In this News Update special on FinTech, we discuss the most recent developments in this area, including publications of the European Supervisory Authorities (“ESAs“) and the Basel Committee on Banking Supervision (“BCBS“) on digitalisation and financial technology. We also highlight some other Financial Regulatory publications issued last month.
Legislators and supervisors have regulated several new FinTech sectors after an initial relatively laid-back approach of referring to the overall existing framework and its application (e.g. to cloud services). These sectors include part of the crypto sector and payment services (mainly digital) and are focusing now on reducing risk in targeted areas. Apart from some limited regulatory developments, it appears that the supervisory priority is that all financial institutions upgrade practices and operational risk management to best practices. How to accommodate this focus into innovative business plans can be challenging even for licensed financial institutions and financial sector FinTech market entrants. Where non-financial enterprises drift into regulated areas, delays can occur while obtaining regulatory licenses or establishing a cooperation with a licensed service provider. We look forward to discussing this with you, including current options and the preparation for what is likely to be stricter binding requirements in cross-border market access or governance.
ESAS | CALL ON FINANCIAL INSTITUTIONS TO ADAPT TO INCREASING CYBER RISKS
On 8 September 2021, the ESAs issued their second joint committee report on risks and vulnerabilities. The report highlights the increasing vulnerabilities across the financial sector, the rise seen in terms of cyber risk and the materialisation of event-driven risks.
On cyber risk, the report states that the use of ICT at financial institutions and by their customers have rapidly increased, and that the COVID-19 pandemic has accelerated digital transformation in the financial sector. Increasing reliance on digital solutions has also expanded the opportunities for cyber attackers, for whom the financial sector already was a key target before the pandemic. Financial institutions and supervisors rank cyber risk among the most important operational risks. The ESAs note that the costs of cyber incidents coupled with a tightening in data protection regulation across the world could boost cyber insurance demand.
The bill on digital operational resilience (“DORA“), building on the ESAs joint advice on ICT, intends to create a comprehensive framework on digital operational resilience for EU financial institutions and consolidate and upgrade ICT risk requirements in various financial services legislation. DORA also introduces an EU oversight framework to address the lack of appropriate oversight powers to monitor risks stemming from ICT third-party service providers, including concentration and contagion risks for the EU financial sector.
With regard to digitalisation, the ESAs further note that materialisation of event-driven risks (such as GameStop, Archegos, Greensill), as well as rising prices and volumes traded on crypto-assets, raise questions about increased risk-taking behaviour and possible market exuberance.
EBA | RAPID GROWTH IN USE OF DIGITAL PLATFORMS IN THE BANKING AND PAYMENTS SECTOR
On 21 September 2021, the European Banking Authority (“EBA“) published its Report on the Use of Digital Platforms in the EU banking and payments sector. The EBA has noticed a rapid growth in the use of digital platforms to connect customers and financial institutions, a trend expected to accelerate in line with the wider trend towards the digitisation of the EU financial sector. The use of digital platforms presents a range of potential opportunities for EU customers and financial institutions. However, new forms of financial, operational and reputational interdependencies are emerging and the EBA has identified steps to strengthen supervisory capacity to monitor market developments.
The EBA plans on helping supervisors in 2022 to deepen their understanding of the opportunities and risks of platform-based business models by developing standard questionnaires for regulated financial institutions on digital platform and enabler use and sharing information about financial institutions’ reliance on digital platforms and enablers to facilitate coordinated EU-wide monitoring. The EBA also plans to continue its efforts to foster the sharing of supervisory knowledge and experience about digital platforms and enablers to enhance effective dialogue between supervisors, consumer protection, data protection and competition, including actions under the coordination of the EBA’s FinTech Knowledge Hub.
BCBS | NEWSLETTER ON CYBER SECURITY
On 15 and 20 September 2021, the BCBS held meetings where it assessed risks and vulnerabilities to the global banking system and discussed supervisory and policy initiatives. After these meetings, the BCBS published a newsletter on cyber security on 20 September 2021, calling on banks to improve their resilience to cyber threats.
The BCBS observes that cyber threats and incidents, such as ransomware attacks, have emerged as a growing concern for the banking sector over the past several years, posing risks to the safety and soundness of individual banks and the financial system’s stability. These concerns increased since the onset of the COVID-19 pandemic, due to remote working arrangements and increased provision of financial services using digital channels. The BCBS believes that cyber security measures should consider operational dependencies on third-party service providers. Earlier, the BCBS issued two documents related to operational risk and operational resilience: the revised Principles for the Sound Management of Operational Risk (“PSMOR“) and the Principles for Operational Resilience (“POR“). The PSMOR were revised in part to take better account of the operational risks associated with information and communication technology, including vulnerability to cyber threats. In addition, as set forth in the POR, in today’s environment a key component of banks’ operational resilience is resilience to cyber incidents, including those that may arise from outsourcing arrangements. The BCBS deems that attaining resilience requires banks to identify and protect themselves from threats and potential failures and that they must also respond and adapt to, as well as recover and learn from, disruptive events to minimise their impact on the delivery of operations, particularly critical operations.
The BCBS believes that it is important for all banking authorities to encourage the institutions they oversee to adopt tools, effective practices and frameworks, including provisions for testing their efficacy, for cyber risk management that are aligned with widely accepted industry standards. Adopting such approaches will allow banks to better identify, assess, manage and mitigate their exposures to cyber risks, including those arising from third-party service providers. The BCBS further believes that in the current environment, banks must continually strive to improve their resilience to cyber security threats and incidents.
OTHER FINANCIAL REGULATORY PUBLICATIONS
We have highlighted a selection of other publications by legislatures and regulators for the financial markets and financial supervision in September 2021.
- The Dutch Authority for the Financial Markets (“AFM“) and the Dutch Central Bank (De Nederlandsche Bank) announced (only in Dutch) that they have appointed two confidential advisers for members of management boards and members of supervisory boards at supervised entities who are assessed for fitness and propriety.
- The AFM published a report on the implementation of the Sustainable Finance Disclosure Regulation (only in Dutch).
- The European Central Bank published the results of its economy-wide climate stress test.
- The EBA published its revised Guidelines on the stress tests conducted by national DGSs under the Deposit Guarantee Schemes Directive, its final Guidelines specifying the criteria to assess the exceptional cases when institutions exceed the large exposure limits and the time and measures to return to compliance, its 2021 Funding Plans Report, and its regular monitoring report of the full implementation of the final Basel III (2028) reforms in the EU.
- The European Insurance and Occupational Pensions Authority published its criteria for assessing the independence of supervisory authorities.
- The European Securities and Markets Authority (“ESMA“) launched consultations on the review of the MiFID II framework on best execution reports and on the review of certain aspects of the Short Selling Regulation. ESMA also published its second Trends, Risks and Vulnerabilities Report of 2021, its MiFID II/MiFIR review report on algorithmic trading and its 2022 Annual Work Programme.
- The Single Resolution Board published an update on its approach on prior permissions for eligible liabilities.
- The BCBS published its Basel III Monitoring Report.
- The European Commission adopted a comprehensive review of Solvency II, consisting of a bill amending the Solvency II Directive, a communication on the review of the Solvency II Directive, and a bill on a new Insurance Recovery and Resolution Directive.
Compliments of Houthoff – a member of the EACCNY.