Banks and other financing activity

Supervision

Finanstilsynet's supervision of banks and finance companies is risk-based. Supervisory activities in 2023 were prioritised on the basis of reporting from the institutions, analyses of risks and vulnerabilities and signals received about institutions and markets. Finanstilsynet attaches great importance to ensuring that the institutions are well capitalised and liquid, and that their board of directors and senior executives properly manage and control operations and the risks to which the institutions are exposed.

Inspections are an important means to uncover high risk levels in the institutions and any deficiencies in their management and control and regulatory compliance. In 2023, Finanstilsynet conducted 26 inspections at banks, mortgage companies and finance companies. Topics covered at the inspections included credit risk, with emphasis on the loss allowance rules in IFRS 9, internal governance, consumer protection, ICT risk, compliance with the anti-money laundering legislation and climate risk. Finanstilsynet also surveyed the use of risk weights in the calculation of capital requirements according to the standardised approach, including how the retail exposure category is used under the capital requirements regulation (CRR).

Institutions that for various reasons have elevated risk levels are subject to enhanced monitoring. In 2023, this was the case for just under 20 institutions, with particularly close follow-up of three of them. During the year, Finanstilsynet found that six institutions were engaged in financing activity without the necessary licence. The institutions were subject to further scrutiny and ordered to stop their illegal activities. Four of the institutions appealed the decision. Finanstilsynet reported one of the institutions to the police. Finanstilsynet also stopped companies that engaged in illegal financing activity on Facebook.

Finanstilsynet conducted a thematic inspection in 2023 of banks' recovery of own claims and treatment of residential mortgage customers with payment difficulties and non-performing mortgages. Furthermore, Finanstilsynet followed up errors in banks' collection of outstanding pecuniary claims, where debtors were charged excessive costs and interest.

Follow-up of the Pillar 1 capital requirements

The capital requirements shall ensure the banks’ ability to absorb losses and maintain lending activity during downturns. Pillar 1 stipulates minimum capital requirements and buffer requirements in per cent of risk-weighted assets.

Systemically important institutions are subject to an additional buffer requirement of 1 or 2 per cent, depending on their size and their market share of lending in Norway. In line with advice from Finanstilsynet, the Ministry of Finance defined DNB Bank ASA, Kommunalbanken AS, Nordea Eiendomskreditt AS and SpareBank1 SR-bank ASA as systemically important in 2023.

Ten Norwegian institutions have received permission from Finanstilsynet to use internal models to determine risk-weighted assets for credit risk (IRB models). Banks with permission to use the IRB approach generally have lower risk weights than banks using the standardised approach. In order to obtain such permission, the institution is required to document that the models are suited to measure long-term risk, that they are used as part of the banks' risk management, credit approval process and risk reporting, and that they are tested (validated) on a regular basis.

In 2023, Finanstilsynet approved the applications of six IRB banks, subject to certain terms and conditions, to implement changes in their IRB models for corporate and retail exposures, partly to reflect changes in the definition of default and new guidelines for IRB models introduced by the European Banking Authority (EBA). During 2023, five of the banks appealed against the decisions on IRB models for corporate exposures.

Follow-up of Pillar 2 capital requirements – additional requirements for individual banks

Every year, Finanstilsynet carries out an assessment of individual banks’ overall risk. The risk assessments provide a basis for making inspection priorities and for assessing the banks' capital needs (SREP). Based on the risk assessment, Finanstilsynet sets individual additional capital requirements for the institutions, so-called Pillar 2 requirements. The Pillar 2 requirements cover risks that are not or only partially covered by the minimum and buffer requirements under Pillar 1.

Finanstilsynet sets Pillar 2 requirements annually for systemically important banks and every two or three years for medium-sized and small banks. In 2023, Finanstilsynet set 34 Pillar 2 requirements. The decisions were based on the methodology for assessing risk and capital requirements described in Circular 3/2022. The decisions are published on Finanstilsynet's website (in Norwegian only).

During 2023, Finanstilsynet refined analytical tools for the risk assessment of banks, including a new model for a risk-based assessment of how supervisory activities are prioritised. As part of its work on digitalisation, Finanstilsynet launched a streamlining project in 2023 for the use of artificial intelligence for risk assessments of small banks.

In 2023, the Ministry of Finance circulated for comment Finanstilsynet's proposal to implement the fifth Capital Requirements Directive (CRD V), which amends the legal framework for setting Pillar 2 requirements and Pillar 2 guidance. In December, the Ministry of Finance presented a proposal for implementing the rules in Norwegian law.

Supervision of anti-money laundering and counter terrorist financing measures

In 2023, Finanstilsynet updated its risk assessment of money laundering and terrorist financing for supervised institutions. The risk assessment forms the basis for risk-based supervision in this field.

Supervisory activity in 2023 included the institutions' customer knowledge, risk assessments and compliance with the requirements for ongoing monitoring. The inspections revealed, among other things, deficiencies in institutions' risk assessments, operational procedures and training. Administrative fines were imposed on two banks for violation of the rules.

During 2023, Finanstilsynet finalised a thematic inspection of banks' compliance with obligations related to sanction screening. The inspection revealed a number of weaknesses in banks' sanction screening systems and also showed that banks’ reliance on screening system providers represents a vulnerability.

The guidance to the asset freeze provisions prepared by the Ministry of Foreign Affairs aims to make it easier to understand the obligations and prohibitions ensuing from the financial restrictions set out in Norwegian regulations. The Norwegian regulations are based on sanctions from the UN Security Council and measures implemented by the EU. In 2023, Finanstilsynet contributed to a new guidance to the asset freeze provisions, which was published in June. Finanstilsynet was also involved in the Ministry of Foreign Affairs' work on new sanction packages prepared as a result of the war in Ukraine.

In the period 2021–2023, the International Monetary Fund (IMF) evaluated how the authorities in the Nordic and Baltic countries follow up AML efforts. The evaluation was partly based on the supervision of banks, and Finanstilsynet participated in the project, whose objective was to identify cross-border threats and vulnerabilities in the Nordic-Baltic region and to make recommendations on how they can be handled. A summary report from the project was published in September, and a separate country report for Norway was submitted in December.

Supervision of ICT risk

Supervision of financial institutions' compliance with regulations concerning ICT risk, including ICT security, is often carried out as pure ICT inspections, but may also be part of broader inspections at individual institutions. The inspections carried out in 2023 focused on areas that are material to the management and control of institutions' ICT risk, including outsourcing of ICT operations, emergency preparedness and continuity, as well as ICT security.

In 2023, Finanstilsynet followed up the banks in the Eika Alliance's shift to Tietoevry as a new provider of core banking solutions. The conversion was carried out without major negative consequences for the banks' operations.

During 2023, Finanstilsynet received and considered 353 notifications of serious or critical ICT incidents from banks and other finance companies, which was a significant increase from the previous year. However, financial institutions enjoyed good operational stability, and there were no ICT incidents with consequences for financial stability in 2023.

Finanstilsynet cooperated with other government agencies on ICT security in the financial system. Among other things, Norges Bank and Finanstilsynet established a framework for testing of cybersecurity in the financial sector (TIBER-NO). Testing in accordance with TIBER-NO is voluntary. In 2023, one bank completed the test.

Licensing and other administrative matters

In 2023, Finanstilsynet granted two permissions for the merger of savings banks. In connection with these cases, licences were granted to establish three savings bank foundations.

Every year, Finanstilsynet assesses whether members of boards of directors and senior executives and qualified owners of banks meet fitness and propriety requirements. A number of such assessments were made again in 2023.              

Finanstilsynet processed 182 notifications of outsourcing of ICT deliveries in 2023.

Analysis and monitoring

In order to identify risks that affect the institutions, Finanstilsynet monitors and analyses the real economy, financial markets and developments in individual entities. The analyses are partially based on reporting from the institutions. The reporting also forms an important basis for supervision of the institutions.

Reports prepared and published in 2023 covered the institutions’ profitability and financial position and thematic analyses of residential mortgages and consumer loans. The following reports are available on Finanstilsynet’s website:

• quarterly reports on institutions’ profitability, credit risk, financial position, etc.
• quarterly reports on institutions' compliance with the Lending Regulations
• semi-annual reports on financial stability (Risk Outlook)
• semi-annual reports on developments in consumer loans
• semi-annual reports on fraud and fraud statistics
• annual survey of the institutions’ lending practices for residential mortgages
• annual risk and vulnerability analysis of the financial sector's use of ICT (RVA)

Emergency preparedness and crisis management

Finanstilsynet is the Norwegian resolution authority pursuant to the pan-European rules on the resolution of banks. 13 banks have been identified as having critical functions, which means that a liquidation could threaten financial stability. In 2023, Finanstilsynet prepared resolution plans for each of these 13 banks and also made decisions on Minimum Requirements for Own Funds and Eligible Liabilities (MREL) for the individual banks.

The European Banking Authority (EBA) has published guidelines for assessing banks' crisis management capacity. The guidelines entered into force on 1 January 2024. The guidelines are aimed at both institutions and public authorities. Finanstilsynet has communicated to the banks that the following topics will be given special weight, in line with the guidelines: access to financial infrastructure, valuations and work on specific plans for internal recapitalisation (‘bail-in playbook’). These three areas are considered to require the greatest effort to achieve the goal of ensuring effective recovery and resolution of vulnerable institutions. The work on verifying the institutions' compliance with the guidelines will be followed up in 2024.

Cyberthreat landscape

Changes to the cyberthreat landscape, including those due to Russia’s attack on Ukraine and an increase in cybercrime, have contributed to a greater focus on the risk of systemic cyber incidents and the importance of digital resilience and recoverability in the financial sector. Again in 2023, Finanstilsynet and the Financial Infrastructure Crisis Preparedness Committee (BFI) paid particular attention to entities that support important functions, including critical functions in society identified by the Norwegian Directorate for Civil Protection (DSB).

Nordic-Baltic-American crisis management exercise – cyber security

In autumn 2023, Finanstilsynet participated in the ‘Northern Bastion’ resilience exercise in Finland, which included participation from government authorities from Denmark, Estonia, Finland, Norway, Sweden and the US. The participants represented the respective countries' finance ministries, central banks, financial supervisory authorities and, in some cases, national security agencies. The exercise examined preparedness and resilience in a situation where a cyber security incident and damage to physical infrastructure occurred simultaneously. In the exercise, these incidents disrupted the digital processes supporting the provision of services in the financial sector. The financial sector is part of critical infrastructure, and disruptions in this sector could be detrimental to critical social functions. Coordination and cooperation between authorities and countries to maintain business continuity in the sector was part of the exercise.

Regulatory development

Risk weighting of capital requirements for agricultural loans

In autumn 2023, the Ministry of Finance asked Finanstilsynet to consider whether the EU/EEA regulations permit national authorities to adopt differentiated risk weighting of property loan segments, and whether the risk associated with agricultural property loans indicates that the risk weighting should be lower for this segment. The Ministry also asked Finanstilsynet to assess the current threshold for classifying agricultural property as either residential or commercial property. Finanstilsynet presented its conclusions in November 2023. The Ministry of Finance has asked Finanstilsynet for further assessments.

New Act on loan intermediation

A new Act on loan intermediation came into force on 1 July 2023. Prior to this, Finanstilsynet had prepared a proposal for new regulations on loan intermediation and certain amendments to the Financial Institutions Regulations. These rules entered into force at the same time as the new Act.

New rules on digital operational resilience for the financial sector (DORA)

As part of the EU’s digital financial package, the EU has adopted a regulation on digital operational resilience for the financial sector (DORA). The regulation is intended to help ensure that all participants in the financial system have the necessary measures in place to reduce the risk of cyberattacks and other risks associated with ICT operations. In Norway, the use of ICT in the financial sector is regulated mainly in the ICT Regulations. DORA contains provisions that overlap both the ICT Regulations and the Financial Supervision Act, as well as provisions that are currently not covered by Norwegian law.

DORA has been adopted by the EU and will enter into force in the EU in January 2025. In summer 2023, the Ministry of Finance asked Finanstilsynet to assess how DORA should be implemented in Norwegian law. Finanstilsynet presented its proposal to the Ministry in October 2023.