1. ESAs: ESAs publish final reports on first set of rules under DORA for ICT and third-party risk management and incident classification
On 17 January 2024, the European Supervisory Authorities (ESAs) published final reports on the first set of final draft technical standards under the Digital Operational Resilience Act (DORA) launched for consultation in June 2023. In some cases, changes have been made to the original drafts.
- Regulatory Technical Standards (RTS) on ICT risk management framework: identifies the key elements that financial entities subject to the simplified regime and of lower scale, risk, size and complexity would need to have in place. Changes made by the ESAs to the draft include removing the article on governance and information security awareness from the general regime requirements and clarifying aspects of network security, encryption, access control and business continuity.
- RTS on criteria for the classification of ICT-related incidents: sets out the criteria for classifying major ICT-related incidents and other major incidents, as well as the materiality thresholds for each classification criterion. These standards also detail the materiality threshold for determining significant cyber threats. Changes have been made to the classification approach.
- RTS on ICT third-party service providers (TPPs) Policy: specifies the governance arrangements, risk management and internal control framework that financial entities should have in place regarding critical or important functions provided by TPPs.
- Implementing Technical Standards (ITS) on the register of information: establishes the templates to be maintained by financial entities in relation to their contractual arrangements with TPPs. This will be used by competent authorities and the ESAs to supervise financial entities' compliance with DORA and designate critical ICT TPPs that will be subject to the DORA oversight regime.
The European Commission will review the final draft technical standards, with the objective of adopting these in the coming months.
Banking and Prudential
2. BoE (PRA): Dear CEO Letters: UK Deposit Takers and International Banks Supervision: 2024 priorities
On 11 January 2024, the PRA published two Dear CEO Letters outlining 2024 priorities addressed to UK deposit takers and international banks. A common theme underpinning both letters is the need for firms to have robust governance, risk management and controls to enable the effective and proactive identification, assessment and mitigation of risks.
In the letter addressed to UK deposit takers, the PRA identified the following key priorities for 2024:
- Credit risk: the PRA's assessment of firms' credit risk management will include a focus on how credit risk management practices have evolved in light of challenging conditions. Counterparty risk will remain a key area of focus.
- Financial resilience: ongoing assessment of firms' capital and liquidity positions and planning. Firms should reflect on 2023 bank crises and any lessons for their own risk profiles, consider changes in depositor behaviour and be proactive in relation to changes in funding conditions.
- Operational resilience: firms will need to meet the operational resilience expectations set out in Supervisory Statement 1/21 by March 2025, including demonstrating how they can remain within impact tolerances for all their important business services.
- Model risk: firms are expected to conduct initial self-assessments before the model risk management principles for banks come into force and prepare remediation plans to address identified shortcomings.
- Data risk: submitting complete, timely and accurate regulatory returns is crucial for effective supervision. The PRA will use supervisory tools if firms are not maintaining appropriate focus on regulatory reporting. Data accuracy should be a key consideration across all data types.
- Financial risks arising from climate change: firms need to develop capabilities in respect of the management of climate-related financial risks, including relevant stress scenarios.
- Resolution and recovery: largest firms will be subject to the resolvability assessment framework cycle. The PRA will work with small and medium-sized firms to improve the quality of their recovery planning.
The letter addressed to international banks identifies priorities similar to those for UK deposit takers in relation to (i) financial resilience, (ii) operational resilience and (iii) data risk. In relation to risk management and controls, the PRA notes that firms should avoid seeing risk management in terms of silos and should consider the read-across to other businesses. It also notes that counterparty credit risk and secured financing risks will remain key priorities for 2024.
3. HM Treasury: Consultation paper: Enhancing the Special Resolution Regime
On 11 January 2024, HM Treasury published a consultation paper on Enhancing the Special Resolution Regime, which was followed by a statement of support from the Bank of England (BoE).
The consultation paper sets out the government's proposed new mechanism for facilitating the use of existing stabilisation powers to manage the failures of small banks, while mitigating the risk of taxpayer funds being used to cover the costs of such failures. The mechanism will allow the BoE to use funds provided by the banking sector to cover costs associated with a resolution, including those associated with recapitalising and operating the failed bank. This will in turn provide the BoE with greater flexibility to effectively manage small bank failures.
This consultation is open to feedback until 7 March 2024.
There are no new updates for this edition.
Senior Managers and Governance
4. BoE (PRA): Final notice against Iain Hunter, former Chief Executive Officer of Wyelands Bank Plc
On 10 January 2024, the PRA issued a final notice against Iain Hunter, former Chief Executive Officer (CEO) of Wyelands Bank Plc (Wyelands) for multiple breaches by Mr Hunter of the PRA's Conduct Rules. This follows the PRA's decision to publicly censure Wyelands in April 2023 and is the first time that enforcement action has been taken against a bank CEO under the Senior Managers & Certification Regime.
The PRA has taken action against Mr Hunter as a result of his conduct whilst the SMF1 (CEO) of Wyelands, the SMF4 (Chief Risk Officer) and whilst he assumed the reporting responsibilities of the SMF2 (Chief Financial Officer). The PRA found that Mr Hunter breached the following PRA Conduct Rules between 7 March 2016 and 28 May 2020:
- Individual Conduct Rule 2: Mr Hunter failed to act with due skill, care, and diligence in performing his roles at the firm, including by failing to take appropriate steps in verifying the accuracy of a number of his statements made to the PRA;
- Senior Manager Conduct Rule 1: Mr Hunter failed to take reasonable steps to ensure the management and conduct of Wyelands' business was controlled effectively, by failing to clearly apportion responsibility for conducting analysis of Wyelands' connected parties; and
- Senior Manager Conduct Rule 2: Mr Hunter failed to take reasonable steps to ensure that Wyelands (a) had adequate systems and controls to assess and manage its connected parties' risks relating to large exposures; (b) submitted large exposures returns to the PRA which correctly aggregated its exposures; and (c) had a formal and appropriate document retention policy in line with PRA rules.
Mr Hunter was fined a total of £118,808 pursuant to section 66 of FSMA. In addition, as part of the settlement reached, Mr Hunter has given an undertaking to the PRA that he will not apply for or perform any function in relation to a regulated activity carried on by any authorised person, exempt person or exempt professional firm.
5. Council of the EU and European Parliament: Press release: Political agreement reached on proposed AML Regulation and MLD6
On 18 January 2024, the Council of the EU and the European Parliament each published a press release relating to their provisional agreement on the sixth anti-money laundering directive (MLD6) and the EU "single rulebook" regulation (AML Regulation), which form part of the package of legislative proposals to strengthen the EU's rules on anti-money laundering and countering the financing of terrorism (AML/CFT).
The new package will see all rules applying to the private sector transferred to the new AML Regulation, while MLD6 will address the organisation of institutional AML/CFT frameworks at a national level in Member States.
Amongst other things, the provisional agreement reached on the AML Regulation:
- expands the list of obliged entities to new bodies, including most of the crypto sector, traders of luxury goods and professional football clubs and agents;
- introduces specific enhanced due diligence measures for cross-border correspondent relationships for cryptoasset service providers and high net-worth individuals;
- imposes an EU-wide maximum limit of EUR 10,000 for cash payments, as well as a requirement to identify and verify the identity of a person who carries out an occasional transaction in cash between EUR 3,000 and EUR 10,000;
- harmonises and clarifies the rules on beneficial ownership; and
- requires enhanced due diligence measures to be applied to occasional transactions and business relationships involving high-risk third countries.
The provisional agreement reached on MLD6 provides for:
- uniform EU supervision, harmonising the powers taken by supervisors to ensure that obliged entities apply AML requirements;
- additional powers for financial intelligence units to analyse and detect money laundering and terrorist financing cases;
- access for competent authorities to new registers and information sources; and
- harmonised content and functioning of beneficial owners' registers at an EU level.
The text of the provisional agreements will now be finalised and presented to Member States' representatives and the European Parliament for approval. If approved, the Council and the European Parliament will have to formally adopt the texts before they are published in the Official Journal and enter into force.
6. EBA: Final Report: Extending guidelines on ML/TF risk factors to CASPs
On 16 January 2024, the European Banking Authority (EBA) published a final report including amending guidelines (Guidelines) on money laundering and terrorist financing (ML/TF) risk factors. The Guidelines extend the EBA's existing guidelines to cryptoasset service providers (CASPs), setting out ML/TF risk factors and mitigating measures for CASPs to consider.
The Guidelines:
- update the list of potential ML/TF risk factors to include risk factors specific to cryptoassets and CASPs;
- provide new sector-specific guidance for CASPs on the factors they should consider when assessing ML/TF risks associated with their business relationships; and
- explain how CASPs should adjust their mitigating actions, including through the use of advanced analytics tools like distributed ledger or blockchain analytics.
The Guidelines also include guidance for other credit and financial institutions that have CASPs as their customers or which are exposed to cryptoassets.
The Guidelines will apply from 30 December 2024. Competent authorities will be required to report on whether they will comply with the Guidelines within two months of the publication date.
7. Home Office: Guidance on money laundering reporting obligations in relation to the DAML exemption provisions introduced by the Economic Crime and Corporate Transparency Act 2023
On 10 January 2024, the UK Home Office published guidance on the new defence against money laundering (DAML) reporting exemption provisions in the Proceeds of Crime Act 2002 (POCA), as amended by the Economic Crime and Corporate Transparency Act 2023 (ECCT Act).
The ECCT Act introduced two additional reporting exemptions to the principal money laundering offences for regulated firms. The exemptions expand the circumstances in which firms can deal with suspected criminal property without submitting a DAML. The new exemptions:
- exempt a firm when it ends a customer relationship and pays away property with a value below £1,000, provided the business has complied with its existing customer due diligence duties under the Money Laundering Regulations 2017; and
- clarify the handling of mixed assets where only part of the assets are suspected to be criminal proceeds.
When using the exemptions, firms must still consider whether they need to submit a suspicious activity report (SAR) under section 330 of POCA.
The guidance explains that the exemptions can be used for the same account or customer, but not within the same transaction. It also clarifies that the mixed-property exemption will operate in parallel to the threshold exemption for transactions below the amount specified in section 339A of POCA.
The Home Office encourages firms to consider how they can apply the guidance to streamline their reporting process and maintain the effectiveness of the SARs regime.
8. FCA: Policy Statement: Temporary changes to handling rules for motor finance complaints
On 11 January 2024, the FCA published a policy statement (PS24/1) announcing temporary changes to the handling rules for motor finance complaints. The changes are being introduced in response to the high number of complaints from customers to motor finance firms claiming compensation because of historical use of discretionary commission arrangements (DCAs), which were banned by the FCA in 2021. The temporary rule changes will apply while the FCA carries out diagnostic work on the use of DCAs and determines the best approach to providing customer redress. Under the new rules:
- the requirement that firms must respond to DCA complaints within 8 weeks of receipt is paused for a period of 37 weeks; and
- the time consumers have to refer DCA complaints to the Financial Ombudsman Service is extended from 6 to 15 months (if the firm sent its final response to the complaint within the period specified in FCA rules).
The new rules came into force (without consultation) on 11 January 2024. The 8-week pause will apply to relevant complaints received by firms on or after 17 November 2023 and on or before 25 September 2024.
The FCA encourages firms to progress complaints relating to DCAs during this period, by continuing to investigate and collect evidence to help with their eventual resolution. The FCA plans to communicate a decision on its next steps by 24 September 2024 at the latest. This would include whether the FCA will consult on extending the pause or make other changes.
There are no new updates for this edition.
Digital Services and Fintech
There are no new updates for this edition.
9. EBA: Consultation paper: Draft Guidelines on the management of ESG risks
On 18 January 2024, the European Banking Authority (EBA) published a consultation paper on draft guidelines for the management of ESG-related risks in accordance with Article 87a(5) of Directive 2013/36/EU (CRD IV), as amended by the proposed CRD VI.
The draft guidelines include:
- requirements for the internal processes and ESG risk management arrangements that institutions should have in place for the identification, measurement, management and monitoring of ESG risks;
- minimum standards and reference methodologies to be developed and used by institutions to measure ESG risks; and
- requirements for CRD VI-based prudential transition plans, which aim to ensure that institutions embed forward-looking ESG risk considerations in their strategies, policies and risk management processes.
The consultation period ends on 18 April 2024 and the EBA expects to finalise the guidelines by the end of 2024. Their application date will be aligned with the entry into force of CRD VI.
10. FCA: Portfolio Letters: Crowdfunding platforms
On 15 January 2024, the FCA published two portfolio letters addressed to loan-based peer-to-peer lending (P2P) platforms and investment-based crowdfunding (IBCF) platforms.
The letters outline the harms to consumers and markets most likely to arise from the business models of P2P and IBCF platforms and the FCA's strategy to address such harms.
The FCA sets out the following supervisory priorities for P2P and IBCF platforms:
- Financial promotions: the FCA will engage with firms to ensure that the new financial promotion rules laid out in PS22/10 have been fully embedded, and intervene where weaknesses or failings are identified which result in poor consumer outcomes or the potential for harm;
- Wind-down planning and liquidity monitoring: the FCA will continue to ask firms for their wind-down plans through its supervisory work and may take action where it thinks there are insufficient levels of capital or liquid resources; and
- Consumer Duty: the FCA will use the Consumer Duty where it sees the need to intervene to prevent a harm arising or where a harm has occurred. Where necessary, the FCA will use formal tools, including restricting business activity and seeking redress for investors.
The FCA also laid out the following additional areas of focus for IBCF platforms:
- Trading Venue Perimeter Guidance: following the publication of PS23/11 on the trading venue perimeter, the FCA will continue to engage with firms to ensure they hold the appropriate permissions, and work to better understand individual business models in the portfolio (including with regard to risk to investors and risk management);
- Section 21 approvals: the FCA reminded firms that, in accordance with PS23/13, firms must submit an application for permission to approve financial promotions before 6 February 2024 to take advantage of the transitional arrangements. The FCA will continue to take swift action where it identifies a risk of harm to consumers from poor financial promotions; and
- Public Offer Platform: the FCA is developing rules on the Public Offer Platform regime following the publication of Engagement Paper 5. The regime will allow the FCA to set specific rules for types of public offers of securities that are not admitted to a public market. The goal of the FCA is to expand the opportunities available to retail investors, while ensuring that they understand the risks they are taking, and the regulatory protections available.