for institution-specific capital requirements (Pillar 2 requirements and guidance), explicitly identifying material risk drivers.
  • Explain supervisory expectations concerning liquidity requirements and other targeted supervisory measures.
  • Disclose the potential supervisory reactions should institutions fail to meet their capital and liquidity requirements, including stress test guidance levels.

This enhanced transparency aims to foster more effective supervisory dialogue and improve institutions’ understanding of supervisory priorities.


Incorporation of other guidance

The updated guidelines also integrate references to other new and recently updated guidelines and requirements spanning additional topics such as internal governance, DORA, ESG, and third-country branches. A short summary of the key points to be considered for each topic is provided below: 

The revision extensively updates the internal governance assessment by integrating recent regulatory standards and best practices. Areas such as risk culture, management body composition, and internal control functions have been strengthened with clearer supervisory expectations, including documenting responsibility mappings and ensuring effective remediation capabilities.

Reflecting the evolving cyber and operational risk landscape, the guidelines now fully integrate DORA’s requirements on ICT risk management within the general SREP framework. This integration eliminates the previous stand-alone ICT SREP guidelines, folding ICT risk assessments into operational risk and internal governance reviews. Supervisors will evaluate ICT systems, third-party dependencies, incident management, and operational resilience in a harmonised manner aligned with the EU’s digital resilience standards.

ESG risk considerations have been embedded across all relevant SREP elements rather than treated as a new siloed risk category. Supervisors will assess the impact of environmental transition and physical risks on business model viability, risk management robustness, capital adequacy, and liquidity. The approach recognises the forward-looking nature of ESG risks, urging institutions and supervisors to consider medium- to long-term resilience in strategic planning (including transition planning), and risk governance.

The updated guidelines clarify that the scope of application of the SREP procedures and methodologies for third-country branches (TCBs) should include an assessment of the business model, internal governance arrangements and controls, capital endowment, liquidity resources and booking arrangements, with guidance provided to competent authorities on each area of focus. The minimum period between full assessments of all SREP elements has been set at 3 years, with the option to extend to 5 years for certain Class 2 institutions.

Finalised guidelines on environmental scenario analysis (EBA/GL/2025/04)

The guidelines on ESG scenario analysis were issued by the European Banking Authority (EBA) in November under the mandate of Article 87a(5) of CRD VI. These guidelines complement the broader ESG risk management guidelines published on 9 January 2025, which were also mandated under the same article.

The ESG scenario analysis guidelines focus specifically on the use of scenario analysis to assess institutions’ resilience to ESG risks, particularly climate-related risks. They aim to support institutions in developing their internal capabilities and skills necessary for setting and using scenarios, primarily to test the shock-absorbing capacity of their capital and liquidity reserves, as well as the resilience of their business model, including in the long-term. 

These guidelines apply from 1 January 2027 for all institutions. Postponing the application date would “allow institutions to adequately prepare and align internal methodologies, data, and governance processes with the new requirements”.


What is scenario analysis? 

Scenario analysis is a forward-looking tool used to assess the implications of plausible future states of the world on an institution’s strategy and risk profile. It includes:

  1. Climate Stress Testing (CST), a short-term quantitative assessment used to measure the financial impact of adverse climate scenarios on capital adequacy and liquidity (ICAAP and ILAAP).

  2. Climate Resilience Analysis (CRA), a strategic assessment of business model resilience to long-term climate risks. The results of the resilience analysis should be taken into account in the long-term strategy, business model and prudential transition plans of an institution.

When defining the baseline scenario, for both CST and CRA, institutions should assume a continuation of current conditions and trends, which reflects the most likely environmental path that future developments could take.


Proportionality

In their scenario calibration:

  • SNCIs may rely on a predominantly qualitative approach for both short and longer-term scenario analysis.

  • Other institutions may use sensitivity analysis to test their short-term financial resilience to adverse environmental factors. For the long-term resilience analysis, other institutions may rely on a predominantly qualitative approach.

  • Large institutions are expected to progressively integrate more sophisticated quantitative approaches.


How scenarios should be calibrated


Institutions must begin with a materiality assessment to identify the most relevant ESG risks. This means that institutions should select the specific aspects of transition risk and physical risk hazards to be covered by the scenario based on their assessment. 

In their identification of transmission channels, banks will consider both microeconomic (e.g. impacts on counterparties, operations and funding) and macroeconomic (e.g. impacts on GDP, inflation and market conditions) channels. Furthermore, institutions are encouraged to use available data from credible scenario providers such as the NGFS, IPCC and IEA.


What does this mean for you? 

In summary, these updates signal a shift towards more tailored, risk-based supervision for banking clients, introducing extended review cycles for stable institutions, a more integrated view of liquidity and funding risks, new consideration of credit spread risk in the banking book, and greater transparency and clarity in supervisory communication. Additionally, banks should prepare for enhanced expectations around internal governance, digital operational resilience under DORA, ESG risk integration, and specific guidance related to third-country branches. Collectively, these changes will require institutions to strengthen documentation, align risk management practices, and engage more proactively in supervisory dialogues. Our banking advisory team at PwC Malta is here to help you navigate through this dynamic regulatory landscape and enhance your risk management practices. 

Contact us

Norbert Paul Vella

Assurance Partner, PwC Malta

Tel: +356 9945 3843

Braden Sammut

Senior Manager, Assurance, PwC Malta

Tel: +356 2564 2658

Gaetano Gesualdi

Manager, Assurance, PwC Malta

Tel: +356 7973 9071
