95. Having conducted the BMA, competent authorities should assess the key vulnerabilities to which the institution's business model and strategy expose it or may expose it, considering any of the following:
a. poor expected financial performance;
b. reliance on an unrealistic strategy;
c. excessive concentrations or volatility (e.g. of revenues, earnings, customers subject to enhanced customer due diligence set out in Chapter II, Section 3 of Directive 2015/849, high-risk third countries in accordance with Article 9 of that Directive, deposits and assets under custody/management related to such high-risk third countries;
d. excessive risk-taking;
e. funding structure concerns;
f. significant external issues (e.g. regulatory threats, such as mandating of 'ring-fencing' of business units); and
g. ESG risks and their impact on the viability and sustainability of the business model and long-term resilience of the institution.
96. Following the above assessment, competent authorities should
…