Raphael Stevens

“If you assess individual banks in Italy, it’s difficult not to believe that something will happen, I would say, over the next 12 months or so,” Antonio Reale, co-head of European banks at Bank of America, told CNBC.
Speaking in March, Italy’s Economy Minister Giancarlo Giorgetti said “there is a specific commitment” with the European Commission on the divestment of the government stake on BMPS.
Paola Sabbione, an analyst at Barclays, believes there would be a high bar for Italian banking M&A if it does occur.

Banking analysts assess the possibility of a banking merger in Italy.
Bloomberg | Bloomberg | Getty Images

MILAN, Italy — European policymakers have longed for bigger banks across the continent.
And Italy might be about to give them their wish with a bumper round of M&A, according to analysts.

Years after a sovereign debt crisis in the region and a government rescue for Banca Monte dei Paschi (BMPS) that saved it from collapse, many are looking at Italy’s banking sector with fresh eyes.
“If you assess individual banks in Italy, it’s difficult not to believe that something will happen, I would say, over the next 12 months or so,” Antonio Reale, co-head of European banks at Bank of America, told CNBC.
Reale highlighted that BMPS had been rehabilitated and needed re-privatization, he also said UniCredit is now sitting on a “relatively large stack of excess of capital,” and more broadly that the Italian government has a new industrial agenda.
UniCredit, in particular, continues to surprise markets with some stellar quarterly profit beats. It earned 8.6 billion euros last year (up 54% year-on-year), pleasing investors via share buybacks and dividends.
Meanwhile, BMPS — which was saved in 2017 — has to eventually be put back into private hands under an agreement with European regulators and the Italian government. Speaking in March, Italy’s Economy Minister Giancarlo Giorgetti said “there is a specific commitment” with the European Commission on the divestment of the government stake on BMPS.

“In general, we see room for consolidation in markets such as Italy, Spain and Germany,” Nicola De Caro, senior vice president at Morningstar, told CNBC via email, adding that “domestic consolidation is more likely than European cross-border mergers due to some structural impediments.”
He added that despite recent consolidation in Italian banking, involving Intesa-Ubi, BPER-Carige and Banco-Bpm, “there is still a significant number of banks and fragmentation at the medium-sized level.”
“UniCredit, BMPS and some medium sized banks are likely to play a role in the potential future consolidation of the banking sector in Italy,” De Caro added.
Speaking to CNBC in July, UniCredit CEO Andrea Orcel indicated that at current prices, he did not see any potential for deals in Italy, but said he is open to that possibility if market conditions were to change.
“In spite our performance, we still trade at a discount to the sector … so if I were to do those acquisitions, I would need to go to my shareholders and say this is strategic, but actually I am going to dilute your returns and I am not going to do that,” he said.

“But if it changes, we are here,” he added.
Paola Sabbione, an analyst at Barclays, believes there would be a high bar for Italian banking M&A if it does occur.
“Monte dei Paschi is looking for a partner, UniCredit is looking for possible targets. Hence from these banks, in theory several combinations could arise. However, no bank is in urgent need,” she told CNBC via email.
European officials have been making more and more comments about the need for bigger banks. French President Emmanuel Macron, for example, said in May in an interview with Bloomberg that Europe’s banking sector needs greater consolidation. However, there’s still some skepticism about supposed mega deals. In Spain, for instance, the government opposed BBVA’s bid for Sabadell in May.
“Europe needs bigger, stronger and more profitable banks. That’s undeniable,” Reale from Bank of America said, adding that there are differences between Spain and Italy.
“Spain has come a long way. We’ve seen a big wave of consolidation happen[ing] right after the Global Financial Crisis and continued in recent years, with a number of excess capacity that’s exited the market one way or the other. Italy is a lot more fragmented in terms of banking markets,” he added. More

When times are tough, politicians reach for metaphors. In Ethiopia, which floated its currency and entered a $3.4bn IMF programme on July 29th, the prime minister Abiy Ahmed (pictured) compared reform to “the pain of surgery, endured for healing”. In Nigeria Bola Tinubu, the president, has defended two devaluations, saying the old system was “a noose around the economic jugular of our nation”. Both want to head towards orthodox policy, however much it hurts. More

Jerome Powell’s tenure as chairman of the Federal Reserve has been admirably sure-footed. But on July 31st he may have stumbled when he announced that interest rates would remain at 5.25-5.5%. This was soon followed by unexpectedly weak employment data. Markets around the world then plunged as investors worried that the Fed had fallen behind the curve. More

No investor commands attention quite like Warren Buffett. As boss of Berkshire Hathaway, an investment firm that he has run for almost six decades, Mr Buffett’s every movement is scrutinised. When he shifts in his seat, investors large and small ponder what it might mean for their portfolios. More

“Even those born poor fear the heat.” This slogan, printed on a lemonade from Mixue, a drinks-and-ice-cream chain, says a lot about Chinese consumption. The beverage has been a wild success during a heatwave sweeping the country, less for its tart, refreshing properties than for its price. A cup sells for as little as 3.6 yuan ($0.50), compared with 15 yuan for milk tea. Its popularity, bloggers speculate, reflects darkening consumer sentiment and growing stinginess. Consumers are rapidly trading down, from higher-cost goods to cheap substitutes, and many want to squeeze out every last drop of their spending power. More

By January 2025, banks and their technology suppliers will have to comply with a new EU law known as DORA. It could help prevent major IT disruptions in future.
The importance of financial firms reducing risks stemming from third-party tech vendors became more pronounced after a faulty CrowdStrike software update caused widespread global tech outages.
CNBC runs through what you need to know about DORA — including what it is, why it matters, and what banks are doing to make sure they’re prepared for it.

Traffic_analyzer | Digitalvision Vectors | Getty Images

Financial services companies and their digital technology suppliers are under intense pressure to achieve compliance with strict new rules from the EU that require them to boost their cyber resilience.
By the start of next year, financial services firms and their technology suppliers will have to make sure that they’re in compliance with a new incoming law from the European Union known as DORA, or the Digital Operational Resilience Act.

CNBC runs through what you need to know about DORA — including what it is, why it matters, and what banks are doing to make sure they’re prepared for it.

What is DORA?

DORA requires banks, insurance companies and investment to strengthen their IT security. The EU regulation also seeks to ensure the financial services industry is resilient in the event of a severe disruption to operations.
Such disruptions could include a ransomware attack that causes a financial company’s computers to shut down, or a DDOS (distributed denial of service) attack that forces a firm’s website to go offline. 
The regulation also seeks to help firms avoid major outage events, such as the historic IT meltdown last month caused by cyber firm CrowdStrike when a simple software update issued by the company forced Microsoft’s Windows operating system to crash. 
Multiple banks, payment firms and investment companies — from JPMorgan Chase and Santander, to Visa and Charles Schwab — were unable to provide service due to the outage. It took these firms several hours to restore service to consumers.

In the future, such an event would fall under the type of service disruption that would face scrutiny under the EU’s incoming rules.
Mike Sleightholme, president of fintech firm Broadridge International, notes that a standout factor of DORA is that it doesn’t just focus on what banks do to ensure resiliency — it also takes a close look at firms’ tech suppliers.

Under DORA, banks will be required to undertake rigorous IT risk management, incident management, classification and reporting, digital operational resilience testing, information and intelligence sharing in relation to cyber threats and vulnerabilities, and measures to manage third-party risks.
Firms will be required to conduct assessments of “concentration risk” related to the outsourcing of critical or important operational functions to external companies.
These IT providers often deliver “critical digital services to customers,” said Joe Vaccaro, general manager of Cisco-owned internet quality monitoring firm ThousandEyes.
“These third-party providers must now be part of the testing and reporting process, meaning financial services companies need to adopt solutions that help them uncover and map these sometimes hidden dependencies with providers,” he told CNBC.
Banks will also have to “expand their ability to assure the delivery and performance of digital experiences across not just the infrastructure they own, but also the one they don’t,” Vaccaro added.

When does the law apply?

DORA entered into force on Jan. 16, 2023, but the rules won’t be enforced by EU member states until Jan. 17, 2025.
The EU has prioritised these reforms because of how the financial sector is increasingly dependent on technology and tech companies to deliver vital services. This has made banks and other financial services providers more vulnerable to cyberattacks and other incidents.
“There’s a lot of focus on third-party risk management” now, Sleightholme told CNBC. “Banks use third-party service providers for important parts of their technology infrastructure.”
“Enhanced recovery time objectives is an important part of it. It really is about security around technology, with a particular focus on cybersecurity recoveries from cyber events,” he added.
Many EU digital policy reforms from the last few years tend to focus on the obligations of companies themselves to make sure their systems and frameworks are robust enough to protect against damaging events like the loss of data to hackers or unauthorized individuals and entities.
The EU’s General Data Protection Regulation, or GDPR, for example, requires companies to ensure the way they process personally identifiable information is done with consent, and that it’s handled with sufficient protections to minimize the potential of such data being exposed in a breach or leak.
DORA will focus more on banks’ digital supply chain — which represents a new, potentially less comfortable legal dynamic for financial firms.

What if a firm fails to comply?

For financial firms that fall foul of the new rules, EU authorities will have the power to levy fines of up to 2% of their annual global revenues.
Individual managers can also be held responsible for breaches. Sanctions on individuals within financial entities could come in as high a 1 million euros ($1.1 million).
For IT providers, regulators can levy fines of as high as 1% of average daily global revenues in the previous business year. Firms can also be fined every day for up to six months until they achieve compliance.
Third-party IT firms deemed “critical” by EU regulators could face fines of up to 5 million euros — or, in the case of an individual manager, a maximum of 500,000 euros.

That’s slightly less severe than a law such as GDPR, under which firms can be fined up to 10 million euros ($10.9 million), or 4% of their annual global revenues — whichever is the higher amount.
Carl Leonard, EMEA cybersecurity strategist at security software firm Proofpoint, stresses that criminal sanctions may vary from member state to member state depending on how each EU country applies the rules in their respective markets.
DORA also calls for a “principle of proportionality” when it comes to penalties in response to breaches of the legislation, Leonard added.
That means any response to legal failings would have to balance the time, effort and money firms spend on enhancing their internal processes and security technologies against how critical the service they’re offering is and what data they’re trying to protect.

Are banks and their suppliers ready?

Stephen McDermid, EMEA chief security officer for cybersecurity firm Okta, told CNBC that many financial services firms have prioritized using existing internal operational resilience and third-party risk programs to get into compliance with DORA and “identify any gaps they may have.”
“This is the intention of DORA, to create alignment of many existing governance programs under a single supervisory authority and harmonise them across the EU,” he added.
Fredrik Forslund vice president and general manager of international at data sanitization firm Blancco, warned that though banks and tech vendors have been making progress toward compliance with DORA, there’s still “work to be done.”
On a scale from one to 10 — with a value of one representing noncompliance and 10 representing full compliance — Forslund said, “We’re at 6 and we’re scrambling to get to 7.”
“We know that we have to be at a 10 by January,” he said, adding that “not everyone will be there by January.” More