TC Insights: revised Core Principles for effective banking supervision
Wednesday, May 01, 2024

TC Insights: revised Core Principles for effective banking supervision


1. Overview

2. New risk – climate change

3. New risks – digital finance and non-bank financial intermediation

4. Risk management and business model sustainability

5. Operational resilience and macroprudential oversight 

6. Financial risks and proportionality

1. Overview                                                          

This Toronto Centre Insight1 examines the implications for supervisors of the revised Core Principles for effective banking supervision, issued on April 25, 2024.  

The Core Principles are important for banking supervisors because (a) they contain key elements of effective supervision; and (b) they form the basis for IMF and World Bank Financial Sector Assessment Programs (FSAPs).

The Core Principles were originally issued by the Basel Committee on Banking Supervision in 1997. They were substantially updated in 2012 in the aftermath of the Global Financial Crisis. The latest revisions follow a consultative document published in July 2023.  

The revised Core Principles are effective immediately. They have also been incorporated into the consolidated Basel Framework.

The latest revisions reflect:  

  • Supervisory and regulatory developments since the 2012 update.
  • The impact of recent structural trends on banks and the banking system, in particular the rapid advances in financial technology and the proliferation of non-bank financial institutions (NBFIs).
  • Lessons learnt in implementing the 2012 update to the Core Principles, and experiences gained from IMF and World Bank FSAPs.

Many of the Core Principles are strengthened or amended in some way, to take account of:

  • New risks, such as climate-related financial risks and the digitalization of finance.
  • The growth of non-bank financial intermediation.
  • Developments in risk management practices, including business model sustainability.
  • The further development of operational resilience, and of systemic risk and macroprudential supervision.
  • Updates to long-standing financial risks.

Each of these areas is covered in this TC Insight.

Key message:

Supervisory authorities should consider what these revisions to the Basel Core Principles imply for their supervisory powers, approaches, and practices; identify required changes; and implement these changes.

Key areas for consideration include the supervision of climate-related financial risks, digital finance, business model sustainability, and operational resilience.  


Relevant Toronto Centre Notes:

FinTech, RegTech and SupTech: What They Mean for Financial Supervision. August 2017.   

Operational Resilience: The Next Frontier for Supervisors? April 2021.

A Climate and Biodiversity Risks Toolkit for Financial Supervisors. February 2023.


2. New risk – climate change

Some of the Core Principles have been revised to reflect the impact of new risks, including climate-related financial risks.

The Basel Committee defines climate-related financial risks as the potential risks that may arise from climate change (physical risks) or from efforts to mitigate climate change (transition risks); their related impacts; and their economic and financial consequences.

Climate-related physical and transition risk drivers can translate into traditional financial risk categories such as credit, market, operational, liquidity, strategic, and reputational risks.

Climate-related financial risks can affect the safety and soundness of banks and financial stability. Explicit references to climate-related financial risks2 have therefore been added to some of the Core Principles, to improve supervisory practices and banks’ risk management.

In particular:

CP8: Supervisory approach – supervisors should consider climate-related financial risks in their risk assessments and in their supervisory methodologies and processes.

CP10: Supervisory reporting – supervisors should have the power to require banks to submit information that allows for the supervisory assessment of the materiality of climate-related financial risks.

CP15: Risk management process – supervisors should require banks to:

  • Have comprehensive risk management policies and processes for all material risks, including climate-related financial risks, recognizing that these risks could materialize over varying time horizons that go beyond their traditional capital planning horizon.
  • Include climate-related financial risks assessed as material over relevant time horizons, including in their stress testing programs where appropriate.
  • Implement appropriate measures to manage climate-related financial risks where they are material.

CP26: Internal control and audit – supervisors should require banks to consider climate-related financial risks as part of their internal control framework.

Both supervisors and banks should consider climate-related financial risks in a flexible and proportionate manner, given the degree of heterogeneity and evolving practices in this area.

Key message:

Supervisory authorities should build climate and biodiversity-related risks into their supervision by:

  • Recognizing climate change and biodiversity loss as potential sources of economic and financial risk.
  • Developing an understanding of how climate change and biodiversity loss might affect their country and its economy.
  • Determining the potential impact of climate change and biodiversity loss on financial institutions, on financial stability, on users of financial products and services, and on financial inclusion, including by conducting assessments of impact and dependency, and developing climate and biodiversity-related scenario analysis and stress tests.
  • Reflecting the impact of climate and biodiversity-related risks on the inherent risks facing financial institutions (as in the risk-based supervision risk matrix, or whatever system is used for capturing the risks to supervisory objectives).
  • Setting regulatory requirements and supervisory expectations for financial institutions’ governance, risk management, strategy, disclosure, and financial conduct in relation to climate and biodiversity-related risks.


Relevant Toronto Centre Notes:

Climate Change. January 2017.

Climate Change: Issues for Banking Supervisors. July 2019.

Stress Testing and Climate Change. June 2020.

Climate Change: Issues for Securities Supervisors. May 2021. 

Adapting Macroprudential Frameworks to Climate Change Risks. March 2022.

A Climate and Biodiversity Risks Toolkit for Financial SupervisorsFebruary 2023.

Introduction for Supervisors to Scenarios and Stress testing of Climate Risks. May 2023.

Supervisory Stress Testing: A Primer. March 2024.

Supervision of Stress Testing by Financial Institutions. March 2024.


3. New risks – digital finance and non-bank financial intermediation

The Basel Committee notes that technology-driven innovation and digital finance are changing both the way that banking services are provided and customer behaviours. The use of new technologies, the emergence of new products, new entrants, and the proliferation of non-bank financial institutions (NBFIs) create both opportunities and risks for supervisors, banks, and the financial system.   

This is reflected in the revised Core Principles:

Digital finance

CP1: Responsibilities, objectives and powers and CP10: Supervisory reporting – supervisors should be able to access relevant information irrespective of where it is stored, and to review the overall activities of a banking group, including those undertaken by service providers and by any NBFIs within a banking group. 

CP15: Risk management process – the Basel Committee considers this Principle to already be sufficiently broad to cover many of the risks to banks arising from digitalization.

CP25: Operational risk and operational resilience – the revised version of this Principle highlights the importance of operational resilience, given that banks are increasingly relying on third parties for the provision of technology services, which creates additional points of cyber risk and potential system-wide concentrations.


NBFIs supplement banks in providing financial services, but their activities can also affect the stability of the financial system and increase the potential for contagion risks through their interconnections with banks.

CP4: Permissible activities – the revised version of this Principle strengthens the expectation that supervisors should monitor risks to banks from the range of different NBFIs.

CP8: Supervisory approach – the Core Principles have long recognized that supervisors should remain alert to the risks arising from NBFI activities and their potential impact on the banking system.

CP15: Risk management – the revised version of this Principle highlights step-in risk3 more explicitly as a risk that banks should be actively managing (where applicable).

CP17: Credit risk – the revised version of this Principle places greater emphasis on how banks should manage counterparty credit risk.

Key message:

Supervisory authorities should identify the growth of technology-driven innovation, digital finance and NBFIs in their financial sectors; the risks they pose to supervisory objectives; and the need to change supervisory practices to reflect these developments. In particular, supervisory authorities should:

  • Monitor carefully the ways in which, and the extent to which, specific types of innovation, digital finance, and NBFIs are developing in their financial sectors. This will differ across countries.
  • Assess the risks that these developments might pose to their supervisory objectives, including the risks to regulated financial institutions, to financial stability, and to consumers and investors.
  • Include these risks within their approaches to risk-based supervision.
  • Set regulatory requirements and supervisory expectations for financial institutions’ management of these risks.


Relevant Toronto Centre Notes:

Supervision of Cyber Risk. December 2018.

Cloud Computing: Issues for SupervisorsNovember 2020.  

Operational Resilience: The Next Frontier for Supervisors? April 2021.

Supervisory Implications of Artificial Intelligence and Machine LearningJuly 2022.

Cyber Risk: Determining and Delivering a Supervisory StrategyJuly 2023.

Supervising Fintech. November 2023.


4. Risk management and business model sustainability

The Basel Committee wants banks to institute a sound risk culture, to maintain strong risk management practices, and to adopt and implement sustainable business models. 

The revised Core Principles make clear that the assessment of business model sustainability is a key component of effective supervision.

The Basel Committee emphasizes that when conducting business model analysis the supervisor should assess the soundness of a bank’s forward-looking strategies to generate sustainable returns over time, and its capacity to execute its business plan and strategy, taking account of potential changes in banks’ operating environments (including the challenges posed by technology-driven innovation and digital finance). The ultimate responsibility for designing and implementing sustainable business strategies lies with a bank’s board.  

CP8: Supervisory approach and CP15: Risk management process – these Principles have been revised to include new requirements for banks and their supervisors to assess the sustainability of banks’ business models

CP14: Corporate governance – the revisions to this Principle place greater emphasis on banks’ corporate culture and values (including their alignment with compensation systems); ensuring that bank boards have appropriate skills, diversity, and experience; and promoting board independence and renewal.

CP15: Risk management process – this Principle has been revised to bring together the requirements that supervisors should impose on banks to undertake stress testing, and emphasizes the need for banks to focus on risk culture, risk appetite frameworks, and risk data aggregation.  

CP20: Transactions with related parties – this revised Principle introduces a minimum definition of related parties; enhances the approval process for granting and managing related party transactions; clarifies the application of limits; and improves associated reporting requirements.

CP29: Abuse of financial services – this Principle is revised to align the requirements on banks with the latest Financial Action Task Force recommendations, and requires banks to implement group-wide programs to address money laundering, proliferation financing, and terrorist financing.

Key message:

Supervisory authorities should reflect these revised Principles on governance and risk management in their regulatory requirements, supervisory expectations, and supervisory practices. In particular, supervisory authorities should: 

  • Recognize that the root cause of capital and liquidity difficulties in financial institutions is often an unsustainable business model (or the inadequate execution of a strategy or business model).
  • Increase supervisory assessment of financial institutions’ business models, to identify vulnerabilities and to intervene where necessary by requiring financial institutions with weak business models to hold additional capital and/or liquidity, or to change their business models.
  • Require financial institutions, on a proportionate basis, to run a range of severe but plausible stress tests to help both financial institutions and their supervisors to identify and understand better the risks they are taking and to manage these risks accordingly.
  • Use on-site discussions with board members and senior management of financial institutions to assess the effectiveness of their corporate governance and their culture and values.


Relevant Toronto Centre Notes:

Improving Corporate Governance in Regulated Firms. January 2016.

Supervising Corporate Governance During Crises. April 2020. 

Supervision of Money Laundering and Terrorist Financing. October 2020.

Supervising Corporate Governance: Pushing the Boundaries. January 2022.

Supervision of Stress Testing by Financial Institutions. March 2024.


5. Operational resilience and macroprudential oversight

The Basel Committee notes that significant efforts have been made in recent years to strengthen operational resilience, so banks are better able to withstand, adapt to and recover from severe operational risk-related events, such as cyber attacks, technology failures, natural disasters, and pandemics.

CP25: Operational risk and operational resilience – this Principle has been revised to cover operational resilience, not just operational risk, so it focuses on how banks respond to and recover from operational disruptions.

The Principle has been extended to enhance the supervisory focus on the effectiveness of banks’ governance, operational risk management, business continuity planning and testing, mapping of interconnections and interdependencies, third-party dependency management, incident management, cyber security, and information and communication technology.

Macroprudential oversight

The previous update of the Core Principles in 2012 required supervisors to apply a system-wide macro perspective to the supervision of banks to assist in identifying and analyzing systemic risks and taking pre-emptive action to address them. These requirements have been strengthened to reflect experience with macroprudential policy and supervision, including:

CP3: Cooperation and collaboration and CP13: Home-host relationships – greater emphasis is placed on the importance of close cooperation, both domestically and internationally, between the relevant authorities with responsibility for banking supervision, macroprudential policy, and financial stability.

CP8: Supervisory approach – this Principle clarifies the role of the supervisor in assessing and mitigating risks to banks and the banking system.

CP9: Supervisory techniques and tools – supervisors should have a process to assess and identify systemically important banks in a domestic context.

CP16: Capital adequacy – supervisors should have the ability to require banks to maintain additional capital (for example a counter-cyclical capital buffer or sectoral capital requirements) in a form that can be released in the event of system-wide shocks.

Key message:

Supervisory authorities should ensure that their supervisory approaches and practices are sufficiently wide-ranging to cover the revised Core Principles in these areas, including:

  • Setting regulatory requirements and supervisory expectations on financial institutions to put in place arrangements and procedures to enable them to respond to, and recover promptly from, operational disruptions. This should be in addition to any requirements on financial institutions to reduce the probability of operational disruptions occurring.
  • Assessing the credibility and likely effectiveness of the plans made by financial institutions to respond to, and recover from, operational disruptions; and intervening where these plans are inadequate.
  • Reviewing institutional arrangements to ensure that the powers and responsibilities of the supervisory authority with respect to macroprudential policy and financial stability are clear; and that there is effective communication and cooperation among all the authorities with responsibilities in this area (for example the supervisory authority, central bank, and Ministry of Finance), both at home and cross-border.      


Relevant Toronto Centre Notes:

Operational Resilience: The Next Frontier for Supervisors? April 2021.

Integrating Microprudential Supervision with Macroprudential Policy. March 2021.

Adapting Macroprudential Frameworks to Climate Change Risks. March 2022.


6. Financial risks and proportionality

The Basel Committee notes the need to reflect the Basel III Framework and other developments in the Core Principles relating to financial risks, including:

CP16: Capital adequacy – supervisors should apply a non-risk-based measure (a leverage ratio) to complement risk-based approaches in constraining leverage in banks and the banking system.

CP17: Credit risk – revisions to this Principle strengthen the requirements on banks’ credit risk management practices, and place greater emphasis on risks relating to counterparty credit risk and securitization transactions.

CP18: Problem exposures, provisions, and reserves – this Principle has been revised to reflect the introduction of expected credit loss (ECL) provisioning.

CP19: Concentration risk and large exposure limits – the definition of connected counterparties and large exposure limits is aligned with the large exposures framework.

CP23: Interest rate risk in the banking book – revisions to this Principle reflect the potential impact of customer behaviours on interest rate risk assumptions.

However, no significant changes are made to CP24: Liquidity risks, despite the liquidity-driven bank failures in March 2023. CP24 is already quite wide-ranging and covers some of the lessons emerging from those failures, but some revisions to this Principle may be required once the Basel Committee has reviewed whether changes need to be made to the Basel III Framework.

More generally, the Basel Committee reiterates the importance of proportionality, noting that the Core Principles should:  

  • Be applicable to a wide range of jurisdictions whose banking sectors may include a broad spectrum of banks (from large internationally active banks to small, non-complex deposit-taking institutions). A proportionate approach is required, both to the requirements that supervisors impose on banks and to how supervisors discharge their own functions.
  • Allow for different approaches to supervision, to reflect specific country circumstances and the context in which supervisory practices are applied.
  • Recognize that the appropriate intensity of supervision for banks varies, with more time and resources devoted to larger, more complex, or riskier banks. Risk-based supervision focuses supervisory resources where they can be utilized optimally, concentrating on outcomes and moving beyond passive assessment of compliance with rules.

Key message:

Supervisory authorities should already be adopting these revisions to the Core Principles as they implement (or plan to implement) Basel III; and be considering proportionality as they implement (or plan to implement) risk-based supervision.   


Relevant Toronto Centre Notes:

Risk-Based Supervision. March 2018.  

Pillar 2 and Beyond: Issues for Supervisors in Implementing Basel II and Basel III. June 2020.  


1This TC Insight is written by Clive Briault, Chair, Toronto Centre Banking Advisory Board.

2The revised Basel Core Principles refer only to climate-related financial risks. They do not explicitly cover risks relating to biodiversity loss.

3The risk that a bank decides to provide financial support to an unconsolidated entity that is facing stress, in the absence of, or in excess of, any contractual obligations to provide such support.