to the point: financial regulation | 01/2024

ECB is increasing its focus on climate change by identifying three key areas that will guide its activities in 2024 and 2025:

1. Impact and Risks of Green Transition:
   1. Examining the effects of transition funding, green investment needs, and how the green transition influences aspects such as labor, productivity, and growth.
   2. Exploring potential changes to monetary policy instruments and portfolios in response to the transition.
2. Physical Impact of Climate Change:
   1. Deepening analysis of extreme weather events' impact on inflation and the financial system.
   2. Integrating climate scenarios and macroeconomic projections.
   3. Assessing the impact of adaptation or lack thereof on the economy and financial sector, including investment needs and the insurance protection gap.
3. Nature-Related Risks:
   1. Analyzing the link between nature loss, degradation, and climate change.
   2. Exploring the economic and financial implications of nature loss.
   3. Examining the role of ecosystems for the economy and financial system.

The ECB will also launch its eighth Environmental Management Programme to support its 2030 carbon reduction targets. The ECB aims to improve climate-related indicators, risk monitoring, and disclosures while contributing to the development of climate-related policies at European and international levels. More information can be found on the ECB’s website.

EBA has initiated a public consultation on draft Guidelines for managing ESG risks and these guidelines outline requirements for institutions concerning the identification, measurement, management, and monitoring of ESG risks, including plans aimed at addressing risks associated with the transition to an EU climate-neutral economy. ESG risks, including those related to climate change, environmental degradation, and social issues, pose challenges to the financial sector. The guidelines aim to ensure the safety and soundness of institutions by establishing requirements for internal processes and ESG risk management arrangements. The guidelines also set principles for the development and content of institutions' plans, aligning with the CRD, to monitor and address financial risks arising from ESG factors. The consultation period is open until April 18, 2024. The guidelines are part of the EBA's sustainable finance roadmap and align with its planned actions under the EU banking package. They address the mandate outlined in Article 87(a)5 of the CRD, with criteria for specific climate-related scenarios to be addressed in subsequent EBA work.

ESAs have issued the first set of final draft technical standards under the Digital Operational Resilience Act (DORA), aiming to enhance the digital operational resilience of the EU financial sector by strengthening Information and Communication Technology (ICT) and third-party risk management and incident reporting frameworks. The standards include Regulatory Technical Standards (RTS) on ICT risk management frameworks, criteria for classifying ICT-related incidents, policy on ICT services by third-party providers, and Implementing Technical Standards (ITS) for the register of information. The RTS harmonize ICT risk management tools for different financial entities, provide criteria for incident classification, and establish governance arrangements for ICT third-party service providers. The ITS include templates constituting register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. The standards are based on DORA regulations, and after a public consultation, they have been submitted to the European Commission for review and adoption.

EBA has published amendments to reporting requirements for market risk in anticipation of the upcoming implementation of the Fundamental Review of the Trading Book (FRTB) in the EU. The revisions focus on the reporting of own funds requirements under alternative approaches, providing detailed information on instruments and positions covered by the alternative standardised approach (ASA) and the alternative internal model approach (AIMA). Additionally, a new template has been introduced to capture information on the reclassification of instruments among the banking and trading books of an institution. These amended technical standards, excluding reclassification reporting, are set to apply for the first time in reports as of the reference date of March 31, 2025.

EBA has released updated Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) on supervisory colleges under the Capital Requirements Directive (CRD), as originally adopted in 2015, the technical standards have been revised to align with the new requirements in CRD V and Capital Requirements Regulation (CRR 2). The updates aim to establish a consistent EU framework for supervisory colleges, enhancing information exchange, risk identification during adverse events, and facilitating efficient cross-border supervision of banking groups. Key changes include improved communication within the college, better risk identification during adverse events, and the optimal use of entrustment of tasks and delegation of responsibility for effective cross-border supervision.

ECB is set to conduct a cyber resilience stress test on 109 directly supervised banks in 2024. The stress test will focus on assessing banks' response to and recovery from a cyberattack, rather than their ability to prevent it. The scenario assumes a successful cyberattack that disrupts the daily operations of the banks. Banks will be evaluated on their measures for response and recovery, including activating emergency procedures, implementing contingency plans, and restoring normal operations. The exercise aims to provide insights for a wider supervisory assessment in 2024 and will not impact capital through the Pillar 2 guidance. Findings and lessons learned will be discussed with each bank during the 2024 Supervisory Review and Evaluation Process. The main findings will be communicated in the summer of 2024.

EIOPA has published its second Report on the application of the Insurance Distribution Directive (IDD), assessing changes in the insurance intermediaries' market structure, patterns of cross-border activity, the impact on small and medium-sized enterprises, and the competence and resources of competent authorities. Over the past two years, higher inflation and rising interest rates have significantly affected the insurance market and customers. The findings indicate a further decrease in the number of registered intermediaries, with improvements in advice and selling methods in some Member States. However, challenges exist in consumers understanding of sustainability rules, and supervisory activities reveal shortcomings in the application of remuneration and conflicts of interest rules. Cross-selling practices, including mobile phone insurance bundled with mobile phones, have been identified as potentially causing detriment to consumers. The report includes a detailed country-by-country analysis of the insurance intermediaries' market structure.

EBA has expanded its Guidelines on money laundering (ML) and terrorist financing (TF) risk factors to include crypto-asset service providers (CASPs), as the updated Guidelines aim to address the potential abuse of CASPs for financial crime, emphasizing ML/TF risk factors and suggesting mitigating measures. CASPs are urged to consider factors such as customer profiles, product characteristics, delivery channels, and geographical locations to assess their exposure to ML/TF risks. The Guidelines also provide guidance to credit and financial institutions dealing with CASPs, particularly those with business relationships involving non-authorized crypto-asset service providers. The deadline for compliance with the Guidelines is two months after their translation into official EU languages, with implementation starting from December 30, 2024. The EBA has been actively working on AML/CFT guidelines related to crypto-assets, aligning the regulatory framework with international recommendations.

The Czech government is currently discussing the amendment that should reflect the so-called TFR regulation regarding information accompanying transfers of funds and certain crypto-assets. Furthermore, it incorporates certain additional legal aspects of DAC 7 and specific recommendations of the Financial Action Task Force Committee (FATF) concerning, among others, the precautional measures aimed to detect cross-border cash movements. Due to these deficiencies, the Czech Republic has been recently positioned under a stricter monitoring regime. If not managed properly, the Czech Republic may be listed on the FATF grey list, i.e. among countries with strategic deficiencies in their AML/CFT systems. Such classification would have serious reputational risk.

The EU intends to regulate artificial intelligence as part of its digital strategy to improve the environment for its advancement and application and to ensure that AI systems used in the EU are safe, transparent, traceable, non-discriminatory and environmentally friendly. On 21 April 2021, the Commission's proposal on laying down harmonised rules on artificial intelligence was published. The AI Act is intended to create a technology-neutral, future-proof definition that can be applied to all prospective AI technologies. On 9 December 2023 the Parliament reached a provisional agreement with the Council on the AI Act, which is now being formally adopted by the Parliament and Council. On 22 January 2024, a draft of the final text of the AI Act was leaked to the public.

The AI Act establishes obligations for providers and deployers depending on the level of risk from artificial intelligence. It divides AI systems into four categories: Unacceptable Risk, High Risk, Certain AI Systems & General-Purpose AI models^[1] and Minimal Risk. Increased due diligence requirements apply to providers and deployers of high-risk AI systems. For banks, it is essential that systems to evaluate the credit score or creditworthiness of natural persons should be classified as high-risk AI systems, since they determine those persons' access to financial resources and may lead to discrimination of certain individuals or groups. For banks, the AI Act refers in multiple parts to existing banking supervisory obligations, as they are already subject to increased requirements, particularly under the Capital Requirements Directive (CRD). The AI Act will be accompanied by a directive on adapting non-contractual civil liability rules to artificial intelligence. The proposal on the AI Liability Directive was published on 28 September 2022.

[1] This category emerges from the pre-final consolidated text leaked on 22 January 2024. The original public proposal for the AI Act, however, refers to the Limited Risk category (AI systems with limited transparency obligations).

The Austrian Financial Market Authority (FMA) has issued a draft of new minimum standards, currently undergoing consultation, providing guidance to real estate and capital investment companies as well as alternative investment fund managers. The draft emphasises the importance of preparing for potential detrimental developments, such as the incapacity of the custodian bank or depositary to perform its services or their insolvency. It also recommends the implementation of emergency plans for a quick and smooth transition from one custodian bank to another. Asset managers are advised to establish clear communication channels and identify potential custodian banks or depositaries with the necessary capabilities to assume the role swiftly (e.g. utilising compatible IT systems, etc.).

On January 1, 2024, the new principles of the Good Practices of Companies on the NewConnect market adopted by the Stock Exchange (WSE) will take effect. These rules apply to any entity that is an issuer of shares introduced to the alternative trading system on the NewConnect market. An important provision of the Best Practices is the special emphasis on ESG issues, including the company's obligation to publish on its website a description of its business model, covering its business strategy, and specifically, its ESG strategy. As the WSE points out, the basic formula is still "apply or explain," based on the adequacy of solutions in relation to the size or organisational structure of the entity. In this case, companies do not have a single solution or action imposed on them, but individually, adequate to their business, adopt do-able solutions. Entities have until April 15, 2024, to publish a current report on the application of the new rules.

The beginning of January brought another key ruling in franking credit cases. Thanks to the decision of the Court of Justice of the European Union (CJEU) on January 12, 2024 (Case C-488/23), the position on capital valorisation has been clarified. The CJEU is once again standing behind consumers and preventing banks from imposing further costs on consumers due to the invalidity of the loan agreement. This means that the CJEU has deprived banks of the ability to demand additional compensation from customers (in addition to the return of the granted capital), including precisely the valorisation of claims due to at least inflation, once the franking agreement has been declared invalid.