1. The importance of proper management of large exposures
1.1. Definition of a major risk
A bank’s exposure to a single client or group of connected clients is considered a large exposure if it represents more than 10% of Tier 1 capital.
In general, the large exposure monitoring framework acts as a safety net, protecting a bank from significant losses caused by the sudden failure of a client or group of connected clients due to the occurrence of an unexpected event that could jeopardize the bank’s solvency.
1.2. The large exposure limit modified by CRR2
CRR2 defined the large exposure limit as the bank’s exposure to a single client or group of connected clients, after taking into account eligible risk mitigation techniques, remaining below 25% of Tier 1 capital. A stricter limit of 15% of Tier 1 capital is introduced on exposures between large institutions (G-SII).
If the client is a bank or if the group of connected clients includes one or more banks, the limit is either 25% of the bank’s Tier 1 capital or EUR 150 million, whichever is higher. Banks must comply with these limits at all times.
1.3. General framework for monitoring large exposures
Banks must have adequate internal control procedures and mechanisms to identify, manage, monitor, report and record all large exposures and any subsequent changes to them.
If, in an exceptional case, a bank fails to comply with the limits, CRR2 requires that the value of the large exposure concerned be reported without delay to the competent authority, which may (where the circumstances warrant) grant the bank a limited period of time to restore compliance with the limit.
Where, in exceptional cases, a competent authority authorizes a bank to exceed the limit, for a period of more than 3 months, the bank must submit a plan for a rapid return to compliance with the limit and must implement that plan within the timeframe agreed with the competent authority. The competent authority monitors the implementation of the plan and requires a return to compliance as soon as possible.
1.4. The EBA’s mandate
The CRR2 instructs the EBA to draw up guidelines specifying the criteria according to which the competent authorities may determine:
- Exceptional cases that may justify breaching the large exposure limit.
- The time considered appropriate to return to compliance with the limit.
- The steps to be taken to ensure timely return to compliance with the bank’s limit.
Breaches of compliance with the limit on large exposures resulting exclusively from exposures on the bank’s trading book do not fall within the scope of the guideline.
2. The objectives of the guideline
The guideline was developed with the following objectives:
- Provide guidance to the competent authorities in their assessment of breaches of limits for large exposures.
- Ensure prudent and harmonized application of large exposure requirements while keeping the approach simple.
- Ensure a level playing field between the Union’s institutions.
This guideline provides guidance from a business continuity perspective. Situations where a bank is restructuring or undergoing a similar crisis-induced scenario are therefore outside the scope of this guideline. In such situations, measures are required that go well beyond compliance with the CRR2 large exposures framework.
Published on 15 September 2021, the guideline will come into force on 1 January 2022.
3. A guideline structured in four main areas
3.1. Criteria for determining exceptional cases justifying exceeding large exposure limits
Where a bank exceeds the large exposure limits, the competent authority should investigate the particular circumstances that led to the breach. Such an assessment should always be on a case-by-case basis using a holistic approach.
In order to assess a breach of the large exposure limits, at least the following aspects should be considered:
- The violation must be a rare event:
- The guideline includes non-binding quantitative elements that competent authorities could take into account when assessing this aspect.
- Any breach of a large exposure limit that management could have foreseen and therefore prevented should not be considered an exceptional case.
- The bank was not in a position to prevent the breach of the large exposure limit because the reason for the breach was beyond the bank’s control.
There may be cases which may appear to be exceptional but which ultimately need to be treated differently in the light of all the information available to the competent authorities. For example, there may be a recurring breach that requires further monitoring.
3.2. Information to be provided to the competent authority in the event of a breach of large exposure limits
The guideline introduces a minimum set of information that the offending bank must provide, namely:
- The name of the client concerned and, if applicable, the name of the group of related clients concerned.
- The date of the occurrence of the violation.
- Its size relative to Tier 1 capital.
- A description of available collateral, both CRR2 eligible and non-eligible, if any.
- The reasons for the violation.
- Corrective actions (planned or already taken).
- The expected time required to return to compliance with the large exposure limit.
This information to be included in the breach report is without prejudice to the right of the competent authorities to request additional information and explanations where the information provided by the bank lacks clarity or sufficient detail, or where additional information is needed to ensure a more rapid return to compliance.
The creditworthiness of a counterparty is a variable that competent authorities need to consider when assessing the precise timing of allowing a bank to return to compliance once a breach of large exposure limits has occurred.
3.3. Criteria for determining the appropriate time to return to compliance with the limit
On the basis of the assessment made, the competent authority should be able to determine the appropriate time for the return to compliance. In particular, the competent authority should decide whether the violation should be resolved within 3 months, or whether it should allow the bank more than 3 months to return to compliance. In the latter case, competent authorities should not allow more than one year to return to compliance. However, extraordinary cases may justify granting a longer period. These exceptional cases should not be the norm and should be well justified.
3.4. Measures to be taken to ensure timely return to compliance with the large risk limit
Where a competent authority concludes that the institution must remedy the non-compliance within 3 months and has informed the institution of this, the institution is not required to submit a formal plan for a rapid return to compliance (compliance plan). However, the institution must still discuss and agree with the competent authority on a set of measures to restore compliance within less than 3 months.
The onus is on the institution to present a set of measures to ensure timely return to compliance. The competent authority should consider whether the bank will be able to ensure that the specific exposure in question would not breach the limit again in the near future.
Where the bank is given more than 3 months to return to compliance, it must provide the competent authority with a plan for returning to compliance.
As a general rule, the package of measures (the compliance plan) should include the following elements:
- Provisions to reduce exposure.
- Measures to increase the bank’s own funds.
- Provisions to strengthen internal risk management and control processes.
- Procedures to ensure timely implementation of measures.
- A detailed timetable for the implementation of the measures envisaged.
In all cases, the institution must always strive to identify and address any foreseeable risks or obstacles in an effective and timely manner.
Competent authorities should consider whether the bank should employ alternative strategies, such as:
- Request a guarantee from the counterparty or any other client belonging to the same group of connected clients.
- Acquire eligible credit risk mitigation instruments.
- Sell all or part of the exposure to another institution.
- Syndicate parts of the loan.
- Negotiate with the borrower.
- Request an early refund.
- Terminate the entire transaction.
As regards the modalities for increasing the bank’s own funds, it should be analysed whether this could be achieved by issuing new own funds instruments or by not distributing dividends and bonuses.
To ensure an effective and timely return to compliance with the large exposures limit, the competent authority should closely monitor the implementation of the compliance plan or, in cases of less than three months, the measures put in place by the bank with a frequency appropriate to the cause and magnitude of the breach, its potential impact on the institution, and its specificities.
Whenever necessary, the competent authority should be able to request additional information. If the measures are not progressing as initially planned, an alternative strategy should be followed.
Where the breach is part of a lack of an internal control framework and/or inadequate risk management processes (e.g., incorrect grouping of related clients), the competent authority should assess these processes and require specific measures to improve them, as well as encourage the bank to carry out an internal or external audit of its internal control and risk management process.
In addition, the competent authorities could carry out targeted on-site audits.
4. Governance around large exposure limit violations
In defining and implementing measures to restore compliance with the large exposure limit, an institution’s management body should have ultimate and overall responsibility for the process. It should define, oversee and be responsible for the implementation of governance arrangements within the institution to ensure its effective and prudent management.
In addition, the bank’s audit committee must monitor the effectiveness of the bank’s internal control, risk management systems and its internal audit function.
A bank’s management body, in its oversight function, should monitor the implementation of a well-documented compliance policy, which should be communicated to all staff. Banks should have a process in place to regularly assess changes in the laws and regulations applicable to their business.
The compliance function must advise senior management on the measures to be taken to ensure compliance with laws, rules, regulations and standards and must assess the potential impact of any changes in legislation or regulation on the bank’s operations and compliance framework.
Abbreviations and glossary
EBA: European Banking Authority