Legal development

Financial Services SpeedRead 3 March 2025 edition

03 March 2025

Share Share
Panels in the sunshine
Share

    Welcome to the latest edition of the Financial Services SpeedRead, a collection of bite-sized updates designed to help you keep on top of key regulatory developments in financial services over the preceding fortnight.

    Please get in touch if you want to explore any of the topics covered in this fortnight's edition of Financial Services SpeedRead in more detail.

    Financial Markets 

    1.  ESMA publishes draft technical standards on the CSDR

    On 20 February 2025, ESMA published three final reports containing draft technical standards under the Central Securities Depositories Regulation (EU) No 909/2014 (CSDR). 

    The reports cover the following topics:

    • information notified by third-country central securities depositories (CSDs), see report here. In this report, ESMA sets out proposals to streamline the information required to be notified by third country CSDs;
    • criteria under which the activities of a CSD in a host Member State could be considered of substantial importance for the functioning of the securities market and the protection of investors, see report here; and
    • review and evaluation process of EU CSDs with a view to introducing new reporting requirements, see report here. In this report, ESMA proposes new reporting requirements to ensure the harmonisation of existing reporting requirements across the EU.

    The three reports have been submitted to the European Commission for adoption. The European Commission has three months to decide whether to endorse the proposed amendments.

    2. UK Government response to Accelerated Settlement Taskforce report

    On 19 February 2025, the UK Government published a response to a report produced by the Accelerated Settlement Technical Group (ASTG), which recommends that the UK shift to faster settlement of securities trades by the end of 2027.

    The key recommendation in the report is that the Government bring forward secondary legislation, to change the current T+2 requirement under the UK Central Securities Depositories Regulation to a T+1 requirement, which the Government has accepted and "intends to implement."

    The first day of trading under a T+1 standard is proposed for 11 October 2027. ASTG will oversee the Government's implementation of the recommendations in the report until completion of the T+1 transition.

    3.  ESMA publishes consultation paper proposing amendments to the RTS on settlement discipline under CSDR

    On 13 February 2025, ESMA published a consultation paper on settlement discipline under Delegated Regulation amending Commission Delegated Regulation (EU) 2018/1229, which supplements the CSDR.

    The proposals aim to improve settlement efficiency in various areas, through: 

    • the use of electronic, machine-readable allocations and confirmations in accordance with international standards;
    • the implementation of hold and release and partial settlement by all central securities depositories (CSDs); 
    • requiring CSDs to report top failing participants and publish information on settlement fails; and
    • reduced timeframes for allocations and confirmations.

    The consultation paper was released in line with the roadmap outlined in ESMA's report on Shortening the Settlement Cycle (see our previous Financial Services SpeedRead entry on this here) and taking into account the transition to T+1 settlement in the European Union. 

    The consultation closes on 14 April 2025, and ESMA expects to publish a final report and submit draft RTS to the European Commission by October 2025.

    4.  PRA publishes policy statement on streamlining firm-specific capital communications (PS2/25)

    On 12 February 2025, the PRA published policy statement PS2/25, containing final rules simplifying the regulatory process and communications used to set Pillar 2A capital, the systemic buffers, and the additional leverage ratio buffer (ALRB), following the PRA's consultation paper published in September 2024.

    Amendments set out in the policy statement include:

    • amending the 'Capital Buffers' part of the PRA Rulebook to reflect any Pillar 2A capital and systemic buffers set by the PRA (the current rules only refer to Pillar 1 capital), to ensure that these are included when set in the rules around capital conservation and maximum distributable amount restrictions;
    • amending the Leverage Ratio – Capital Requirements and Buffers, Disclosure and Reporting Parts of the PRA Rulebook to set out the ALRB requirements and include the calculation methodology (as the current rules provide for these requirements separately, rather than in the PRA Rulebook itself); and
    • making consequential amendments to the PRA Rulebook, SS31/15 and SS45/15.

    The policy statement and rules therein will take effect on Monday, 31 March 2025. The amendments will not impact firms' capital requirements, and firms are not required to take any specific actions to implement the changes. 

    5. FCA publishes updated webpage on UK MiFID transparency calculations

    On 11 February 2025, the FCA updated its webpage on UK MiFID transparency calculations to record the publication of the latest UK quarterly liquidity assessment for bonds, applicable between 16 February and 15 May 2025, and accessible via the FCA Financial Instruments Transparency System.

    Banking and Prudential

    6.  EBA publishes final draft ITS on CRR3/CRD6 to implement a centralised EBA Pillar 3 data hub

    On 12 February 2025, the EBA published final draft implementing technical standards (ITS) setting out IT solutions and processes to be followed by large and other institutions when submitting Pillar 3 disclosures. The draft ITS for small and non-complex institutions (SNIs) will be subject to a separate consultation, intended to be launched in the first half of 2025.

    The ITS have been published as part of the EBA's mandate under the Capital Requirements Regulation (CRR) and Capital Requirements Directive (CRD) to implement a "Pillar 3 data hub", which will centralise prudential disclosures by institutions through a single electronic access point on the EBA website. 

    The ITS detail the IT solutions and processes to be followed by large and other institutions when submitting their respective Pillar 3 disclosures, including the IT solutions to be used, the data exchange formats to be considered, and the technical validations to be performed by the EBA. 

    Firms will benefit from a transition period for the information with disclosure reference dates from June to December 2025. The EBA will provide additional detailed information to the submitters of Pillar 3 information in the onboarding communication plan, which it expects to publish by the end of Q1 2025. 

    7.  European Commission publishes call for evidence on the prudential treatment of short-term securities financing transactions 

    On 11 February 2025, the European Commission published a call for evidence concerning a proposed regulation to amend the CRR. 

    The proposed amendment would permanently instate the current transitory treatment of short-term securities financing with financial customers for the calculation of the net stable funding ratio. The aim is to ensure an international level playing field in the treatment of short-term securities financing transactions. 

    The feedback period opened on 10 February 2025 and closes on 10 March 2025.

    Fund Management

    8.   ESMA launches common supervisory action with NCAs on the compliance and internal audit functions 

    On 14 February 2025, ESMA published a press release stating that it has launched a common supervisory action (CSA) with NCAs in relation to the compliance and internal audit functions of UCITS management companies and AIFMs across the EU.

    The CSA aims to assess to what extent UCITS management companies and AIFMs have effective compliance and internal audit functions that are adequately staffed and have the knowledge and expertise required to perform their regulatory duties. 

    The CSA will be conducted throughout 2025 in accordance with a common assessment framework developed by ESMA. NCAs will collaborate with ESMA to share knowledge and experience in terms of how they supervise the compliance of UCITs management companies and AIFMs with the relevant regulatory rules.

    ESMA will publish its final report in 2026. 

    9.  FCA sets out expectations for authorised fund applications  

    On 14 February 2025, the FCA published a document setting out its expectations for applications from firms applying for collective investment schemes to become authorised funds and related guidance, including as to the general application process and more detailed aspects for specific types of funds. 

    On the same day, the FCA also updated its webpage on fund authorisation applications to reflect the publication of its expectations document.

    Senior Managers and Governance

    No new entries.

    Financial Crime

    10.  UK Finance issues failure to prevent fraud guidelines for 2023 Economic Crime Act

    On 11 February 2025, UK Finance published guidance for the financial services sector on the failure to prevent fraud (FtPF) offence within the Economic Crime and Corporate Transparency Act 2023.

    This document provides sector-specific guidance regarding the interpretation of the FtPF offence and offers examples of (i) reasonable prevention procedures; and (ii) situations where it would be unreasonable for a firm to have such procedures in place.

    This guidance is not exhaustive, and firms are not obligated to specifically take this guidance into account when formulating their own approach to addressing the offence or enforcing reasonable prevention procedures. UK Finance also emphasises that its guidance does not limit the prevention procedures or circumstances that a firm can use to defend against the FtPF offence.

    11. FCA updates webpage on cryptoasset AML/CTF regime applications feedback

    On 11 February 2025, the FCA updated its webpage on good and poor quality applications for the cryptoasset AML/CTF regime to refresh its registration statistics for the amount of applications received and their final outcome (i.e. registered, rejected, withdrawn or refused), as at 9 February 2025.

    In the past month, 1 application has been granted and 1 has been withdrawn. This brings the total number of firms registered in since January 2020 to 50, representing 14% of all applications received by the FCA.

    Retail Services

    No new entries.

    Digital Finance and Fintech

    12.  RTS and ITS in relation to MiCA published in the Official Journal of the European Union

    On 20 February 2025, new RTS, (Commission Delegated Regulation (EU) 2025/303), and ITS, (Commission Implementing Regulation (EU) 2025/304), supplementing MiCA were published in the OJEU. In summary:

    • the RTS specifically provides for the information to be included by certain financial entities in relation to the notification of their intention to provide cryptoasset services; and
    • the ITS sets out standard forms, templates and procedures for the above notification.

    The RTS and ITS will come into force on 12 March 2025.

    13. FCA and PSR publish Feedback Statement on big tech and digital wallets

    On 19 February 2025, the FCA published a Feedback Statement (FS25/1) and accompanying letter to the Competition and Markets Authority (CMA) assessing the usage and impact of digital wallets

    The FCA found that the proportion of card transactions using a digital wallet increased significantly from 8% in 2019 to 29% in 2023 and that approximately 20% of card users used a digital wallet for over 50% of their card transactions, whilst approximately 10% used one for over 75% of their transactions. It drew three key themes from this: 

    • digital wallets represent an opportunity for growth and investment;
    • digital wallets could present an opportunity for non-card forms of payment, particularly retail transactions; and
    • there are potential competition, consumer protection and operational resilience concerns to be tackled.

    The FCA highlighted and agreed with the CMA's concerns regarding Apple and Google potentially leveraging their market power into adjacent activities. It found that Apple Pay and Google Pay are the two largest providers of 'pass-through' digital wallets in the United Kingdom.

    The FCA and PSR will continue to monitor developments and consider issues that emerge and engage with the CMA on potential competition issues.

    14. ESMA publishes consultation paper on criteria to assess knowledge and competence under MiCA

    On 17 February 2025, EMSA published a consultation paper containing guidelines on the criteria for the assessment of knowledge and competence of natural persons giving advice under the MiCA.

    The guidelines aim to ensure staff advising or giving information on crypto-assets have a minimum level of knowledge and competence, enhancing investor protection and trust in the crypto-asset markets. 

    At a high level, the draft guidelines require cryptoasset service providers (CASPs) to, among other things:

    • take sufficient steps to ensure staff know, understand and apply the CASPs internal policies and procedures to comply with MiCA, such procedures to be subject to annual review by the CASP's management body;
    • staff have the necessary knowledge and competence to understand the key characteristics and risks related to crypto-assets, crypto-asset services being offered and the markets in which they operate; and
    • comply with organisational requirements to ensure the knowledge and competence of staff is assessed, maintained and updated appropriately where relevant.

    ESMA will consider all comments received to the consultation by 22 April 2025, with a view to issuing the final report and guidelines in Q3 2025.

    Payments

    No new entries.

    ESG

    15.  ESMA publishes final technical standards on the European Green Bonds Regulation

    On 14 February 2025, ESMA published a final report setting out technical standards on Regulation (EU) 2023/2631 on European Green Bonds and optional disclosures for bonds marketed as environmentally sustainable and sustainability linked bonds (the European Green Bonds Regulation). The European Green Bonds Regulation was published in the Official Journal on 30 November 2023 (see our previous Financial Services SpeedRead entry on this here).

    The European Green Bonds Regulation empowers ESMA to develop regulatory technical standards and implementing technical standards relating to the registration and supervision of external reviewers of European Green Bonds, including:  

    • the criteria to be assessed relating to senior management, board members, and analytical resources;
    • the criteria to assess sound and prudent management and management of conflicts of interest; 
    • the criteria applicable to outsourcing of assessment activities; and 
    • standard forms, templates and procedures for the provision of registration information. 

    ESMA has submitted the draft regulatory and implementing technical standards to the European Commission for adoption. The technical standards will also be subject to non-objection by the European Parliament and Council. 

    Other

    16. Technical standards on reporting major-ICT related incidents under DORA published in Official Journal of the European Union

    On 20 February 2025, new implementing technical standards (ITS) on DORA were published in the Official Journal of the European Union, including:

    • Commission Delegated Regulation (EU) 2025/301 (see here): containing regulatory technical standards (RTS) specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats; and
    • Commission Implementing Regulation (EU) 2025/302 (see here): on implementing technical standards for the application of DORA including standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat. 

    Both ITS are intended to guide firms within scope of DORA on the reporting major ICT-related incidents, and will each take effect on 12 March 2025.

    17.  ESAs publish roadmap on designation of critical ICT third-party providers under DORA

    On 18 February 2025, the European Supervisory Authorities (EBA, EIOPA and ESMA, together the ESAs) published a roadmap regarding the designation of critical ICT third-party providers (CTPPs) by the ESAs. 

    The roadmap sets out the following timeline:

    • collection of Registers of Information: by 30 April 2025, the ESAs will collect the Registers of Information that financial entities have submitted to their respective NCA;
    • criticality assessments: by the end of July 2025, the ESAs will perform criticality assessments and notify third-party service providers of their classification as "critical". The notification will start a six-week period during which ICT third-party service providers may object to the assessment (by the first half of September 2025); and
    • final designation: by the end of 2025, the ESAs will have designated CTPPs, published the list of CTPPs and initiated oversight engagement with such designated CTPPs. 

    The ESAs plan to organise an online workshop with ICT third-party providers in the second quarter of 2025 regarding preparatory activities, the designation process, and the ESAs' oversight approach.

    18.  European Commission adopts RTS on threat-led penetration testing under DORA

    On 13 February 2025, the European Commission adopted the RTS for threat-led penetration testing (TLPT) under DORA.

    Article 26(11) of DORA mandates the European Supervisory Authorities (EBA, EIOPA, and ESMA, together the ESAs), in collaboration with the ECB, to develop joint draft RTS in line with the ECB's TIBER-EU framework. These standards aim to specify:

    • the criteria to identify which financial entities are required to perform TLPT;
    • the requirements regarding the scope of the tests, the testing methodology and the results of TLPT;
    • the requirements and standards governing the use of internal testers; and
    • the rules on supervisory and other cooperation needed for the implementation of TLPT and for the mutual recognition of testing.

    In July 2024, the ESAs published a final report with the draft RTS, which were submitted to the Commission for adoption. The Delegated Regulation, including these RTS, will take effect 20 days after its publication in the Official Journal of the European Union.

    19.  EBA publishes final report updating ICT and security risk management guidelines

    On 11 February 2025, the EBA published a final report amending its guidelines (EBA/GL/2019/04) on ICT risk and security management following the introduction of new related requirements under DORA.

    Specifically, the EBA:

    • limited the entity scope of the guidelines to only those entities covered by DORA, which includes credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions; and
    • narrowed the scope of the guidelines to focus on the requirements for managing relationships with payment service users in the context of providing payment services.

    The guidelines will still be applicable to certain types of payment service providers that are not captured under DORA and which are entitled under national law to provide payment services, such as post-office giro institutions.

    The guidelines will be translated into all official EU languages and made available on the EBA website, alongside a consolidated version. Competent authorities will have two months from the publication of the translations to report their compliance, after which point these guidelines will become effective.

    20.  Eurosystem updates TIBER-EU framework to align with DORA

    On 11 February 2025, the ECB published an article announcing that the Eurosystem has updated its European framework for threat intelligence-based ethical red-teaming (the TIBER-EU framework) in line with the regulatory technical standards introduced by DORA on threat-led penetration testing (TLPT).

    Updates to the TIBER-EU framework include:

    • alignments with DORA RTS on process steps: The process steps have been aligned with the deliverables outlined in the DORA RTS on TLPT. The strict timelines introduced by DORA RTS for completing these deliverables have now been integrated into the TIBER-EU framework;
    • mandatory purple-teaming: specifying purple-teaming (whereby red team "offensive" testers, and blue team "defensive" testers collaborate to assess an organisation's security framework) as mandatory, as prescribed under the DORA RTS;
    • terminological consistency: terminological changes have been introduced to ensure consistency with DORA, such as renaming the "White Team" to the "Control Team";
    • establishing TIBER-EU guidance documents: new TIBER-EU guidance documents have been established to facilitate the implementation of various parts of the framework and ensure secure and controlled TLPT execution; 
    • quality assessment of providers: the "Guidance for Service Provider Procurement" has been updated to include advice on assessing the quality of a provider; and
    • simplified national implementation: authorities wishing to implement TIBER-EU no longer need to publish a full national implementation guide. Instead, they can refer to the adoption of TIBER-EU documentation and publish a brief implementation document as described in the framework.

    Authors: Penny Chamberlain, Junior Associate; Tiegan Cormie, Junior Associate; Roni Fass, Junior Associate; Anjali Naik, Legal Apprentice

    Key Contacts