to the point: financial regulation | 08/2025

·    The EBA has issued a no-action letter on the application of the ESG Pillar 3 disclosure requirements under the EBA disclosure Implementing Technical Standards (ITS), providing temporary relief for institutions facing uncertainty over the evolving Pillar 3 framework. Large institutions with listed securities, as well as other firms recently brought under the expanded scope of Article 449a CRR, are not required for the time being to prioritise disclosure or reporting of certain ESG templates and data points, as supervisors have been advised not to enforce these specific requirements until the amended ITS enter into force. For banks and other institutions, this means that while the overarching obligation to prepare for ESG risk disclosures remains, they are given some breathing room to adapt systems, align reporting processes and avoid potential inconsistencies or duplication during the transitional period. The updated ESG risk dashboard also signals that institutions should expect ongoing monitoring and gradual integration of climate and sustainability risks into supervisory assessments, even if enforcement of selected templates is delayed. In practice, the no-action letter reduces immediate compliance pressure but underscores the need for obliged entities to continue investing in their ESG data and reporting capabilities in preparation for the harmonised and expanded disclosure framework that will soon become binding.

·   The EBA has published its final draft Regulatory Technical Standards (RTS) on the allocation of off-balance sheet items and the specification of factors that might constrain institutions' ability to cancel unconditionally cancellable commitments, in which it reshapes how institutions must calculate and classify such exposures under the Standardised Approach for credit risk, with significant implications for obliged entities. Banks and other institutions now have to apply new assignment criteria to off-balance sheet items that were previously not mapped to buckets under Annex I of the Capital Requirements Regulation (CRR). This requires them to carefully assess conversion probabilities based on financial covenants, conditions linked to non-credit events, and the level of optionality the obligor holds, while making use of the EBA's illustrative examples to support consistent classification. At the same time, institutions can no longer rely solely on the formal "unconditionally cancellable" label for commitments, as the RTS introduce four factors, linked to risk management, commercial, reputational and litigation considerations, that may in practice constrain their ability to cancel such commitments. This raises the bar for documenting and justifying when exposures can truly be treated as cancellable. Moreover, for off-balance sheet items not covered in Annex I, entities must follow a formal notification process through the COREP framework, which adds a new reporting requirement but is designed to streamline compliance. Taken together, the new rules oblige institutions to refine their risk assessment and classification processes, adjust internal controls, and ensure that both capital calculations and reporting align with the stricter and more harmonised EU standards.

·     The EBA has issued its new final Regulatory Technical Standards (RTS) specifying what constitutes an "equivalent legal mechanism" for unfinished property exposures under the Capital Requirements Regulation (CRR), under which institutions may recognise properties under construction in their capital requirements calculations, but only if the guarantees or completion schemes backing them meet the strict safeguards set out in the RTS. This means that obliged entities must ensure that the protection providers have adequate creditworthiness and that the guarantee arrangements are legally enforceable, with a harmonised 20 % risk weight cap applied where applicable. For institutions operating in Member States with national completion guarantee schemes, the RTS provide a broader recognition than previously proposed, but still subject these schemes to EU-wide prudential conditions to ensure consistency and soundness. In practice, this will require banks and other regulated parties to review their use of such schemes, confirm that they comply with the new criteria, and potentially adapt contractual and risk management practices so that exposures to unfinished properties can continue to benefit from preferential treatment under the Capital Requirements Regulation.

·    The EBA has published final draft Regulatory Technical Standards (RTS) under CRR3, specifying how EU banks must calculate and aggregate their crypto-asset exposures for prudential purposes.  The RTS cover the capital treatment for credit risk, counterparty credit risk, market risk and credit valuation adjustment risk for both asset reference tokens (ARTs) and unbacked crypto assets such as Bitcoin. They set out technical details on netting, aggregation of long and short positions, hedge recognition and the formulas for determining exposure values. The RTS are designed to align with the  Basel standard on prudential treatment of crypto-asset exposures and reflect requirements under the Markets in Crypto-Assets Regulation (MiCA). Notably, after consultation, the EBA removed the requirement for prudent valuation of fair value crypto-asset exposures and clarified how to aggregate positions for exposure limits. These transitional rules, mandated by Article 501d(5) of CRR3, provide a harmonised approach for capitalising crypto-asset exposures until a permanent prudential framework is established, enabling institutions to engage in crypto markets while ensuring consistent risk management across the EU.

·    The EBA has published three final draft Regulatory Technical Standards (RTS) under the CRR3 "EU Banking Package", significantly updating how banks record and manage operational risk losses. The first RTS establishes a harmonised taxonomy for operational risk events, including detailed event types, categories and attributes, such as ESG and ICT-related factors, aligned with international standards and the Digital Operational Resilience Act (DORA). The second RTS clarifies the conditions under which it would be unduly burdensome for an institution to calculate the annual operational risk loss, allowing for a temporary waiver in specific cases, particularly benefiting smaller or data-limited institutions. The third RTS sets out requirements for adjusting and integrating loss data following mergers or acquisitions, including guidance on currency, taxonomy and handling missing historical data. These RTS represent a key step towards a more risk-sensitive and data-driven operational risk framework for EU banks. 

·    The EIOPA has published an Opinion addressed to national supervisors, which does not introduce new rules but clarifies how existing insurance legislation should be applied to the use of AI systems, which has important implications for obliged entities in the sector. Insurers and pension providers must align their AI practices with the governance and risk management principles already embedded in frameworks such as  Solvency II and the Insurance Distribution Directive (IDD), while also taking into account the obligations under the EU AI Act, particularly for high-risk AI applications in life and health insurance. This means that companies deploying AI in pricing, underwriting, claims handling or fraud detection are expected to strengthen data governance, maintain adequate records, ensure fairness and explainability, address cyber risks and preserve meaningful human oversight, all in a proportionate way tailored to the nature of the AI system. The Opinion further signals that supervisors across Member States will converge around these expectations, reducing room for divergent national approaches and creating a more harmonised supervisory environment. For obliged entities, this translates into the need to review their AI use cases, ensure compliance with existing governance frameworks and be prepared for more detailed supervisory guidance as the EIOPA deepens its analysis of specific AI risks and practices.

·       Amendment of the Criminal Code

• In addition to Act VII of 2024 on the market of crypto assets (Crypto Act), the provisions of the Criminal Code have also been amended to include two new offences: misuse of crypto assets and unauthorised provision of crypto asset conversion services. The new provisions entered into force on 1 July 2025.
• Misuse of crypto assets (Section 394/A of the Criminal Code): committed by an individual or legal person who, by using an unauthorised crypto asset conversion service, converts a crypto asset of significant value into money or another crypto asset. Unless the offence is more serious, the offender is liable to imprisonment for up to two years. Crypto assets with a value between HUF 5 and 50 million are considered to be of significant value. Because of the new regulation, when using a crypto exchange service, it is important to pay close attention to choose a service provider that complies with MiCA rules and the validation obligations under the Crypto Act.
• Provision of unauthorised crypto asset conversion services (Section 408/A of the Criminal Code): the offence is committed by anyone who provides crypto asset conversion services of significant value in breach of the validation obligation under the Crypto Act. The offender is punishable by a maximum term of imprisonment of up to three years. The offender is punishable by imprisonment from 1 to 5 years if the offence is committed for a particularly high value, i.e. between HUF 50 and 500 million. The offender is punishable by imprisonment from 2 to 8 years if the offence is committed for a particularly high value, i.e. above HUF 500 million.

·       Amendment of the Crypto Act

• The amendment introduced a validation requirement for the exchange of crypto assets. According to the new legislation, crypto assets can only be exchanged for cash or other crypto assets based on a declaration of conformity issued by a crypto asset validation service provider. Such declaration can only be issued after the successful identification of the transaction and the customer.
• Validation service providers are required to comply with strict personnel, physical, technical, IT and security standards and to apply a transparent pricing policy.
• The rules of the Crypto Act apply to services provided in Hungary and should therefore also be considered when providing cross-border services.
• The new rules of the Crypto Act is effective from 1 July 2025, the rules on the validation obligation and validating service providers will only apply 60 days after the entry into force of the relevant orders of the President of the Security of Supply, Consumer Protection, Innovation (SZTFH), who has not yet issued such orders.

·    On 31 July 2025, the National Bank of Hungary issued a recommendation (No. 9/2025 (VII.31.)) on the transfer of non-performing loans (NPLs), in accordance with Act XII of 2025 on Servicers of Non-Performing Loan Agreements and Purchasers of Non-Performing Loan Agreements, setting out legal and prudential frameworks subject to supervisory oversight from 1 August 2025. Although not legally binding, the recommendation is expected to operate as a de facto mandatory standard for market participants. The scope covers credit institutions, non-bank lenders, and NPL purchasers, applying to claims related to loans overdue by at least 90 days. Key supervisory expectations include: separation of NPL portfolios from other assets, establishment of written internal rules in relation to the NPL portfolio, mandatory contractual provisions in the transfer agreement, strengthened IT and data security controls, conflict-of-interest checks, and close MNB monitoring. Within 60–90 days, financial institutions must update internal policies, revise contract templates, upgrade IT systems, and conduct staff training. The aim is to ensure EU-compliant operations, enhance transparency, protect borrowers, and support the stable development of secondary loan markets.