News Update Financial Regulatory

17 January 2022

In this News Update, we discuss developments in European anti-money laundering and countering the financing of terrorism supervision, information security and related cyber risks; and the pitfalls of 'finfluencing'. We further highlight some other financial regulatory publications issued last month.

EBA | Developments in European AML/CFT supervision

As part of its task of ensuring the integrity, transparency and orderly functioning of financial markets, the European Banking Authority ("EBA") focuses on preventing the use of the financial system for money laundering and terrorist financing purposes. Recently, EBA has been very active in this area, as evidenced by the following publications.

Draft Guidelines on the use of remote customer onboarding solutions
Financial institutions have seen a growing demand for remote customer onboarding solutions, partly due to movement restrictions prompted by the COVID-19 pandemic. As a result, EBA stresses the importance for supervisors and financial institutions to understand the capabilities of remote solutions to make the most of the opportunities they offer. To support their sound and responsible use, they also need to be attuned to money laundering and terrorist financing ("ML/TF") risks arising from the use of such tools and take steps to mitigate those risks effectively. The Guidelines set out the steps financial institutions should take to ensure safe and effective remote customer onboarding practices in line with applicable anti-money laundering and countering the financing of terrorism ("AML/CFT") legislation and the EU’s data protection framework. The public consultation on these Guidelines is open until 10 March 2022.

Revised Guidelines on risk-based supervision of credit and financial institutions’ compliance with AML/CFT obligations
These revised Guidelines, published on 16 December 2021, build on the existing four-step approach to the risk-based AML/CFT supervision and provide additional guidance on ML/TF risk assessments, including the sectoral risk assessment. They also help supervisors choose the most effective tools to meet their supervisory objectives, especially in situations where they have identified breaches and weaknesses in institutions’ systems and controls framework. The revised Guidelines also emphasise the importance of cooperation between AML/CFT supervisors and other stakeholders, including prudential supervisors, Financial Intelligence Units ("FIUs") and tax authorities.

Final Guidelines on cooperation and information exchange between prudential supervisors, AML/CFT supervisors and financial intelligence units
These final Guidelines, published on 16 December 2021, set out how prudential supervisors, AML/CFT supervisors and FIUs should cooperate and exchange information in relation to AML/CFT, in line with provisions laid down in the Capital Requirements Directive.

Draft Regulatory Technical Standards on an AML/CFT central database in the EU
EBA is legally required to establish and keep up to date an AML/CFT central database. This database, the European Reporting system for material CFT/AML weaknesses ("EuReCA"), will contain information on material weaknesses in individual financial institutions that make them vulnerable to ML/TF. EU supervisors will have to report such weaknesses, as well as the measures they have taken to rectify them. The draft Regulatory Technical Standards ("RTS"), published on 20 December 2021, specify when weaknesses are material, the type of information supervisors will have to report, how information will be collected and how EBA will analyse and disseminate the information contained in EuReCA.

Opinion on de-risking
On 5 January 2022, EBA published its Opinion on the scale and impact of de-risking in the EU and the steps supervisors should take to tackle unwarranted de-risking. De-risking refers to decisions taken by financial institutions not to provide services to customers in certain risk categories. According to EBA, de-risking can be a legitimate risk management tool, but it can also be a sign of ineffective ML/TF risk management, with possible severe consequences. EBA considers that its regulatory guidance on how to manage ML/TF risks, if applied correctly, should help avert unwarranted de-risking. To further complement this guidance, EBA encourages supervisors to engage more actively with institutions that de-risk and with users of financial services that are particularly affected by de-risking, to raise mutual awareness of their respective rights and responsibilities. EBA also advises the European Commission to clarify, in the Payment Account Directive, the interaction between AML/CFT requirements and the right to open and use a payment account with basic features, and to take advantage of the forthcoming review of the Payment Services Directive to ensure more convergence in the way payment institutions access credit institutions’ payment accounts services.

DNB and EBA | Information security and related cyber risks

The Dutch Central Bank (De Nederlandsche Bank, "DNB") considers information security and related cyber risks to be one of the important operational risks in financial institutions. Because cyberattacks have the potential to severely damage the continuity of business operations, DNB shares examples for managing these risks in Q&As and Good Practices, conducts sector-wide and individual surveys at institutions, and cooperates with the financial sector in parts to further strengthen the institutions' resilience. The IB Monitor 2021, which was published (only in Dutch) on 22 December 2021, shares the most recent observations regarding IT and cyber risks, based on supervisory examinations and queries from pension funds and insurers. It also includes a threat analysis and an outlook on planned supervisory activities in 2022. Supervisory interviews and surveys of banking institutions have shown that the observations mentioned in the IB Monitor 2021 are also relevant for the entire Dutch financial sector. The three main observations, which are further elaborated in the IB Monitor 2021, are that:

• the risk management cycle within institutions focusing on information security is insufficiently effective;
• controlling information security throughout the entire outsourcing chain is crucial; and
• the resilience against cyberattacks must be strengthened.

On the same subject, DNB published a Q&A Assessment Framework for DNB Information Security Examination on its website.

EBA also drew attention to cyber risk. In its Risk Dashboard Q3 2021, EBA established that cyber and information and communication technology related risks remain elevated and operational risk losses increased during the pandemic. EBA finds that relying on third-party providers further aggravate these risks.

AFM | The pitfalls of 'finfluencing'

On 20 December 2021, the Dutch Authority for the Financial Markets ("AFM") published an exploratory study, The pitfalls of 'finfluencing' ('De valkuilen bij ‘finfluencen’, only in Dutch), on approximately 150 financial influencers ("finfluencers") who comment in social media on investing. Although these finfluencers provide accessible information about investing and therefore meet a need, according to the AFM, the working methods of almost all finfluencers involve the following risks:

• Investment advice without a licence;
• Insufficient care with investment recommendations;
• Recommending high risk products;
• Working with unlicensed parties; and
• Fees for introducing clients to finfluencers.

Rules apply with respect to these subjects and should also apply to finfluencers. The AFM has ascertained that not all finfluencers, nor the investment firms that pay them, comply with these rules. Industrial associations indicated they wanted stricter supervision, but the AFM saw no reason for this.

In this context, the AFM has also drawn attention (see this statement, only in Dutch) to the ban on commission for investment firms, which also applies on paying finfluencers. This is the case when finfluencers bring in customers through their channels. According to the ban on commissions, this is not allowed.

Other financial regulatory publications

We have highlighted a selection of other publications by legislatures and regulators for the financial markets and financial supervision since our December 2021 News Update was published.

• The 'Implementation act on loss absorption and recapitalisation capacity of banks and investment firms' (Implementatiewet verliesabsorptie- en herkapitalisatiecapaciteit van banken en beleggingsondernemingen, only in Dutch) entered into force on 21 December 2021.
• The AFM, together with the French Autorité des Marchés Financiers, published the position paper 'Strengthening conduct supervision in cross-border retail financial services to create a more efficient EU capital market'. The AFM also published the discussion paper 'The role of information documents in effective consumer protection', and the documents 'Principles for the ongoing support of clients' (Principes voor de doorlopende ondersteuning van klanten, only in Dutch) and 'Interpretation information and advice' (Interpretatie informeren en adviseren, only in Dutch).
• DNB announced that, as of 1 January 2022, based on the Financial Supervision Funding Regulation one-off actions (Regeling bekostiging financieel toezicht eenmalige handelingen, only in Dutch) a fee will be payable for fitness, propriety and reputation tests at trust offices.
• EBA published two final draft RTS regarding the reclassification of investment firms as credit institutions, on the reclassification of investment firms as credit institutions and on the provision of information for the effective monitoring of the credit institution thresholds. It also published a report on the application of its Guidelines on the remuneration of sales staff and a consultation paper on draft RTS on credit scoring and loan pricing disclosure, credit risk assessment and risk management requirements for crowdfunding service providers.
• The European Insurance and Occupational Pension Authority launched a consultation on the application guidance on running climate change materiality assessment and using climate change scenarios in the own risk and solvency assessment.
• The European Securities and Markets Authority ("ESMA") updated the Questions and Answers on application of the AIFMD, improving securities settlement in the EU and on central securities depositories, application of the UCITS Directive, and SFTR data reporting. ESMA also published the final report on its Guidelines on certain aspects of the MiFID II appropriateness and execution-only requirements, and its letter to the European Commission with input for the report on reverse solicitation.
• The Single Resolution Board published its guidance on solvent wind-down of derivatives and trading books in resolution.
• The European Systemic Risk Board published a report on the overlap between capital buffers and minimum requirements.

If you have any financial regulatory questions, please do not hesitate to contact Berry van Wijk and Roel Theissen. For questions related to Investment Management, you can also contact our colleagues Oscar van Angeren and Marthe Bollen.

 

17 January 2022

In this News Update, we discuss developments in European anti-money laundering and countering the financing of terrorism supervision, information security and related cyber risks; and the pitfalls of 'finfluencing'. We further highlight some other financial regulatory publications issued last month.

EBA | Developments in European AML/CFT supervision

As part of its task of ensuring the integrity, transparency and orderly functioning of financial markets, the European Banking Authority ("EBA") focuses on preventing the use of the financial system for money laundering and terrorist financing purposes. Recently, EBA has been very active in this area, as evidenced by the following publications.

Draft Guidelines on the use of remote customer onboarding solutions
Financial institutions have seen a growing demand for remote customer onboarding solutions, partly due to movement restrictions prompted by the COVID-19 pandemic. As a result, EBA stresses the importance for supervisors and financial institutions to understand the capabilities of remote solutions to make the most of the opportunities they offer. To support their sound and responsible use, they also need to be attuned to money laundering and terrorist financing ("ML/TF") risks arising from the use of such tools and take steps to mitigate those risks effectively. The Guidelines set out the steps financial institutions should take to ensure safe and effective remote customer onboarding practices in line with applicable anti-money laundering and countering the financing of terrorism ("AML/CFT") legislation and the EU’s data protection framework. The public consultation on these Guidelines is open until 10 March 2022.

Revised Guidelines on risk-based supervision of credit and financial institutions’ compliance with AML/CFT obligations
These revised Guidelines, published on 16 December 2021, build on the existing four-step approach to the risk-based AML/CFT supervision and provide additional guidance on ML/TF risk assessments, including the sectoral risk assessment. They also help supervisors choose the most effective tools to meet their supervisory objectives, especially in situations where they have identified breaches and weaknesses in institutions’ systems and controls framework. The revised Guidelines also emphasise the importance of cooperation between AML/CFT supervisors and other stakeholders, including prudential supervisors, Financial Intelligence Units ("FIUs") and tax authorities.

Final Guidelines on cooperation and information exchange between prudential supervisors, AML/CFT supervisors and financial intelligence units
These final Guidelines, published on 16 December 2021, set out how prudential supervisors, AML/CFT supervisors and FIUs should cooperate and exchange information in relation to AML/CFT, in line with provisions laid down in the Capital Requirements Directive.

Draft Regulatory Technical Standards on an AML/CFT central database in the EU
EBA is legally required to establish and keep up to date an AML/CFT central database. This database, the European Reporting system for material CFT/AML weaknesses ("EuReCA"), will contain information on material weaknesses in individual financial institutions that make them vulnerable to ML/TF. EU supervisors will have to report such weaknesses, as well as the measures they have taken to rectify them. The draft Regulatory Technical Standards ("RTS"), published on 20 December 2021, specify when weaknesses are material, the type of information supervisors will have to report, how information will be collected and how EBA will analyse and disseminate the information contained in EuReCA.

Opinion on de-risking
On 5 January 2022, EBA published its Opinion on the scale and impact of de-risking in the EU and the steps supervisors should take to tackle unwarranted de-risking. De-risking refers to decisions taken by financial institutions not to provide services to customers in certain risk categories. According to EBA, de-risking can be a legitimate risk management tool, but it can also be a sign of ineffective ML/TF risk management, with possible severe consequences. EBA considers that its regulatory guidance on how to manage ML/TF risks, if applied correctly, should help avert unwarranted de-risking. To further complement this guidance, EBA encourages supervisors to engage more actively with institutions that de-risk and with users of financial services that are particularly affected by de-risking, to raise mutual awareness of their respective rights and responsibilities. EBA also advises the European Commission to clarify, in the Payment Account Directive, the interaction between AML/CFT requirements and the right to open and use a payment account with basic features, and to take advantage of the forthcoming review of the Payment Services Directive to ensure more convergence in the way payment institutions access credit institutions’ payment accounts services.

DNB and EBA | Information security and related cyber risks

The Dutch Central Bank (De Nederlandsche Bank, "DNB") considers information security and related cyber risks to be one of the important operational risks in financial institutions. Because cyberattacks have the potential to severely damage the continuity of business operations, DNB shares examples for managing these risks in Q&As and Good Practices, conducts sector-wide and individual surveys at institutions, and cooperates with the financial sector in parts to further strengthen the institutions' resilience. The IB Monitor 2021, which was published (only in Dutch) on 22 December 2021, shares the most recent observations regarding IT and cyber risks, based on supervisory examinations and queries from pension funds and insurers. It also includes a threat analysis and an outlook on planned supervisory activities in 2022. Supervisory interviews and surveys of banking institutions have shown that the observations mentioned in the IB Monitor 2021 are also relevant for the entire Dutch financial sector. The three main observations, which are further elaborated in the IB Monitor 2021, are that:

• the risk management cycle within institutions focusing on information security is insufficiently effective;
• controlling information security throughout the entire outsourcing chain is crucial; and
• the resilience against cyberattacks must be strengthened.

On the same subject, DNB published a Q&A Assessment Framework for DNB Information Security Examination on its website.

EBA also drew attention to cyber risk. In its Risk Dashboard Q3 2021, EBA established that cyber and information and communication technology related risks remain elevated and operational risk losses increased during the pandemic. EBA finds that relying on third-party providers further aggravate these risks.

AFM | The pitfalls of 'finfluencing'

On 20 December 2021, the Dutch Authority for the Financial Markets ("AFM") published an exploratory study, The pitfalls of 'finfluencing' ('De valkuilen bij ‘finfluencen’, only in Dutch), on approximately 150 financial influencers ("finfluencers") who comment in social media on investing. Although these finfluencers provide accessible information about investing and therefore meet a need, according to the AFM, the working methods of almost all finfluencers involve the following risks:

• Investment advice without a licence;
• Insufficient care with investment recommendations;
• Recommending high risk products;
• Working with unlicensed parties; and
• Fees for introducing clients to finfluencers.

Rules apply with respect to these subjects and should also apply to finfluencers. The AFM has ascertained that not all finfluencers, nor the investment firms that pay them, comply with these rules. Industrial associations indicated they wanted stricter supervision, but the AFM saw no reason for this.

In this context, the AFM has also drawn attention (see this statement, only in Dutch) to the ban on commission for investment firms, which also applies on paying finfluencers. This is the case when finfluencers bring in customers through their channels. According to the ban on commissions, this is not allowed.

Other financial regulatory publications

We have highlighted a selection of other publications by legislatures and regulators for the financial markets and financial supervision since our December 2021 News Update was published.

• The 'Implementation act on loss absorption and recapitalisation capacity of banks and investment firms' (Implementatiewet verliesabsorptie- en herkapitalisatiecapaciteit van banken en beleggingsondernemingen, only in Dutch) entered into force on 21 December 2021.
• The AFM, together with the French Autorité des Marchés Financiers, published the position paper 'Strengthening conduct supervision in cross-border retail financial services to create a more efficient EU capital market'. The AFM also published the discussion paper 'The role of information documents in effective consumer protection', and the documents 'Principles for the ongoing support of clients' (Principes voor de doorlopende ondersteuning van klanten, only in Dutch) and 'Interpretation information and advice' (Interpretatie informeren en adviseren, only in Dutch).
• DNB announced that, as of 1 January 2022, based on the Financial Supervision Funding Regulation one-off actions (Regeling bekostiging financieel toezicht eenmalige handelingen, only in Dutch) a fee will be payable for fitness, propriety and reputation tests at trust offices.
• EBA published two final draft RTS regarding the reclassification of investment firms as credit institutions, on the reclassification of investment firms as credit institutions and on the provision of information for the effective monitoring of the credit institution thresholds. It also published a report on the application of its Guidelines on the remuneration of sales staff and a consultation paper on draft RTS on credit scoring and loan pricing disclosure, credit risk assessment and risk management requirements for crowdfunding service providers.
• The European Insurance and Occupational Pension Authority launched a consultation on the application guidance on running climate change materiality assessment and using climate change scenarios in the own risk and solvency assessment.
• The European Securities and Markets Authority ("ESMA") updated the Questions and Answers on application of the AIFMD, improving securities settlement in the EU and on central securities depositories, application of the UCITS Directive, and SFTR data reporting. ESMA also published the final report on its Guidelines on certain aspects of the MiFID II appropriateness and execution-only requirements, and its letter to the European Commission with input for the report on reverse solicitation.
• The Single Resolution Board published its guidance on solvent wind-down of derivatives and trading books in resolution.
• The European Systemic Risk Board published a report on the overlap between capital buffers and minimum requirements.

If you have any financial regulatory questions, please do not hesitate to contact Berry van Wijk and Roel Theissen. For questions related to Investment Management, you can also contact our colleagues Oscar van Angeren and Marthe Bollen.