1. Central Bank of Ireland make CCyB Rate Announcement
On 2 August 2023, the Central Bank of Ireland ("Central Bank) announced that it would maintain the current countercyclical capital buffer ("CCyB") rate on Irish exposures at a level of 1.5%, applicable from 7 June 2024.
In June 2023, the rate was increased from 1% to 1.5% as the Central Bank deemed 1.5% an appropriate level where risk conditions were neither elevated or subdued. This position is evidenced by the Central Bank's Quarterly Bulletin which suggested that the domestic economy was operating at capacity, driven by a strong labour market. Banks' capital remains strong, supported by a significant demand from first time buyers for mortgage credit.
A number of potential risks were also identified, which include rising interest rates, erosion of real incomes, and the lagged transmission of higher monetary policy rates as well as high inflation. The rate of 1.5% enables the banking sector to withstand shocks, without limiting the supply of credit to the economy. If risk conditions reflect emerging imbalances or an elevated risk environment, then the CCyB rate may rise above 1.5%. If there is a cyclical systemic risk or downturn, then the CCyB rate is expected to be reduced to assist the banking sector in absorbing loss and maintaining a lending supply to the economy.
2. Central Bank publishes Report on Data Ethics within Insurance
On 2 August 2023, the Central Bank of Ireland ("Central Bank") published a report on the results of its "Data Ethics within Insurance" research project ("Project") ("Report"). The Report is part of the Central Bank's research into how the advancements in digitalisation creates both opportunities and risks for the insurance industry.
The Project
The Project was carried out as part of the Central Bank's ongoing work on digitalisation, alongside its Digitalisation in Insurance Survey, its Consumer Protection Code review and its active contributions to EIOPA and IAIS work. These initiatives have helped to form the Central Bank's thinking in this area and its future approaches.
The Report was based on the use of BigData and Related Technologies ("BD&RT") and aims to improve understanding of how BD&RT is being used, the extent to which it is being used within the insurance industry and the ethical considerations that it raises. As part of the data collection process, 12 firms which are subject to Central bank supervision and include life, non-life, health and reinsurance participated and provided data via a survey and interviews.
Results of the Project
The Report demonstrated that the majority of firms were using BD&RT mostly for underwriting and pricing purposes, but anticipated that they would use it for sales, distribution and marketing within the next three years. The areas it was least used for included fraud detection and post after sale services and assistance, while some use was reported in product development and claims management. Reinsurers reported that they were less likely to use BD&RT than insurers.
The types of data used by the firms were:
- traditional data such as loss data, population data and demographic data; and
- non-traditional data such as geocoding and location tracking, online media data, firm's own digital data and other digital data.
The most common types of data used were traditional data, with some firms already beginning to use non-traditional data. Internet of Things data is the data type which most firms expected would expand in the next three years.
The Report confirms that the use of BD&RT is growing as traditional data sources are being combined with newer data sources. This is in keeping with EIOPA's thematic review findings which found a strong increasing trend regarding BD&RT use. To date the biggest impact of BD&RT is seen in underwriting and pricing. Within sales, distribution and marketing, the most common uses were seen in website monitoring and communication. Within claims management, the most common use was claims settlement.
Potential benefits of using BD&RT
The Project outlined a number of benefits of using BD&RT both for consumers and for firms which included:
- enhanced claims processing and resolution;
- enhanced consumer engagement;
- more personalised products, services and pricing; and
- lower administration and operational costs.
The firms were also asked to ranked which of these benefits they felt would be most important from a consumer perspective. Over half the respondents believed that enhanced claims processing and resolution would be extremely important. They also considered that enhanced customer engagement and personalisation of products and services would be important.
Potential risks and issues with BD&RT
Alongside the benefits associated with BD&RT, the Report also details a number of risks/issues which it has identified from the use of BD&RT. These include:
- issues with the use and management of data such as data accuracy, quality and completeness, data protection and privacy; and discrimination and bias;
- issues with design and use of technology such as technology performance and robustness, and lack of competent use, skill and oversight;
- accountability issues such as the lack of clear roles and responsibilities within the firm, and the lack of understanding at board levels;
- outsourcing issues such as third party dependencies, new interdependencies, lack of appropriate controls and governance, concentration risk, and systemic and security risks; and
- cyber and security issues such as increased capacity for cyber-attacks.
Additionally, the Report highlighted the importance of adequate management and governance of data, particularly involving the risks surrounding consent for data use and a lack of understanding about how data is used. It also indicated that existing processes and controls for data management need updating and those who use this data need to further develop their skills.
Governance Risks
The Project also considered how data ethics specifically was being incorporated within the governance and risk management system of firms. The Report suggests that larger firms, which are part of a group, may have more developed systems in place to deal with ethics, governance and risk management.
When dealing with third parties, the Report found that GDPR was relied on to cover all ethical matters, with no explicit consideration of data ethics. The Central Bank stressed that ethical matters need to be more explicitly considered, and that engagement at board and senior management level is essential. This consideration must go far beyond existing compliance requirements. To achieve this, there must be transparent BD&RT responsibilities to prevent accountability issues.
Consumer Risks
Five main consumer risks were identified in the Report. They included:
- lack of explainability or transparency;
- data management, privacy and exclusion;
- human autonomy;
- lack of human oversight; and
- unfairness and discrimination (suitability, affordability and availability, exclusion and bias).
The areas identified as having potential to have the biggest impact on consumers were pricing and risk assessment, followed by advertising and personalised offerings. The Central Bank flagged a number of existing consumer protection requirements and other guidance which seek to mitigate many of these risks including Solvency II, Consumer Protection Code and EIOPA's AI Governance Principles. The Report identifies a number of possible risks that may occur if there is inadequate guidance such as lack of explainability, marginalisation, discrimination or unfair treatment of customers, inappropriate sales and risk to the principle of pooling.
These risks may increase, given the anticipated growth in BD&RT over the next three years. Firms should ensure that their practices consistently provide fair outcomes for consumers, and that consumers can engage in-person with the firm where necessary.
Conclusion
The Report indicates that for many firms BD&RT is still at an early stage of maturity as future plans for BD&RT are still at the development stage. While some risks has been integrated into firms' governance systems, there is more that needs to be done in terms of consumer protection, particularly regarding data ethics, to ensure adequate protection as the use of BD&RT increases in the sector over time. This viewpoint is echoed in the OECD's AI principles and the requirements for governance and risk management set out in Solvency II.
The Central Bank set out specific publications and developments at a European and international level which firms "could benefit from considering as they continue to, and further broaden out their use of BD&RT."
As the integration of BD&RT in the insurance sector develops, the Central Bank has emphasised the need for the consumer to remain firms' central focus and for there to be careful ethical considerations. This should include assessing the risk of bias or unfair treatment and misuse of data.
3. European Commission adopts a list of essential services in the sectors covered by the Critical Entities Resilience Directive which includes certain financial services
On 25 July 2023, the European Commission ("Commission") adopted a list of essential services in the eleven sectors contained within the Critical Entities Resilience Directive ("Directive") which entered into force on 16 January 2023.
Background
The Directive applies to critical entities in multiple sectors including banking and financial market infrastructure and was introduced as part of the Commission's aim to improve resilience against online and offline threats.
Essential Services
Critical entities are those which provide essential services which are crucial to the maintenance of vital societal functions, economic activities, public health and safety, and the environment. The Commission has put forward a non-exhaustive list of services for the eleven sectors covered by the Directive. Of interest to financial services are the following:
- Banking sector:
- taking deposits (credit institutions); and
- lending (credit institutions).
- Financial market infrastructure sector:
- operation of trading venues (operators of trading venues); and
- operation of clearing systems (central counterparties).
Once the list is adopted, Member States will use the list of essential services to carry out risk assessments, which will then be used to identify the relevant critical entities. Impacted critical entities must then take actions to improve their resilience. The deadline for identifying the critical entities is 17 July 2026.
It should be noted however that the Directive has a minimum harmonisation approach and therefore Member States may add additional essential services at national level.
Next Steps
If neither the European Parliament or the European Council object to the Commission's delegated act within a two month period from 25 July 2023, or if within that time, they inform the Commission that they do not intend to make an objection, then the delegated act will enter into force. However, the European Parliament or Council make extend this period for a further two months.
4. European Banking Authority publishes a report on its mystery shopping exercise into personal loans and payment accounts
On 8 August 2023, the European Banking Authority ("EBA") published a report ("Report") on its mystery shopping exercise into personal loans and payment accounts which it carried out in 2023 ("Exercise"). The Exercise involved five national competent authorities ("NCAs") and 37 financial institutions ("Firms") across the across participating Member States, both onsite and online. The identity of the NCAs were not revealed.
Legal Basis
Under Article 9(1) of the EBA Founding Regulation, the EBA is required to coordinate mystery shopping exercises and this Report is the fourth and final step in fulfilling its mandate. The aim of mystery shopping is to enable NCAs to gain further insight into Firm's conduct and introduce measures which will help to ensure that requirements are met and to enhance consumer protection. The Exercise focused on the pre-contractual stages of obtaining personal loans and payment accounts (making adjustments to the Exercise depending on national laws).
Key Findings
Personal Loans
Some of the key issues that were identified in the pre-contractual stages were:
- provision of pre-contractual information was found to be inadequate;
- the credit amount was increased to include bank fees without obtaining the customer's explicit consent;
- in some Member States, less information was provided online than onsite; and
- information given over the phone was more detailed than information given via email.
In most cases, written information was provided at the first visit. As this was the pre-contractual stage, no contracts were signed, so it is unclear whether those Firms which provided no, or only oral information would have provided it "in good time before the consumer is bound by any credit agreement or offer". There is no legal definition of "good time", but providing information at the first meeting would be considered good practice. Consequently, it was concluded that providing information when the signing of the contract was imminent would not be considered good practice.
In addition, it was noted that some Firms required the applicant to have a bank account before accessing a personal loan, while others did not, but none proposed other products such as a debit/credit card where opening a bank account was required. Where insurances were mandatory, the mystery shopper was offered the insurance proposed by the Firm, and was rarely informed that they could also purchase it from another provider.
Payment Accounts
In some Member States, the mystery shoppers also requested information to open a payment account and a number of observations were made:
- payment accounts with basic features were only offered in 11% of cases;
- credit institutions presented the entire payment account portfolio more often than e-money institutes;
- when shopping online, e-money institutes did not mention anything about personal information being needed before opening a payment account in over half of the visits; and
- 63% of onsite Firms and 69% of online Firms did not provide the Fee Information Documentation ("FID") required by Directive 2014/92 - EU Payment Accounts Directive (PAD).
Article 13 of Directive 2015/849 – 4 Money Laundering Directive, requires that customers provide identity documents to protect against money laundering. A request meeting this obligation was seen more commonly in onsite Firms where mystery shoppers were required to provide ID, name, age, payslips or working contracts or a minimum deposit, and over half were questioned about residency and their financial circumstances. No information about personal information being needed to set up an account was mentioned to mystery shoppers in over half of the visits carried out online, particularly when communicating via online chat.
Almost two-thirds of mystery shoppers did not receive FID required by PAD. Credit institutions provided the information more frequently than e-money institutes, particularly online.
Next Steps
Overall the Report found that mystery shopping is a useful exercise, which enables Member States to assess whether the information required by law is being provided to customers, particularly at the pre-contractual stage. In addition to the observations set out above, the Report also suggested a number of steps that the participating NCAs can take as a follow up to the Exercise:
- communicate and emphasise the importance of a consistent approach to the provision of information of pre-contractual information particularly onsite and online;
- investigate the conduct of increasing the total credit amount without explicit consent from the consumer and the specific requirements to obtain a loan;
- investigate the provision of pre-contractual documentation "in good time";
- introduce bilateral contracts with Firms to explain the conclusions of this exercise; and
- introduce guidance or supervisory actions if needed.
5. European Banking Authority Consultation Papers
Consultation on Revised Guidelines on the Specification and Disclosure of Systemic Importance Indicators
On 1 August 2023, the European Banking Authority ("EBA") launched a public consultation ("Consultation") on amendments to the annex ("Annex") of the Guidelines on the Specification and Disclosure of Systemic Importance Indicators ("Guidelines"). The amendments aim to replicate the data template issued by the Basel Committee on Banking Supervision ("BCBS") annually.
In identifying globally systemically important institutions, the EBA follows the BCBS' approach for identifying global systemically important banks. The BCBS updated their template in January 2023, based on end-2022 business year data. In order to ensure consistency between internationally agreed templates and the EU regulatory framework, the Annex should be updated in light of these changes. In addition, the last review of the Guidelines introduced a new section on cross-jurisdictional indicators, and these new Guidelines will provide further clarification 'on which relevant cross-jurisdictional indicators concerning SRM jurisdictions should be used for identification, and hence, reported and disclosed, without being considered "memorandum" nor "ancillary" items or indicators for the EU'.
Next Steps
The consultation period will last for one month, until 1 September 2023, as these Guidelines were expected and are limited and technical in nature. The Guidelines will then be translated into the official EU languages and published on the EBA website and competent authorities must report compliance within two months of publication.
European Banking Authority publishes consultation paper on Draft Regulatory Technical Standards on extraordinary circumstances for the continued use of an internal model
On 3 August 2023, the European Banking Authority ("EBA") published a consultation paper for Draft Regulatory Technical Standards ("RTS") on extraordinary circumstances for continuing the use of an internal model or discarding certain back-testing overshootings under Article 325az(9) of the Capital Requirements Regulation ("CRR").
Article 325az(9) requires the EBA to "specify the extraordinary circumstances under which competent authorities can soften or waive the application of certain requirements for the use of internal models for market risk". The draft RTS details a high-level framework which sets out conditions and indicators which can be used when identifying whether a situation is to be considered one of the exceptional circumstances.
The draft RTS specifically state that only two situations will be considered as extraordinary circumstances:
- cross-border financial market stress; and
- a regime shift.
These situations must also impact the validity of the results of the back-testing or profit and loss attribution test, in order to be considered one of extraordinary circumstances. In addition when assessing if the stress or regime meets the criteria, they must assess
- the nature of the stress or regime;
- the levels of volatility, and whether they exceed the levels observed during the Covid-19 pandemic and the global financial crisis; and
- how quickly the stress or regime shift happened.
Next Steps
The consultation will remain open for responses until 3 November 2023.