Regulatory Update: what to take into account in Q3 2023?

With the help of compliance software Ruler, Projective Group closely monitors the developments in financial legislation. We determine the impact of upcoming changes and translate them into the daily practice of our clients.

Which developments should you take into account? Every quarter, we provide a structured overview of the regulatory changes and their consequences for financial institutions in our Regulatory Updates. In this blog, we list a number of focus areas for Q3 2023.

Retrospective: What laws and regulations have recently come into effect?

• On April 1, 2023, the Policy Rule on Suitability 2022 came into effect.
• On June 19, 2023, the EBA Guidelines on common procedures and methods for review and evaluation processes by the supervisor according to IFD became came into effect.
• On June 20, 2023, the EDPB adopted Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR).

Modification of the Standard Model for Information Provision

The standard model for information provision for premium pension institutions and pension insurers has been modified. The new standard model was established on April 4, 2023. The main improvements are as follows:

• In block 2, the text about the pros and cons of variable benefits has been balanced.
• In block 6, the oscillation meter has been replaced with the decline meter, and the scaling of the meter has been adjusted.
• In block 6, the texts and visualization have also been adapted to match the decline meter.

The new model will come into effect on September 1, 2023.

Proposal for ITS standardised information requirements regarding non-performing loans (NPLs)

In 2022, the European Banking Authority (EBA) consulted on a proposal for standardised information requirements to support the sale of non-performing loans (NPLs). After the consultation, the EBA submitted a draft of these standardised information requirements to the European Commission (EC).

The consultation involved proposing technical implementation norms (ITS) to establish the requirements for providing information to potential buyers of NPLs. The information includes details about:

• the counterparts related to the NPL;
• the contractual characteristics of the loan itself;
• any provided collateral and guarantees with their corresponding enforcement procedures;
• and the historical collection and repayment schedule of the loan.
• This information is provided in templates.

The draft ITS also consider the principle of proportionality by setting different information requirements depending on the size of the NPL, specifying mandatory and non-mandatory data fields, and considering a different scope of data fields related to the nature of the borrower (individual or corporation) and the loan (secured or unsecured). The goal of these ITS is to improve the functioning of the secondary markets for NPLs.

The EC must adopt and publish the draft ITS, which will come into effect 20 days after the publication. The expectation is that the implementation regulation will come into effect in the second half of 2023.

EBA Guidelines for effective management of AML/CFT-risks when providing access to financial services

Between December 2022 and February 2023, the EBA consulted on guidelines for effective management of anti-money laundering and counter-terrorism financing risks when providing access to financial services. Shortly after the consultation, on March 31, 2023, the banking authority published the new guidelines.

The EBA aims to ensure that customers of AML/CFT institutions are not denied access to financial services without valid reasons.

With these guidelines, the EBA aims to ensure that customers of AML/CFT institutions, particularly the most vulnerable, are not denied access to financial services without valid reasons. The guidelines address situations where (vulnerable) clients may not be able to present traditional forms of identity documents for valid reasons and how institutions should handle such cases. It also outlines the steps institutions should take when considering refusing or terminating a business relationship based on ML/TF risk. AML/CFT institutions dealing with vulnerable customers must assess whether their internal processes need to be adjusted.

The guidelines need to be translated and will come into effect three months after their publication. This is expected to be by the end of 2023 or early 2024.

Revision of AIFMD and amendment of UCITS Directive

In late 2021, the EC proposed a revision of the Alternative Investment Fund Managers Directive (AIFMD), which also includes changes to the Undertakings for the Collective Investment in Transferable Securities (UCITS) Directive.

Negotiations on the final regulations were ongoing at the beginning of the year. According to the AIFMD, a manager may not operate an alternative investment fund or offer its units to investors without a licence. The requirements for such a licence are stringent. While the existing AIFMD achieves its objectives, the EC believes that it can be improved. The EC evaluated the AIFMD and intends to amend it, focusing on:

• delegation arrangements;
• liquidity risk management;
• supervisory reporting;
• the provision of custody and depositary services; and
• the provision of loans by alternative investment funds.

Requirements from the AIFMD and the UCITS Directive will also be more harmonised.

The revised AIFMD and UCITS Directive will come into effect no earlier than mid-2025, taking into account national implementation.

Level 2 regulation DORA

On November 28, 2022, the Council adopted the Digital Operational Resilience Act (DORA). There are already (European) rules regarding cyber risks, but they are limited and fragmented, leading to inconsistencies in legislation between member states and unnecessary costs. With DORA, the EC aims to implement a unified legislative framework.

DORA will impose requirements on financial organisations regarding IT risk management, IT incidents, periodic tests of digital resilience, and risk management when outsourcing to (critical) third parties. These requirements will be tailored based on the size, risk profile, and system importance of individual organisations.

On June 19, 2023, the first set of draft technical standards under DORA was submitted for consultation by the ESA’s (European Supervisory Authorities) (four draft RTS and one draft ITS). This consultation period runs until September 11, 2023:

• RTS on ICT risk management framework and RTS on simplified ICT risk management framework;
• RTS on criteria for classifying ICT-related incidents;
• RTS to specify the policy on ICT services performed by third ICT suppliers; and
• ITS to establish templates for the information register.

These technical standards aim to provide a consistent and harmonised legal framework for ICT risk management, reporting of severe ICT-related incidents, and ICT risk management by third parties. A total of 13 delegated regulations will be introduced.

The lower (level 2) regulation is expected to be applicable from 2025.

What other upcoming laws and regulations should you be aware of?

In our next Regulatory Update article, we will explain the following developments in more detail:

• Regulation for a financial data access framework (FIDA)
• PSD2 revision (PSD3 and PSR)

Tailor-made Regulatory Updates

Do you want to make sure not to overlook any developments? Then you can request a tailor-made Regulatory Update.

We hope this article has given you an idea of the regulatory changes in Q3 2023. Do you want to make sure not to overlook any developments? Then you can request a tailor-made Regulatory Update (available in Dutch and English). Each quarter you will receive a comprehensive report with current developments, legislative changes, publications by regulators and consultations. This report will be fully tailored to your organisation and activities. This way, you will never be faced with unpleasant surprises.

About Projective Group

Established in 2006, Projective Group is a leading Financial Services change specialist. With deep expertise across practices in Data, Payments, Transformation and Risk & Compliance.

We are recognised within the industry as a complete solutions provider, partnering with clients in Financial Services to provide resolutions that are both holistic and pragmatic.  We have evolved to become a trusted partner for companies that want to thrive and prosper in an ever-changing Financial Services landscape.