VISUALIZACIÓN DE LA NORMA

The aim of these Guidelines is to inform institutions of the criteria and methodologies used by the Banco de España for the review and evaluation referred to in paragraph 1 of Article 10.bis of Law 13/1985 on investment ratios, own funds and reporting requirements of financial intermediaries, which specifies that the Banco de España, in its capacity as the authority responsible for the supervision of credit institutions and their consolidatable groups (hereafter “institutions”), shall:

a) Review the systems, whether they be agreements, strategies, procedures or mechanisms of any kind, used to comply with the solvency rules in this law and in its implementing regulations;

b) Assess the risks to which institutions are or may be exposed;

c) Based on the review and evaluation referred to in a) and b) above, determine whether the systems mentioned in a) above and the own funds held by institutions ensure sound risk management and coverage.

d) Publish guidelines to indicate the criteria, practices or procedures institutions should follow to properly assess the risks to which thay are or may be exposed and for best complying with the rules on the regulation and discipline they have to comply. These guidelines may also include the criteria which the Banco de España will follow in its supervisory review process.

The implementing regulations of the aforesaid article are contained in Chapter IX of Title I of Royal Decree 216/2008 of 15 February 2008 on the own funds of financial institutions and in Rule 108 of Banco de España Circular 3/2008 to credit institutions on determination and control of minimum own funds (hereafter “the Circular”).

The aforementioned paragraph 1 of Article 10.bis of Law 13/1985 is the transposition to Spanish legislation of Articles 124 and 144 of Directive 48/2006 of the European Parliament and of the Council on the taking up and pursuit of the business of credit institutions (hereafter “the Directive” or “the CRD”), the implementing rules of which are set out by the Committee of European Banking Supervisors (CEBS) in its document “Guidelines on the Application of the Supervisory Review Process under Pillar 2”, published on 25 January 2006. These Guidelines are based on the principles and criteria established in the CEBS guidelines, a summary of which is included in Annex 1. Annex 2 lists other guidelines relating to Pillar 2 prepared by the CEBS and the Basel Committee on Banking Supervision.

This task of the Banco de España is generally known by the acronym SREP (supervisory review and evaluation process) although in these Guidelines it is referred to by the literal translation (capital review process) of the term used in the Spanish version (proceso de revisión de capital, PRC).

The aim of the capital review process (PRC) is to ensure that the risk profile of credit institutions is commensurate with the own funds held by them. To this end the so-called Pillar 2 of the revised solvency framework known as Basel II establishes the following four principles:

Principle 1: Credit institutions should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.

Principle 2: Supervisors should review and evaluate institutions’ internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with regulatory capital ratios. Supervisors should take appropriate supervisory action if they are not satisfied with the result of this process.

Principle 3: Supervisors should expect institutions to operate above the minimum regulatory capital ratios and should have the ability to require institutions to hold capital in excess of the minimum.

Principle 4: Supervisors should seek to intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular institution and should require rapid remedial action if capital is not maintained or restored.

It follows from the first of these principles that institutions should have in place an internal capital adequacy assessment process which is appropriate for their size and complexity. This principle is laid down in Article 6.4 of Law 13/1985 and implemented in Article 68 of Royal Decree 216/2008. In order to facilitate compliance with this obligation, on 25 June 2008 the Banco de España published the “Guidelines on the internal capital adequacy assessment process (ICAAP) at credit institutions”, aimed at helping institutions to carry out this process.

Under the second principle set out above, the Banco de España is responsible for reviewing the aforementioned internal capital adequacy assessment process and evaluating whether institutions’ corporate governance, risk management, control procedures and own funds level ensure the adequate management and coverage of the risks to which they are exposed. As stated above, this review and evaluation process is referred to here as the capital review process (PRC).

This task which the regulation of own funds under Basel II has recently imposed on supervisors is not, however, new, but rather the explicit and formal expression of an obligation which has always existed. The Banco de España, in its risk-based supervisory model (SABER), has already established specific procedures for assessing institutions’ risks and capital adecuacy, and this supervisory activity is a fundamental part of the risk-based supervision of credit institutions performed by the Banco de España.

Accordingly, the capital review process forms part of the Banco de España’s general supervisory process, and receives as inputs the results or conclusions obtained during the course of all supervisory activities[1], particularly those stemming from the assessment of institutions’ risks and solvency. For this reason the PRC is included in this activity.

The capital review process is carried out by the Banco de España once it knows the degree of credit institutions´ compliance with the rules they have to follow (particularly with the accounting rules) and after analysing institutions’ economic and financial situation. Without such prior knowledge, a review of institutions’ capital within the meaning of Article 10.bis of Law 13/1985 cannot be carried out.

The internal capital adequacy assessment process draws on the idea that the minimum regulatory capital requirements (the so-called Pillar 1 capital) covers credit, market and operational risk on the basis of uniform rules and constitute a minimum; and that no set of uniform rules can capture all aspects of every risk or cover all the risks to which each particular credit institution is exposed.

Therefore, forming a judgement on the risks assumed and on whether the capital is adequate to support those risks calls for more than a simple assessment of compliance with minimum regulatory capital requirements according to the rules set in Pillar 1 of Basel II. But the capital review process cannot consist in setting automatic increases in capital needs (Pillar 2 “add-ons”) for the risks not covered in Pillar 1. It is not just a matter of simply aggregating the risks not considered under Pillar 1 and determining the capital add-ons needed to cover them, since there may be good reasons to accept that the total amount of capital required may be less than the sum of the capital needed to cover the individual risks, as a result of the well-known diversification effect.[2] In short, it is necessary to carry out an overall assessment of the institution’s risk profile and of the capital needs derived from that risk profile.

The capital review process ends with a forward-looking assessment which results from analysing and evaluating the financial strength of each institution to face any adverse future events which may arise. To this end the institution’s capital plan and, within that capital plan, the envisaged stress scenarios are reviewed and evaluated.

The Banco de España expects institutions to operate above their minimum capital requirements stablished by the solvency regulation, i.e. above the Pillar 1 figures, and to maintain a buffer above the regulatory minimum, in accordance to its risk profile. Moreover, the obligation to hold own funds in excess of Pillar 1 requirements is a prudential tool which the Banco de España can use to make allowance for the risks or weaknesses identified, after having given exhaustive and careful consideration to other supervisory measures.

The scope of application of the PRC is determined by the scope of application of own funds regulations, which generally require compliance at consolidated level. Hence the PRC is conducted at consolidated level, although the review of a banking group also looks at whether the individual institutions of the group are also adequately managed and capitalised from an individual standpoint.

A banking group should be adequately capitalised both in at overall level (in terms of both volume and quality of capital) and, in addition, there should be an adequate distribution of the capital within the group, i.e. commensurate with the allocation of risks at the group, such that each individual bank of the group, including the parent, has the capital that is appropriate for its risk profile and a sufficient buffer to allow its ordinary growth.

Each credit institution in the group should be capable of identifying, managing and assessing its business risks at the individual-entity level, although the risk techniques, systems and culture used by it may be common to the group, without prejudice to the application by the parent of its own control mechanisms to the whole group.

The individual credit institutions in the group, regardless of the degree of control exercised over them by the parent, should have the capacity to turn to the markets to finance their activity and arrange individually the appropriate risk coverage. Intra-group transactions should always be at market prices and not be subsidised in either direction. The best way of achieving this is for the different institutions in a banking group to operate directly with the market, since this improves transparency and enables effective knowledge and rating not only of the group, but also of each of its components.

The prudential supervision of international banking groups is based on the current arrangements for the sharing of responsibilities between home and host supervisors envisaged in Basel Committee documents and in European legislation, as follows:

- The home supervisor exercises the individual prudential supervision of the parent and of the group subsidiaries in his country; it also exercises the consolidated supervision of the group as a whole.

- The host supervisor exercises the individual prudential supervision of all the subsidiaries authorised in his country. Where existing, it is also responsible for supervising the sub-consolidated group in his country, formed by the subsidiaries established in its jurisdiction and the subsidiaries of these.

Neither the new Basel capital framework (Basel II) nor the new capital requirements directive (CRD) has altered this legal sharing of responsibilities. Hence, under Pillar 2 the home supervisor carries out the PRC at group and parent level and the host supervisor carries out the PRC of the subsidiaries in his jurisdiction (and of the sub-consolidated group, if any, in his country).

Notwithstanding the above, the CRD significantly encourages cooperation between supervisors in the EU, with the aim of achieving more effective and efficient supervision of European banking groups, avoiding unnecessary duplication of supervisory activities and preventing an excessive supervisory burden for institutions. For this purpose, the European authorities have undertaken to abide by a reinforced cooperation framework based on close coordination and information exchange to improve efficiency and efficacy in the performance of the respective supervisory tasks.

In accordance with the CEBS’s principles of home-host country cooperation, the Banco de España considers that the key features of the framework of cooperation with other supervisors within the scope of the PRC can be summarised as follows:

- The Banco de España will, as the home supervisor of international Spanish banking groups with subsidiaries in other EU countries, conduct the PRC for the group as a whole, assess the internal governance and the group ICAAP, have the dialogue with the key staff of the group and draw conclusions from the PRC of the group. The Banco de España should initiate on a timely basis a process of consultation with the individual supervisors involved, take the lead in establishing cooperative arrangements based on the group PRC and take into consideration the local PRCs performed by host supervisors when assessing the capital adecuacy of the group as a whole.

- The Banco de España will, as host supervisor of the subsidiaries in Spain of foreign banking groups, perform the PRC at local level in order to assess the ICAAP of the group subsidiaries in Spain. In doing so, it will take into consideration the PRC and ICAAP at the group level, within the context of the cooperative arrangements with the home supervisor.

- The supervisory review process of the Banco de España will take into consideration the degree of integration of the banking group and its internal organisation. Banking groups may have centralised certain activities such as their risk management functions and, consequently, there may be a need to develop a more integrated and coordinated approach to supervision. In such cases the coordinating role of the home supervisor should be more important to ensure an efficient supervisory review.

- The supervisory cooperative framework should contribute to enhancing the consistency and efficacy of supervisory assessment throughout the whole group and should allocate, without prejudice to the legal framework of the respective responsibilities, the various tasks to the supervisor best able to carry them out effectively.

The PRC analyses the solvency of credit institutions in the broad sense of the term, i.e. it analyses not only capital adequacy at a given time, but also foreseeable capital needs and availability. It also analyses the quality of the own funds held, its distribution in consonance with risk allocation within a banking group, the existence of unrealised gains and other items which may be used to absorb unexpected losses, etc. And clearly the PRC considers the ability to generate future profits which can strengthen an institution’s solvency if necessary, since an institution’s first line of defence against possible future losses is a sound profit and loss account based on recurring earnings.

The main sources of information used by the PRC are the periodical institution’s own funds return to Banco de España and its internal capital adequacy assessment report (ICAAR). However, the Banco de España uses other relevant information available to it, most notably all that derived from its supervisory activities.

The PRC is structured so as to ensure uniformity in the treatment of institutions, although it takes into account the fact that institutions differ in risk profile, organisation, business strategy and risk management.

The PRC is inspired on the following principles:

- It is comprehensive, in that it includes the review of all significant aspects and risks affecting institutions’ solvency and encompasses both quantitative and qualitative aspects, such as the internal governance of institutions and the management, control and mitigation of all significant risks.

- It is proportionate. The intensity and depth of the review are proportionate to the scale, complexity and systemic importance of each institution. The way in which the review and assessment are carried out is tailored to the organisation and special features of each particular institution.

- It is periodic. It is conducted at regular time intervals and with differing depths, in accordance with the inspection plans, and is updated at least once a year.

- It is prospective and evaluates, based on the information known at any given moment, each institution’s ability to comply with the solvency requirements in the future.

- It is preventive and seeks to identify, where applicable, the prudential measures required to avoid or reduce the probability of future credit institution´s insolvency, limit the cost of those that eventually occur and avoid its effects on the system.

The supervisory process of the Banco de España is established such that the multiple tasks comprising the process enable to update as often as necessary, and at least yearly, each institution’s supervisory risk profile and, where applicable, the Banco de España’s supervisory strategy and supervisory plan for the institution[3].

The PRC forms an integral part of the Banco de España’s risk-based supervisory process and receives input from all supervisory activities which affect the solvency of institutions in one way or another. The Banco de España assesses institutions’ risk profiles by means of its different supervisory activities, i.e. through off-site monitoring and analysis, inspection visits and continuous on-site monitoring.

The PRC is based on all the relevant information available to the Banco de España about an institution, and, specifically, that resulting from all its supervisory activities. Notwithstanding this, the PRC basically consists of two activities:

- Review and evaluation of the periodical own funds return to the Banco de España.

- Review and evaluation of the internal capital adequacy assessment report.

5.1 Review and evaluation of the own funds return

The PRC consists firstly of checking that institutions comply with the regulatory minimum solvency requirements, and analysing and evaluating such compliance through review of the own funds returns submitted periodically by institutions to the Banco de España.

This review and evaluation is conducted basically off-site,[4] but also periodically in inspection visits in accordance with the supervisory plans. Both reviews, i.e. off-site and in inspection visits, are carried out by the operating groups. The off-site review analyses the consistency of the information received, while inspection visits also check the accuracy of the information sent to the Banco de España. The review of the own funds return puts particular emphasis on the past history of the institution’s solvency ratios and on comparing these solvency ratios, in terms of both volume and quality (i.e. percentage of tier 1 capital on total capital held), with those of peer institutions.

An important part of this review relates to the examination and evaluation of ongoing compliance with the requirements to be met in order to use advanced approaches for the calculation of regulatory capital requirements under Pillar 1. This review aims to ensure that these requirements continue to be met, the models continue to be valid, any changes to them by institutions are appropriate and the capital so calculated continous to be adequate. This review is carried out off-site and also in inspection visits.

As stated below (in Section 6.1.2 on the capital plan), this review includes the analysis of possible increases in own funds requirements at times of unfavourable economic circumstances (known as the analysis of capital procyclicality), and also the analysis of the ability of institutions to develop their strategic business plans while complying with their regulatory capital requirements at any time in the future.

5.2 Review and evaluation of the internal capital adequacy assessment report (ICAAR)

Current solvency regulations impose a further obligation on institutions, which is to have a formal internal capital adequacy assessment process. In Spain this process is formally displayed in the internal capital adequacy assessment report (ICAAR) which institutions have to submit to the Banco de España every year.

Hence the Banco de España’s incorporates to its former supervisory activities the task of reviewing and evaluating this internal capital adequacy assessment process performed by institutions.

The Banco de España reviews and evaluates the internal capital adequacy assessment process (ICAAP) performed by institutions by means of the review of the ICAAR and the dialogue with the institution. The dialogue between the institution and the Banco de España is an essential part of the capital review process and includes the Banco de España informing the institution of its evaluation of the ICAAP. The ICAAR is the basic document for this dialogue between the institution and the Banco de España, whose intensity and depth should be proportionate to the complexity and systemic importance of the institution.

This dialogue encompasses all the risks held by the institution, which can be grouped in four categories:

- Pillar 1 risks (credit, market, and operational risk).

- Risks not fully covered under Pillar 1 (for example, residual risk in credit risk mitigation, and securitisation risk).

- Pillar 2 risks (interest rate risk in the banking book, concentration risk, liquidity risk, reputation risk, strategic risk, etc.).

- External factors, where not already considered in the previous points, including the impact of economic cycles.

Regarding the capital held to meet capital needs, although the internal capital adequacy assessment processes of institutions refer to internal capital (as explained in the ICAAP guidelines), this concept of capital differs from own funds in both meaning and composition. Accordingly, for greater clarity, in the dialogue which compares and contrasts the ICAAP and the PRC, the Banco de España bases this dialogue in terms of own funds.

Although the review of the ICAAR is ongoing and lies within the general supervisory process, it has two distinct landmarks: a yearly off-site review, to check that the ICAAR is complete and is reasonable, and the performance of specific reviews of greater depth and wider scope, during inspection visits[5]. Both reviews are subject to the principle of proportionality, whereby the intensity of the review is commensurate with the importance and complexity of what is being reviewed.

5.2.1 Yearly off-site review of the ICAAR

The yearly off-site review of the ICAAR does not aim to check the information submitted by the institution, but rather to draw the conclusions which reasonably derive from that information. However, if major inconsistencies are observed, or if the institution makes statements clearly contrary to the Banco de España’s knowledge of that institution, the pertinent clarifications will be requested. In extreme cases, the institution will be asked to correct the report and re-submit it to the Board of Directors for approval.

The yearly review of the ICAAR consists of examining its content to check that it is complete and reasonable, and of making a first assessment of the report. To this end, the following two tasks are previously carried out:

- The summary ICAAP return[6] is reconciled to the correspondent own funds return and any inconsistencies are identified.

- Any relevant omission in the ICAAR is indicated. Significant omissions must be remedied by the institution.

To review the ICAAR of an institution, account is taken of the ICAARs submitted by peer institutions.

5.2.2 Review of ICAAR in on-site inspections

The review of the ICAAR is also included in the yearly on-site inspection plan. The scope of the review is defined before the inspection visit is commenced. This scope may encompass the full ICAAR or specific aspects of it. It is considered advisable to carry out the review of the ICAAR together with the review of the corresponding own funds return because they are closely related to each other.

A major aim of this review is to check that the information in the ICAAR is adequate and accurate. Another aim is to review and evaluate the methodological aspects of the ICAAP incorporated into the ICAAR and identify possible deficiencies and weaknesses affecting the outcome of the ICAAP.

This review includes a review of institutions’ internal capital models if they are used to prepare the ICAAP.

5.2.3 Review of ICAAR in on-site continuous monitoring

Notwithstanding what has been said in the preceding two sections, the supervisory operating groups which engage in on-site continuous monitoring may review the ICAAR by using the teams located at the institution and the methodology normally employed in the day-to-day conduct of their supervisory activity.

For this purpose, each year a programme will be drawn up to facilitate the review of the ICAAR by coordinating the tasks of the various teams which will review each section of the ICAAR. This programme will set the scope, which will normally be full.

Given that the monitoring of the different risks addressed in the ICAAR, of corporate governance and of the controls in place is of a permanent nature, the information gathered in this monitoring will be used to keep each institution’s supervisory risk profile up to date, independently of whether the yearly review of the ICAAR has been formally completed.

The supervisory process of the Banco de España is established so that all of the multiple tasks comprising it are updated and reviewed each year. This enables supervisory teams to keep up-to-date each institution’s risk profile and, when applicable, the Banco de España’s supervisory strategy and supervisory plan for the institution.

Under this supervisory framework, the regular, at least yearly, execution of the PRC[7] seeks to provide the conclusions needed to better update the institution’s risk profile. To enable this, the ICAARs received from institutions are reviewed and evaluated and, based on this review and on the other supervisory activities performed during the year, possible deficiencies are identified, the pertinent conclusions are drawn and, where applicable, the necessary prudential measures are taken.

6.1 Evaluation of the institution

Once the ICAAR has been reviewed it is taken into account, along with all the results and conclusions from the various supervisory activities carried out during the year and any other relevant information available, in evaluating the institution’s solvency situation and in reviewing, where applicable, the risk matrix ratings[8] and supervisory risk profile of the institution. For this purpose the strengths and also the significant limitations or weaknesses identified are taken into account and the soundness of internal governance is assessed.

As a result of the review of the ICAAR, a brief memorandum is prepared which is included in the annual risk profile report of the institution. This memorandum has the following sections:

1. Capital target. The capital target set by the institution is specified and assessed. To do so, the institution’s specific situation and the targets set by peer institutions are considered.

2. Capital plan. The capital plan, including stress scenarios and contingency plans, is analysed to determine its reasonableness. The discrepancies between the current reality and what was envisaged in the capital planning of prior years are stated, if significant.

3. Consistency between the institution’s internal capital adequacy assessment in its ICAAR and the risk matrix ratings and risk profile of the institution drawn up by the Banco de España. The discrepancies considered significant are indicated.

4. Future action programme. The future action programme, if any, is summarised and assessed. The degree of fulfilment of prior years’ action programmes, when applicable, is also summarised and assessed.

5. Noteworthy matters. Other issues considered significant, in view of the information in the ICAAR and what is known about the institution, are indicated.

The evaluation of the institution is based especially on the reasonableness of the capital target and on the institution’s capital plan.

6.1.1 Capital target

An appropriate capital strategy, based on maintaining a sufficient buffer in excess of the regulatory minimum requirement, enables institutions to get over difficult situations and fulfil their strategic business plan.

Institutions’ ICAARs should display this strategy by means of their capital target. This target should be reasonable, sustainable over time and consistent with the institution’s strategic business plan, without prejudice to possible temporary deviations due to adverse impacts or one-time circumstances.

The Banco de España ICAAP guidelines define the capital target as the amount of capital in excess of the regulatory minimum which the institution considers necessary to hold both currently and in the future period projected in its capital planning and which is in accordance with:

- The risks inherent in its activity.

- The economic environment in which it operates.

- The internal governance, risk management and control systems.

- The strategic business plan.

- The quality of the own funds held.

- The real possibility of obtaining further own funds in the future, if needed.

The ICAAR must justify the institution’s capital target to the satisfaction of the Banco de España. In assessing the capital target the Banco de España considers:

- Material risks not covered under Pillar 1.

- Weaknesses in internal governance, risk management and control.

- The institution’s strategic business plan.

- The institution’s capital plan, including stress tests conducted.

- The Banco de España view, reflected in the risk matrix ratings and the supervisory risk profile given to the institution.

- The existence of available financial resources not considered in regulatory solvency calculations (to be more specific, level of general provisions and unrealised gains).

- The foreseeable increase in own funds requirements in times of crisis. This matter is particularly important for institutions which use advanced approaches for calculating their regulatory capital, due to the higher risk-sensitivity of these approaches.The institution’s capital target (in terms of volume and quality) is compared for this purpose with those of peer institutions. In the case of groups of credit institutions, the distribution of capital between the various legally separate institutions is assessed and, specifically, the reasonableness of the parent’s degree of leverage in its investment in subsidiaries is analysed.

The Banco de España, in assessing an institution’s capital target, will take into account particularly that this target should be commensurate with the institution’s risk profile. Hence institutions with a risk profile considered “high” by the Banco de España should have a higher capital target than institutions with a "medium-high" risk profile; institutions with a "medium-high" risk profile should have a higher capital target than institutions with a "medium-low” risk profile; and finally, institutions with a “medium-low” risk profile should have a higher capital target than institutions with a "low" risk profile.

6.1.2 Capital plan

The capital plan, in conjunction with the institution’s capital target, should allow the growth envisaged in the strategic business plan and, furthermore, the compliance with the mínimum capital requirements under Pillar 1 in the event of a severe recession or of clearly unfavourable business circumstances.

For this purpose, institutions should carry out stress tests and the Banco de España should evaluate them, since these stress tests should be sufficiently severe (for example, considering situations occurring once in the last 20-30 years). To determine the impact in terms of the actual losses arising with a certain probability, institutions may use (when possible and appropriate) advanced regulatory methods for calculating own funds and, on the basis of these methods, estimate the losses which may arise with a certain periodicity (which may be set previously by the Banco de España).

To review these stress tests, the Banco de España will follow the principles and recommendations established in this respect by international supervisory bodies[9], and will apply these recommendations to check that the degree of severity of the stress scenarios used by the various institutions is comparable. The Banco de España will assist institutions in order for them to establish scenarios of comparable severity. For this purpose, the Banco de España may provide direct inputs to institutions for certain stress tests, such as, for example, specific falls in GDP, certain rises in the unemployment rate, house price falls, increases in doubtful loans ratios, etc. and may also define specific “reverse stress scenarios”[10] to be considered by institutions.

Capital buffers over and above the regulatory minimum are held by institutions largely so that regulatory capital requirements continue to be met even in situations of stress, in which extraordinary losses appear. For this reason, if such extraordinary losses materialise, it does not make sense to require institutions to restore immediately their capital to its former level, since in such a case this excess capital lacks utility[11]. In the case those losses occur, the institution should consider a realistic and prudent plan for returning to its capital target.

6.2 Assessment of the programme of future measures

Based on the assessments set out in the ICAAR, institutions should also summarise the main deficiencies and weaknesses found and, if significant, draw up an action plan to remedy them. This action plan may include the following measures, among others:

- Modification of the institution’s risk profile: reduction of certain activities, use of new risk mitigation techniques, etc.

- Improvements in governance and internal organisation; improvements in risk management and internal control.

- Modificate (raise up) the capital target, stating the related adaptation period, if appropriate.

The Banco de España will analyse and assess, as often as necessary and at least yearly, the degree of fulfilment of these programmes of future measures which, as explained in the ICAAP guidelines, constitute a voluntary commitment of the institution.

Taking into account all the supervisory activities performed in the year and the result of the review of the ICAAR, decisions considered appropriate are taken. These decisions may be of internal scope or may have practical implications for the institution:

- Decisions of internal scope:

- Changes to risk matrix ratings and to the institution’s supervisory risk profile.

- Changes to the supervisory plan for the institution and, where appropriate, performance of extraordinary supervisory activities.

- Decisions with practical implications for the institution, in accordance with article 11.3 of Law 13/1985:

- Urge the institution to make changes in its ICAAP or in its ICAAR, in its capital target, in its capital plan or in its programme of future measures.

- Set up Pillar 2 additional capital requirements or other corrective measures.

Ten general principles of the capital review process, referred to in principle 2 of Pillar 2 of the revised solvency framework and in Article 124 of the capital requirements directive, generally known in English by the acronym SREP (supervisory review and evaluation process), were formulated by CEBS in its guidelines on Pillar 2 (Guidelines on the application of the supervisory review process under Pillar 2). They are as follows:

Principle 1: The PRC[12] should be an integrated part of the authority's overall risk-based approach to supervision. The PRC underpins the supervisor's dialogue with the institution.

Principle 2: The PRC should apply to all authorised institutions. The scope of application of the PRC will be determined by reference to the CRD.

Principle 3: The PRC should cover all the activities of an institution. All significant business units of the institution, whether operating domestically or abroad, will be considered in the review and evaluation process.

Principle 4: The PRC should cover all material risks and internal governance. The supervisory authority will evaluate the institution’s risks and internal governance (including risk controls, compliance, and internal audit). The evaluation will focus on identifying each institution's risk profile and assessing the quality of the institution's risk management system. The evaluation of controls should include, at a minimum, an assessment of the quality of internal governance, management body, organisational structure, the risk management and control environment and internal audit and compliance functions. The evaluation should be forward-looking in the sense that it should consider, based on information known at the time, whether the risk profile of the institution is likely to change over the forthcoming period. The supervisor can use stress tests to help determine the need for early intervention.

Principle 5: The PRC will assess and review the institution's ICAAP. The supervisor will assess the institution's ICAAP as part of its PRC. This should include a consideration of the assumptions, components, methodology, coverage and outcome of the institution's ICAAP.

Principle 6: The PRC will assess and review the institution's compliance with the requirements laid down in the CRD. As part of the PRC, the supervisor must also evaluate the institution's compliance with the minimum requirements under the CRD.

Principle 7: The PRC should identify existing or potential problems and key risks faced by the institution and deficiencies in its control and risk management frameworks; and it should assess the degree of reliance that can be placed on the outputs of the institution's ICAAP. The PRC will enable the supervisory authority to tailor its approach to the individual institution and provide the foundation for the supervisor’s general approach to the institution and its actions.

Principle 8: The PRC will inform supervisors about the need to apply prudential measures. Once it has evaluated the adequacy of an institution's capital in relation to its risk profile, the supervisor should identify any prudential measures or other supervisory actions required. For example, where there is an imbalance between business and risk controls, on the one hand, and the capital held, on the other, the supervisor should consider the range of remedial supervisory actions that may be needed to rectify a deficiency in controls or perceived shortfalls in capital.

Principle 9: The results of the PRC will be communicated to the institution at the appropriate level together with any action that is required of the institution and any significant action planned by the supervisory authority. The authority will convey the results of its risk assessment to the institution. This may be done as part of the dialogue between the authority and the institution on the internal systems used to assess capital adequacy. This review and evaluation allows the supervisor, among other things, to provide qualitative feedback to the institution about the adequacy of its risk management and internal controls in relation to its business risk profile.

Principle 10: The supervisory evaluation should be formally reviewed at least on an annual basis, to ensure that it is up-to-date and remains accurate. Supervisory authorities agree that this review may not always constitute a full risk assessment. However, supervisory authorities should at least take stock of any significant changes to the overall risk profile over the past year. They will take into account the results of any supervisory visits, inspections and other information received during the period, and will consider whether the timing of the next full assessment, as agreed during the previous full assessment process, remains appropriate. Notwithstanding the above, any significant new information received in the course of ongoing monitoring and supervision which may affect the institution’s risk profile will trigger consideration by the authority on the need for a formal review or a full risk assessment.

The Committee of European Banking Supervisors (http://www.c-ebs.org/) and the Basel Committee on Banking Supervision (http://www.bis.org/bcbs/) have prepared various documents and guidelines relating to internal governance, risk management and measurement and the implementation of Pillar 2 of Basel II, which institutions must take into account when applying these Guidelines. The following are directly related to these Guidelines:

- CEBS documents:

- Guidelines on supervisory review process, 25 January 2006.

- Guidelines on Validation. 4 April 2006

- Technical Guideline on Interest Rate Risk in the Banking Book. 3 October 2006.

- Additional Guidelines on Stress Testing 14 December 2006 (under revision)

- Additional Technical Guidelines on Concentration Risk. 14 December 2006 (under revision)

- High-level principles for Remuneration Policies, 20 April 2009

- Compendium of Supplementary Guidelines on implementation issues of operational risk, 8 September 2009

- Guidelines on Liquidity Buffers, 9 December 2009

- Implementation Guidelines for Hybrid Capital Instruments, 10 December 2009

- Guidelines on reporting requirements for the revised large exposures regime, 11 December 2009

- Guidelines on the implementation of the revised large exposures regime, 11 December 2009

- Guidelines on Operational Risk Mitigation Techniques, 22 December 2009

- Basel Committee on Banking Supervision documents:

- Framework for Internal Controls, September 1998

- Intra-Group Transactions and Exposures and Risk Concentrations Principles, July 1999

- Enhancing Corporate Governance for Banking Organizations, September 1999

- Risk Concentrations Principles, December 1999.

- Principles for the Management of Credit Risk, September 2000.

- Sound Practices for the Management and Supervision of Operational Risk, February 2003.

- Principles for the management and supervision of interest rate risk, July 2004.

- Implementation of Basel II: Practical Considerations, July 2004.

- Compliance and the compliance function in banks, April 2005.

- Enhancing corporate governance for banking organisations, February 2006.

- Home-host information sharing for effective Basel II implementation, June 2006

- The Core Principles Methodology, October 2006

- Core Principles for Effective Banking Supervision, October 2006

- Implementation of the compliance principles, August 2008

- Range of practices and issues in economic capital modelling, August 2008

- Principles for Sound Liquidity Risk Management and Supervision, September 2008

- External audit quality and banking supervision, December 2008

- Principles for sound stress testing practices and supervision, May 2009

- Enhancements to the Basel II framework – Supplemental Pillar 2 Guidance. July 2009