1. Notice of Intention – Recognition of sustainability knowledge and competence in the MCC
On 23 November 2023, the Central Bank of Ireland ("Central Bank") published a Notice of Intention ("Notice") regarding recognition of sustainability knowledge and competence in the Minimum Competency Code 2017 ("MCC"). The Notice sets out the Central Bank's intention to:
- update appendix 3 of the MCC (which sets out Minimum Competencies for Retail Financial Products) to include competencies in sustainability for all retail financial products;
- introduce amendments to incorporate into appendix 3 of the MCC the suitability requirements under the Markets in Financial Instruments Directive II ("MiFID II") and Insurance Distribution Directive ("IDD"); and
- recognise sustainability training for Continuing Professional Development ("CPD") hours where it is "directly relevant to a person's role".
Given the increased demand for financial products with sustainability-type features, the Central Bank considers that those who are selling or advising on sustainable financial products and services should be qualified to do so. In particular, those in customer-facing roles and employees involved in suitability assessments ought to have the requisite knowledge and competence to be able to understand and explain the products, and to carry out a suitability assessment that takes account of a consumer's sustainability preferences, where relevant to the product / service being provided.
New Competencies added to Appendix 3 of the MCC:
For each product listed in Appendix 3, the competencies relating to the composition of a suitability statement are amended to include a requirement to set out "how the consumer's sustainability preferences have been taken into consideration, where relevant to the financial product or service being provided."
For Life Assurance, and Savings and Investments, the following additional competencies have been proposed in respect of how advice and information is given to the consumer:
- to describe how to fulfil the obligations in relation to the suitability requirements under the IDD, including the obligations relating to sustainability preferences in the suitability assessment under the IDD and having regard to the EIOPA Guidance on the integration of sustainability preferences in the suitability assessment under the IDD where relevant to the financial product or service being provided; and
- to explain, compare and contrast in non-technical terms the main features, benefits, limitations and risks when offering or advising on insurance-based investment products that promote environmental or social characteristics or that have a sustainable investment objective, as specified in EIOPA Guidance on the integration of sustainability preferences in the suitability assessment under the IDD.
Next Steps
The Central Bank will publish the Addendum to the MCC and the changes addressed will come into force for anyone selling or providing advice on financial products or services that incorporate a sustainability element from 1 January 2025.
2. Director of Financial Regulation, Gerry Cross, gives remarks on the implementation of DORA
On 23 November 2023, the Director of Financial Regulation – Policy and Risk, at the Central Bank of Ireland ("Central Bank"), Gerry Cross gave remarks regarding the implementation of the Digital Operational Resilience Act ("DORA"). He opened by stating that Ireland is on track to implement DORA by January 2025. He noted that the first phase of implementing measures, including regulations on risk management, "major incident" classification and outsourcing, is on target to be submitted to the European Commission ("Commission") in early 2024. The second phase of implementing measures, which includes major incident reporting, Threat Led Penetration Testing ("TLPT") and the management of chains of subcontracting, is also on course to go to public consultation in the next few weeks, and to be submitted in the middle of 2024. The following is a summary of the key points made during his speech:
ICT Risk Management including ICT outsourcing risk
Many of the DORA requirements will be familiar to firms due to the existing standards and guidelines for ICT risk management. Under DORA, firms are required to identify, classify and document their ICT assets. Once identified, DORA sets expectations on firms to identify the potential risks related to these ICT assets, and to protect against these risks. Firms should also be able to detect unusual system behaviours and, if they do, DORA requires them to respond to and recover from such incidents.
Level 1 and Level 2 measures should be read in tandem as they complement each other. The Level 2 Regulatory Technical Standards ("RTS") have been finalised and are divided into 5 Chapters: ICT security policies, procedures, protocol and tools expected; interaction of Human Resource policies and access controls; ICT-related incident detection and response; ICT business continuity management; and the firm's report on its ICT risk management framework review.
Under DORA, third party risk management is an integral component of the firm's overall ICT risk management, and accountability cannot be delegated. Financial firms that are not subject to simplified requirements are required to have a strategy in place on ICT third-party risk, including the use of external ICT services supporting critical or important functions.
In addition, there are obligations on firms to establish a register of information for all contractual arrangements on the use of ICT services provided by third-party service providers. An Implementing Technical Standard ("ITS"), which will ensure harmonious recording of contractual ICT outsourcing arrangements, is currently being finalised following a public consultation. A public consultation on sub-outsourcing risk is due to be published later this year.
The Central Bank has introduced outsourcing guidance and templates which are aligned with the DORA outsourcing register.
Operational resilience testing and TLPT
In relation to digital operational resilience testing, firms are expected to have a sound and comprehensive program in place. Large financial entities are subject to advanced TLPT requirements under DORA. TLPT will only apply to the largest financial firms, and Ireland, along with other Member States, has already adopted the 'TIBER-EU' framework for such firms. DORA will require firms to run these tests regularly and put them on a regulatory footing.
ICT related incident reporting
DORA aims to harmonise the reporting of major ICT-related incidents and voluntary reporting of significant cyber threats. DORA expects firms to introduce a management process which detects, manages and notifies ICT incidents and their root causes. The RTS that are being finalised outline 7 classification criteria and thresholds for the identification of major ICT-related incidents. In the next few weeks a public consultation on the template for reporting to competent authorities will be published.
DORA will supersede most of the current incident reporting requirements, but is conscious of existing requirements at a national level such as Ireland's Incident Response Team and it is vital that these work well together. For some regulated financial entities, DORA will lower the reporting burden, while for firms that have limited reporting, DORA will have a bigger impact initially. Cross-sectoral reporting will enable a better EU wide understanding of ICT incidents.
Third Party Oversight Regime
DORA establishes a new oversight regime for Critical Third Party Providers ("CTPPs"). The designation of CTPPs is a vital step. Following the finalising of work on a Call for Advice for the CTPP's criticality criteria by the European Supervisory Authorities ("ESAs") and national competent authorities ("NCAs"), the Commission has received this advice and has been working on the Delegated Acts which were published last week. CTPPs are not regulated and it remains the responsibility of regulated financial entities to take full responsibility for their outsourcing activities. Instead, a CTPP, once designated, will be subject to oversight by the Joint Examination Teams. An RTS on the conduct of oversight is also expected to go to public consultation over the next number of weeks.
Next Steps
Following public consultation, work on the first 4 RTS and 1 ITS is on track to meet the submission deadline of January 2024; while the second batch of 4 RTS and 1 ITS is expected to go to public consultation by the end of the year. Discussions between the ESAs and NCAs on the establishment of the Joint Examination Team are also underway.
3. AML/CFT Updates in the context of Crypto-Assets
EBA consults on guidelines on preventing abuse of funds and certain crypto-asset transfers for AML and CFT purposes
On 24 November 2023, the European Banking Authority ("EBA") published a consultation paper on preventing the abuse of funds and certain crypto-assets transfers for money laundering ("ML") and terrorist financing ("TF") purposes under Regulation 2023/1113 ("Regulation").
The Regulation mandates the EBA to issue guidelines to payment service providers ("PSPs"), intermediary PSPs ("IPSPs"), crypto-asset service providers ("CASPs") and intermediary CASPs ("ICASPs") on what steps they should take to detect and identify incomplete information that accompanies a transfer of funds or crypto-assets, and the procedures that they should put in place to manage a transfer of funds or a transfer of crypto-assets lacking the required information.
The EBA proposes to deliver the mandates by repealing the European Supervisory Authorities ("ESAs") Guidelines on the measures PSPs should take to detect missing or incomplete information on the payer/payee and the procedures they should put in place to manage a transfer of funds lacking the required information, and replacing them with the new guidelines.
Some of the proposed new guidelines include guidelines on:
- determining whether a card, instrument or device is used exclusively for the payment of goods and services;
- steps to address technical limitations;
- the interoperability of protocols;
- identifying the specific data points to be transmitted as part of the information;
- self-hosted wallets; and
- obligations on the payer's PSP, payee's PSP and IPSPs where a transfer is a direct debit.
Next Steps
The consultation will close to responses on 26 February 2024.
EBA issues guidance to AML/CFT supervisors of CASPs
On 27 November 2023, the EBA published its Final Report on Guidelines on the characteristics of a risk-based approach to anti-money laundering and terrorist financing supervision, and the steps to be taken when conducting supervision on a risk-sensitive basis ("Guidelines").
The Guidelines extend the scope of the revised Risk-based Supervision Guidelines to include anti-money laundering and countering the financing of terrorism ("AML/CFT") supervisors of CASPs. These amendments:
- highlight the importance of cooperation between competent authorities, prudential supervisors and other stakeholders;
- emphasise the importance of consistency in establishing supervisory expectations where multiple competent authorities are responsible for supervising the same institutions;
- provide guidance on the sources of information available to competent authorities supervising CASPs;
- outline how competent authorities should decide the type of guidance needed in the sector and the most effective way to communicate this guidance; and
- emphasise the importance of training staff of the competent authorities to ensure they are well trained and have adequate technical skills and expertise required to carry out their functions, including the supervision of CASPs.
Next Steps
The Guidelines will be translated into the official EU languages and published on the EBA website, and competent authorities will have 2 months to report whether they will comply with the Guidelines. The Guidelines will apply from 30 December 2024.
4. Directive on financial services contracts concluded at a distance is published in the Official Journal of the European Union
On 27 November 2023, the Directive on financial services contracts concluded at a distance was published in the Official Journal of the EU.
As previously noted in the FIG Top 5 at 5 dated 26 October 2023, the legislative act was adopted by the European Parliament on 5 October 2023, and by the European Council on 23 October 2023.
The Directive aims to better protect consumers by ensuring that all financial services are covered by these rules, including those which are not covered by specific sectoral legislation, by introducing additional supports for consumers and prohibiting dark patterns.
Next Steps
The Directive will enter into force 20 days after its publication in the Official Journal, on 18 December 2023. Member States have until 19 December 2025 to adopt and publish the laws, regulations and administrative provisions required to implement the Directive.
5. European Council adopts regulation easing access to corporate information for investors
On 27 November 2023, the European Council ("Council") adopted a regulation creating the European Single Access Point ("ESAP") which will ease access to corporate information for investors. ESAP will give companies more visibility towards investors, creating more financing opportunities, particularly for small companies in small capital markets.
As previously mentioned in the FIG Top 5 at 5 dated 16 November 2023, the European Parliament adopted, with amendments, the ESAP on 9 November 2023.
Next Steps
The proposal is part of the Capital Markets Union package, and the adoption by the Council closes the decision making process. The regulation creating the ESAP will be published in the Official Journal of the EU and will enter into force 20 days after its publication. It is expected that the ESAP platform will be available and gradually phased in from summer 2027.