9 August 2024

FIG Top 5 At 5 - 01/08/2024

Matheson

1. ESAs publish final report on draft RTS on the sub-contracting of ICT services supporting functions under DORA

On 25 July 2024, the Joint Committee of the European Supervisory Authorities ("ESAs") published its final report on the draft regulatory technical standards ("RTS") setting out the components a financial entity must identify and examine when subcontracting ICT services supporting critical or important functions, as mandated by Article 30(5) of Regulation (EU) 2022/2554 ("DORA").

In alignment with DORA, the draft RTS sets out the requirements relating to the use of subcontracted ICT services supporting critical or important functions, or material parts of those functions, by ICT third-party service providers authorised by financial entities, along with the conditions applicable to such subcontracting, which are set out in section 4 of the report.

Specifically, the draft RTS requires financial entities to:

  • examine the risk involved with subcontracting throughout the precontractual stage, including the due diligence process; and
  • implement, monitor and manage the contractual arrangements relating to the subcontracting conditions for the use of ICT services, to guarantee that financial entities can monitor the entire ICT subcontracting chain of ICT services supporting critical or important functions.

Section 6 contains the ESAs' analysis, accompanied by a summary of the responses received to the consultation initiated in December 2023, specifying any amendments made to the RTS as a result. According to the ESAs, the main areas of focus in the responses were as follows:

  • proportionality;
  • monitoring of the subcontracting chain;
  • imposing requirements on ICT third party service providers;
  • termination; and
  • the transition period.

Next Steps

The ESAs will submit the draft RTS to the European Commission for adoption.

2. Commission proposes to postpone by one year the market risk prudential requirements under Basel III in the EU

On 24 July 2024, the European Commission ("Commission") adopted a Delegated Regulation amending the Capital Requirements Regulation (575/2013) ("CRR") which delays the implementation of the part of Basel III relating to the date of application of the own funds requirements for market risk (the Fundamental Review of the Trading Book ("FRTB") introduced by Basel III).

According to Article 461a of the CRR, as amended by the CRR III Regulation, the Commission is required to monitor the international implementation of the Basel III FRTB standards across all jurisdictions. Article 461a of the CRR also empowers the Commission to adopt delegated acts to ensure a level playing field if there are significant deviations in implementation by third countries. The Commission has found that some jurisdictions, such as Canada and Japan, have implemented the standards, while others, such as the United States, have fallen behind, with uncertainty as to timelines and possible deviations in implementation.

The Commission envisages that the implementation date in the United States is likely to be January 2026 at the earliest; the Commission has therefore recommended that the application of the FRTB standards be postponed by one year. Mairead McGuinness, Commissioner for Financial Services, Financial Stability and Capital Markets Union, affirmed the Commission's decision and described it as necessary "to preserve the international level playing field for EU banks". The current market risk requirements will remain applicable until the postponed application date.

The delegated act has been adopted in accordance with the mandate received by the Commission from the European Parliament and Council.

Next Steps

The European Parliament and the Council of the EU will now examine the Delegated Regulation for a period of three months. Subject to this, the Delegated Regulation will enter into force on the day after its publication in the Official Journal of the European Union. The current market risk requirements will remain applicable until 1 January 2026.

3. ECB consults on governance and risk culture

On 24 July 2024, the European Central Bank ("ECB") published a draft guide ("Guide") on governance and risk culture for public consultation. The objective of the Guide is to act as a practical tool for the analysis of individual situations and the exercise of supervisory judgement. The Guide does not impose legally binding requirements or replace or introduce any legal rules.

The Guide outlines the ECB's emphasis on diverse and effective management bodies, which is a supervisory priority of the Single Supervisory Mechanism ("SSM") and sets out supervisory expectations relating to the governance and risk culture of supervised banks. The Guide also utilises evidence gathered through the ECB's supervisory activities.

The Guide provides a roadmap to more effective internal governance and risk culture and, when published, will supersede the 2016 SSM supervisory statement on governance and risk appetite.

In particular, the Guide:

  • reflects recent updates to standards by the European Banking Authority ("EBA"), providing examples of good practices;
  • clarifies supervisors' expectations relating to the composition and functioning of management bodies and committees;
  • outlines the roles and responsibilities of the internal control functions;
  • highlights the significance of risk culture; and
  • sets out expectations relating to the risk appetite frameworks of banks.

The ECB also explains that the Guide is intended for the internal use of various supervisory teams to ensure a harmonised approach. The ECB further recommends that national competent authorities comply with the expectations and practices outlined in the Guide while examining the governance of less significant institutions.

The ECB expects banks to continue to improve on their implementation of governance standards, while the ECB will continue to oversee such implementation. Where it is necessary, the ECB will use all available supervisory tools to address supervisory findings that are yet to be remediated.

Next Steps

The public consultation on the Guide closes for feedback on 16 October 2024. The ECB will later publish any comments received, along with a feedback statement and the final Guide.

The ECB will hold a stakeholder meeting on 26 September 2024 where relevant experts from supervised institutions and other interested parties may discuss their thoughts on the Guide.

4. ECB concludes cyber resilience stress test and issues findings

On 26 July 2024, the European Central Bank ("ECB") announced the conclusion of its cyber resilience stress test ("Stress Test"). The ECB commenced the Stress Test in January 2024 to establish how banks would respond to and recover from a severe but plausible cybersecurity incident. The Stress Test showed that while banks have measures in place to protect themselves from a cyberattack, these measures can be improved. The findings of the Stress Test will contribute to the 2024 Supervisory Review and Evaluation Process ("SREP"), which evaluates banks' individual risk profiles.

The Stress Test was built around a fictional scenario in which a cybersecurity incident occurred. In this scenario, all of the preventative measures the bank had in place had failed and, as a result, the incident impacted the bank's core systems. The Stress Test concentrated on how a bank would respond to the cyberattack rather than on how it might prevent it. The Stress Test involved 109 banks directly supervised by the ECB, with a sample of 28 banks selected for more thorough testing. The selected banks covered various business models and geographical areas in order to test the resilience of banks across Europe.

The banks in the sample were expected to carry out an actual IT recovery test, demonstrate that this test was successful, and receive an on-site visit from a supervisor.

Banks were expected to show their capacity to respond to the scenario by:

  • initiating their crisis response plans, as well as their internal crisis management procedures and business continuity plans;
  • engaging with external stakeholders such as customers, service providers and law enforcement agents;
  • analysing and identifying what services could be affected and how they may be affected; and
  • implementing mitigation measures, including workarounds that allow the bank to function throughout the time required to fully recover IT systems.

Banks were expected to show their capacity to recover from the scenario by:

  • initiating their recovery plans, including restoring backed-up data and liaising with critical third-party service providers on how to respond to the incident;
  • confirming the recovery of the affected areas; and
  • incorporating the lessons learned from the incident into, for example, their response and recovery plans.

The ECB is focused on improving the cyber resilience framework of the banks it supervises. The ECB recommends that banks continue to meet supervisory standards by having sufficient business continuity, communication and recovery plans in place to protect them from potential cyberattacks. Banks are expected to be able to achieve their own recovery objectives, evaluate dependencies on critical third-party ICT service providers and estimate direct and indirect losses from a cyberattack.

Next Steps

As mentioned above, the findings of the Stress Test will feed into the 2024 SREP. In addition, supervisors have issued individual feedback to each participating bank and will follow up with the banks involved with further information and recommendations. Some banks have already responded to the feedback from the Stress Test by remediating, or planning to remediate, the deficiencies identified in the exercise.

5. European Regulators Input on SFDR Review

On 18 June 2024, the European Supervisory Authorities issued a joint opinion on the assessment of the Sustainable Finance Disclosure Regulation ("SFDR"). The publication of the own-initiative opinion follows the European Commission's consultation on the review of the SFDR issued in September 2023. On 25 July 2024, the European Securities and Markets Authority also followed up by issuing its own opinion on the functioning of the sustainable finance framework.

For a detailed consideration of both opinions, please see Insight produced by Matheson's Asset Management Department which can be accessed here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
