On 8 November 2024, Jack Chambers, Minister for Finance signed statutory instrument no. 607 of 2024, European Union (Markets in Crypto - Assets) Regulations 2024 (“Statutory Instrument”).

The Statutory Instrument:

• designates the Central Bank of Ireland (“Central Bank”) as the relevant national competent authority for the purpose of Article 93(1) of the MiCA;
• sets out the supervisory and investigative powers of the Central Bank in Part III;
• sets out the administrative penalties and measures for regulated and non – regulated financial service providers, in Parts IV and V of the Statutory Instrument, respectively; and
• specifies the duration of the transition period for firms that were engaged in providing crypto services before 30 December 2024, stating that such firms may continue to do so until 30 December 2025 or until such time as they are granted or refused an authorisation under Article 63 of MiCA, whichever is sooner.   

The Statutory Instrument paves the way for the Central Bank to take enforcement actions against regulated financial service providers who breach MiCA or against unregulated firms who have prospectus obligations under MiCA and breach those provisions.

Next Steps

The commencement date of the Statutory Instrument was 8 November 2024. In view of the fact that the Central Bank is now officially the competent authority under the Statutory Instrument, we will continue to monitor the Central Bank’s dedicated MiCA webpage and in particular for developments in respect of the Central Bank’s key facts document template and crypto - asset service provider authorisation forms. 

On 6 November 2024, the Central Bank of Ireland (“Central Bank”) hosted an industry briefing on the Digital Operational Resilience Act (“DORA”). The briefing included:

• a speech from Gerry Cross, Director of Financial Regulation, Policy and Risk at the Central Bank;
• presentations from various members of the DORA readiness team, slides in respect of same are available here; and
• a Q&A session with a number of Central Bankers and European experts, which can be viewed here.

The Central Bank also stated that it will update its dedicated DORA webpage with an FAQ document in due course, we will continue to monitor the situation and update clients accordingly.

Speech by Gerry Cross:

Director Cross began by summarising the work, and focus, of the Joint Committee Sub-Committee on Digital Operational Resilience (“JCSCDOR”), of which he was chair. He noted that they had been successful in the submission of the Level 2 technical standards to the European Commission (“Commission”), with the Commission now being close to adopting the final regulatory products. However, it should be noted that he did highlight that there may be a short delay with one or two of the final regulatory products as the Commission “looks again at a couple of discrete aspects.”  

Director Cross stated that the focus of competent authorities and financial entities has now shifted to the implementation and supervision of DORA confirming the following:

• as of 17 January 2025, DORA will be the legally binding digital operational resilience framework for financial firms across the EU;
• it will be the case that many firms will already have many of the required practices and procedures in place, as DORA represents what many well managed firms have already been doing, but that some aspects are becoming clearer with the advent of DORA;
• many of the requirements under DORA are already in place under sectoral legislation, noting that closing the gaps for such firms will be less onerous, but nonetheless, momentum in closing such gaps must be maintained;
• the expectations of the Central Bank will be demanding with an expectation that gaps will have been identified with action being taken to close such gaps;
• the Central Bank will assess firms’ performance with reference to their starting point, the quality of their approach and the timely closing of any identified gaps; and
• incident identification and reporting will be expected to be in place without delay.

Director Cross confirmed that the structures that were put in place in Europe to develop the Level 2 regulations will be maintained to support supervisory convergence and consistency of implementation of DORA across the EU.

For firms subject to DORA’s advanced threat - led penetration testing (“TLPT”), Director Cross stated that the Central Bank will hold dedicated workshops for those entities that they are identifying as being in scope and stated that those invites should issue in the coming weeks. 

Finally, the Director discussed DORA’s oversight regime of critical ICT third - party service providers  (“CTPPs”) noting that will CTPPs will not be regulated but that the European Supervisory Authorities (“ESAs”) will have oversight of such providers, including the right of inspection. He pointed out that the ESAs have appointed a new director on oversight, who will jointly report to the three ESAs. Director Cross also highlighted the initial designation of CTPPs noting the urgency required in the completion of registers of information by financial firms in scope in the first few months of 2025, as soon as the relevant specifications are finalised by the Commission.

Q&A Session:

While much was discussed during the Q&A session, a number of takeaways are particularly worth noting.

• Timeline For Implementation

Reinforcing Director Cross’ comments, the Central Bank added during the Q&A that 2025 would be about seeking clear evidence of high quality implementation.  To this end the Central Bank explained that it would expect firms to be in a position to demonstrate the gap analysis which they have carried out to establish where the firm stands as against the standards expected under DORA. Where gaps are identified, the Central Bank’s response to those gaps will be influenced by:

• the seriousness of the non-compliance;
• the impact the non-compliance will have;
• the persistent nature of the non-compliance; and
• if there has been a pattern of non-compliance within the firm more generally.

All these factors will be considered to determine if escalation of the matter is needed, and the full range of tools will be considered by the Central Bank in this situation.

They added that the time allowed to address those gaps would be proportionate to the size / materiality of the gap.  It should also be noted that where gaps are in relation to existing requirements under sectoral specific legislation, the Central Bank’s response will be more stringent.

Finally, the Central Bank added that firms must be in a position to furnish a copy of the gap analysis performed, if requested, and produce evidence of how resources have been allocated to ensure that such firms will achieve compliance.

• Contract Reviews

Regarding the review of contracts, the Central Bank explained that the following areas should be given specific consideration:

• the strengthening of access for audit purposes;
• receiving updates regarding the testing that the ICT provider is conducting on its own systems; and
• ensuring that there is transparency regarding sub – contracting.
  

• Review of Existing Central Bank Guidance

It was explained that the Central Bank is currently undertaking a significant exercise to identify national guidance which is impacted by DORA and to establish if any conflicts arise.  In particular, it was indicated that an update on the “Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks” can be expected and that both the Cross Industry Guidance on Operational Resilience and Outsourcing respectively will also be reviewed.

On 8 November 2024, Governor of the Central Bank of Ireland (“Central Bank”), Gabriel Makhlouf delivered a speech (“Speech”) at a fintech event in Singapore. The theme of the speech centred around how the Central Bank is navigating its way through change and the rapidly evolving financial system landscape. While discussing matters such as, innovation and the changing landscape of the global financial system, Governor Makhlouf took the opportunity to set out the priorities of the Central Bank for 2025. He cited two of the Central Bank’s main priorities as being:

• the implementation of the Digital Operations Resilience Act (“DORA”), noting it as being of particular focus due to Ireland’s large technology sector; and
• the implementation of the Marlets in Crypto Assets Regulation (“MiCA”), to include technical standards and engagement with firms seeking authorisation under MiCA.

The Governor set out a number of other priorities for 2025, as follows:

• the modernising of other frameworks, particularly as regards the Consumer Protection Code together with work at an EU level in terms of the digital euro and the Financial Data Access Regulation;
• the continuation of the strengthening of capabilities, particularly when it comes to AI and tokenisation, as Governor Makhlouf stated in the Speech that those areas are likely to be “the next significant widespread technological development in the financial system”;
• ensuring that public money continues to act as an anchor for a well - functioning payments system; and
• the continuation of Central bank engagement with industry and collaboration with peer supervisors. 
  

1. EIOPA publishes its final report on the prudential treatment of sustainability risks

On 7 November 2024, the European Insurance and Occupational Pensions Authority (“EIOPA”) published its final report on the prudential treatment of sustainability risks within Solvency II (“Report”) in response to mandate given to EIOPA by the European Commission (“Commission”). The Report advises additional capital requirements for fossil fuel assets on insurers’ balance sheets to cushion against transition risks.

The Report goes into extensive detail on three key areas:

• the market risk of assets exposed to the climate transition;
• the impact of climate risk-related prevention measures on non-life underwriting risks; and
• the treatment of social risks.

Market risk of stocks and bonds exposed to the transition

EIOPA’s findings reveal that fossil fuel-related stocks and bonds are more exposed to transition risks than assets connected to other economic activities. To ensure that European insurers set aside enough capital to withstand potential losses from investments in assets with high transition risks, EIOPA is recommending additional capital charges for these assets so as to better align capital requirements with insurers' actual risk exposures.

For stocks, EIOPA proposes raising capital requirements by up to 17% in additive terms on top of the current capital charge, leading to a moderate increase in insurers' capital requirements. An impact assessment has indicated that such a surcharge would have a limited impact on undertakings' solvency ratio given their relatively low exposure to directly held fossil fuel stocks.

For bonds, EIOPA recommends a capital charge of up to 40% in multiplicative terms in addition to existing capital requirements, instead of introducing no change at all or applying rating downgrades to fossil fuel-related bonds. The capital surcharge option is considered to better reflect the high risk profile of these bonds while preserving the risk-sensitive design of the Solvency II standard formula for spread risk.

Adaptation measures in non-life underwriting

This area of the Report focused on the non-life underwriting activities of insurers regarding climate change adaptation as a risk-based environmental objective. EIOPA analysed to what extent preventive, climate-related adaptation measures (e.g. installation of anti-flood doors or fire-proof vegetation around properties) could influence non-life underwriting risks in terms of premium risk.  The focus of the analysis was on private adaptation measures that can be directly implemented in insurance products either by policyholders or by insurance undertakings.  While the findings do indicate a potential reduction in premium risk, the collected data sample is too small to draw a justified conclusion. EIOPA proposes to repeat the analysis in the future once higher quality data is available.

Social risks

The Report also discussed how social risks could potentially materialise into prudential risks on insurers' balance sheets. EIOPA argues that conceptually, all components of sustainability risks, such as climate and social risks, are to be treated in a similar manner. Hence, social risks need to be identified and managed. Moreover, in the context of the double materiality principle, social impacts matter from a prudential perspective. However, EIOPA also highlights in its qualitative analysis that not all concepts and prudential measures from climate analysis may apply in a similar manner to social aspects. Due to the current lack of data and risk models, EIOPA does not recommend specific prudential treatment of social risks at this stage. EIOPA suggests continuing work on this topic in terms of developing an application guidance to support the social risk materiality assessment for the purpose of (re)insurers’ own risk and solvency assessment .

Next Steps

EIOPA has submitted its recommendations to the Commission for review. The Commission will then consider whether to implement the proposed additional capital requirements for fossil fuel assets.

2. EIOPA consults on mass-lapse reinsurance and reinsurance termination clauses to enhance guidance on risk mitigation techniques

On 8 November 2024, the EIOPA published a consultation on two annexes expected to be added to its  Opinion on the use of risk-mitigation techniques by insurance undertakings under the Solvency II Directive (2009/138/EC) which was published in July 2021 (“Opinion”).

The Opinion addresses the use of risk mitigation techniques including recommendations to national competent authorities (“NCAs”) to ensure convergent supervision following the emergence of new, non-traditional mitigation techniques in the European market in the wake of Solvency II.  The first and second annexes proposed to be added to the Opinion consider Mass-lapse Reinsurance and Reinsurance Agreements’ Termination Clauses respectively and aim to extend the guidance provided in the Opinion.

Annex One

The first annex extends guidance to supervisors on the treatment of mass-lapse reinsurance. It aims to promote greater supervisory convergence across the EU due to evolving risk mitigation methods through the use of reinsurance.

It addresses the principal elements of mass-lapse reinsurance treaties and mostly focuses on the cedent’s perspective. It outlines the most relevant elements of mass-lapse reinsurance to be considered when assessing the efficiency of the risk transfer and the consequent reduction of the Solvency Capital Requirement (“SCR”). It also addresses the impact of mass-lapse reinsurance on the balance sheet, such as the valuation of reinsurance recoverables and risk margin calculation. The annex briefly discusses the reinsurer’s perspective, in particular the nature of the risk accepted when calculating the SCR.

Annex Two

The second annex addresses specific terms of reinsurance agreements' termination clauses that can compromise the effective transfer of risk. In particular, this concerns termination clauses in reinsurance agreements that absolve the reinsurer from its share on legitimately incurred losses within the reinsurance treaty period. The Annex also addresses reinsurance contracts where the assets are transferred and where the accompanying clauses allow reinsurers, in case of termination, to unconditionally retain all premiums and assets previously transferred and be freed from all obligations.

Next Steps

The consultation is open for feedback via online survey and will close on 7 February 2025. 

On 8 November 2024, the European Central Bank (“ECB”) launched a consultation (“Consultation”) on its revised policies (“Policies”) for applying options and discretions (“O&Ds”) available to supervisory authorities under EU law. The Policies outline how the ECB will exercise the O&Ds when supervising banks, with the aim of making the process more transparent, consistent and effective for the ECB and national competent authorities (“NCAs”).

The Policies consist of the following:

1. a guide covering the exercise of O&Ds applicable on a case by case basis;
2. a regulation addressing the ECB’s exercise of several O&Ds of a generally applicable nature in relation to significant institutions;
3. a recommendation addressed to NCAs regarding the exercise of O&Ds applicable on a case by case basis regarding less significant institutions; and
4. a guideline addressed to NCAs regarding the exercise of O&Ds of a generally applicable nature in relation to less significant institutions.

The  Policies are accompanied by an explanatory memorandum which summarises the updates under the Consultation.

The O&Ds relate to several prudential topics, some of which are as follows:

• the definition of own funds;
• how to calculate capital requirements for certain risk categories;
• which asset types are included in the trading book; and
• permitted exclusions when determining the consolidation scope of a banking group.

The revision of the Policies has been necessary due to the adoption of the Capital Requirements Regulation (“CRR III”) and the Capital Requirements Directive (“CRD IV”). However, the Policies do also encompass other supervisory developments since the last revision in 2022.

Next Steps

The Consultation is open until 10 January 2025.