At the end of each month, the SAFE Regulatory Radar highlights a selection of important news and developments on financial regulation at the national and EU level.
DORA: More digital operational resilience with complementing standards
New rules aim to enhance the digital operational resilience of the EU financial sector. On 17 January 2024, the European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) published a set of draft technical standards that encompasses Regulatory Technical Standards (RTS) on Information and Communication Technology (ICT) risk management frameworks, criteria for the classification of ICT-related incidents, RTS defining the policy on ICT services supporting critical functions by third-party service providers (TPPs), and Implementing Technical Standards (ITS) outlining templates for the register of information.
The technical standards on risk management complement the Digital Operational Resilience Act (DORA), and provide harmonized requirements concerning financial entities’ ICT risk management among the different financial sectors. In particular, they address ICT security policies, procedures, protocols and tools; human resources policies and access control; ICT-related incident detection and response; and ICT business continuity management. In addition, they set out simplified reporting requirements for financial entities of lower scope, risk, size, and complexity.
The RTS on classification criteria include, e.g., materiality thresholds for determining major ICT-related incidents or, as applicable, operational or security payment-related incidents. Additionally, they define criteria to classify cyber threats as significant, including materiality thresholds for determining significant cyber threats. The ESAs further provide competent authorities with criteria to assess the relevance of incidents and details of major ICT-related incidents’ reports to be shared with other CAs.
As required by DORA, financial entities need to adopt and regularly review a strategy on ICT third-party risk. About this, the technical standards set out requirements for the financial entities’ policy on the use of ICT third-party services supporting critical functions. They specify parts of the governance arrangements, risk management, and internal control framework that financial entities should have in place.
To allow competent authorities and ESAs to effectively supervise financial entities’ compliance with DORA and to designate critical third-party service providers, these ITS include templates concerning contractual arrangements with ICT third-party service providers that need to be maintained and updated by financial entities.
The final draft technical standards have been submitted to the European Commission for adoption.
MiFID II/MIFIR: Improvements to reduce information asymmetries and increase attractiveness for investments
The European Parliament adopted the main pieces of legislation concerning investment services and activities of EU-based trading venues. On 16 January 2024, it approved amendments to the Markets in Financial Instruments Regulation (MIFIR) and the Markets in Financial Instruments Directive II (MiFID II). One of the key adjustments includes the establishment of an EU-level “consolidated tape”, an electronic system that will collect real-time data on prices and volumes of shares and exchange-traded funds from different exchanges without identification of trading venues. By June 2026, ESMA shall assess whether this will have reduced information asymmetries and increased the EU’s attractiveness as a place to invest. The Parliament also decided to ban the practice of receiving payments for forwarding client orders for execution (“payment for order flows”). The endorsed rules build on the provisional agreement between the European Parliament and the European Council described in more detail in SAFE Regulatory Radar from July 2023.
To ensure a consistent application of rules concerning the use of pre-trade controls set out in MIFID II, ESMA announced the launch of a Common Supervisory Action with National Competent Authorities on 11 January 2024. They will gather information from investment firms on, among other things, their monitoring and governance framework related to pre-trade controls, the calibration and design of pre-trade controls.
AML/CFT: Stricter and harmonized rules for national authorities
New rules aim to protect the EU internal market from money laundering and terrorist financing. On 17 January 2024, the European Parliament and the Council reached a provisional agreement on a regulation providing rules for the private sector and a directive dealing with the organization of national anti-money laundering and counter- terrorist financing systems.
The EU “single rulebook” regulation expands the list of obliged entities by crypto-asset service providers, forcing them to apply customer due diligence measures for transactions amounting to 1000 euros or more as well as enhanced due diligence measures for cross-border correspondent relationships. While member states can impose lower maximum limits for cash payments, the EU-wide maximum level is set to 10,000 euros. In addition, national Financial Intelligence Units (FIUs) and other competent authorities will have access to additional and harmonized information on beneficial ownership held by obliged entities. Entities further have to apply enhanced due diligence measures when involving third countries with high risks according to the financial action task force listings.
According to the sixth Anti-Money Laundering Directive, member states will need to ensure adequate supervision of obliged entities. They have to ensure that entities comply with the requirements and impose stricter sanctions on entities that fail to do so. It further allows FIUs to better cooperate, detect money laundering and terrorist financing cases and suspend suspicious transactions, accounts, or business relationships.
On 18 December 2023, the Council stated that it had agreed with the European Parliament on the procedure to select the seat for the future European authority for countering money laundering and terrorist financing (AMLA), which will have direct and indirect supervisory powers as well as the power to impose sanctions and measures. After public hearings on 30 January 2024, the co-legislators will decide on the seat in an informal meeting, where the Parliament’s and the Council’s representatives will vote together at the same time with the same number of votes attributed to each co-legislator.
Public consultations
|
Dr. Angelina Hackmann is Co-Head of the SAFE Policy Center.
