1. ESAs publish final report on draft RTS on the sub-contracting of ICT services supporting functions under DORA
On 25 July 2024, the Joint Committee of the European Supervisory Authorities (“ESAs”) published its final report on the draft regulatory technical standards (“RTS”) governing the sub-contracting of ICT services. The RTS set out the elements that a financial entity must identify and assess when it sub-contracts ICT services supporting critical or important functions, as mandated by Article 30(5) of Regulation (EU) 2022/2554 (“DORA”).
The draft RTS specify what is required when ICT third-party service providers engaged by financial entities sub-contract ICT services that support critical or important functions, or at least material parts of those functions. They also set out the conditions that apply to such sub-contracting.
Specifically, the draft RTS require financial entities to:
- examine the risk involved with sub-contracting throughout the pre-contractual stage, including the due diligence process; and
- implement, monitor and manage the contractual arrangements relating to the sub-contracting conditions for the use of ICT services, to ensure that financial entities can monitor the entire chain of services which support their critical or important functions.
Section 6 contains the ESAs' analysis, accompanied by a summary of the responses received during the consultation process initiated in December 2023, and specifying any amendments that were made to the RTS as a result. According to the ESAs, the main areas of focus in the responses were as follows:
- proportionality;
- monitoring of the sub-contracting chain;
- imposing requirements on ICT third-party service providers;
- termination; and
- the transition period.
Next Steps
The ESAs will submit the draft RTS to the European Commission for adoption.
2. Commission proposes to postpone by one year the market risk prudential requirements under Basel III in the EU
On 24 July 2024, the European Commission (“Commission”) adopted a Delegated Regulation amending the Capital Requirements Regulation (Regulation (EU) No 575/2013, the “CRR”) which delays the date of application of the Basel III own funds requirements for market risk (the Fundamental Review of the Trading Book (“FRTB”) introduced by Basel III).
Under Article 461a of the CRR, as amended by the CRR III Regulation, the Commission is required to monitor the international implementation of the Basel III FRTB standards across all jurisdictions. Article 461a of the CRR also empowers the Commission to adopt delegated acts to preserve a level playing field where there are significant deviations in implementation by third countries. The Commission has found that some jurisdictions, such as Canada and Japan, have implemented the standards, while others, such as the United States, have fallen behind, with uncertainty as to timelines and possible deviations in implementation.
The Commission envisages that the implementation date in the United States is likely to be January 2026 at the earliest. The Commission has therefore decided to postpone the application of the FRTB standards by one year. Mairead McGuinness, Commissioner for Financial Services, Financial Stability and Capital Markets Union, affirmed the Commission’s decision and described it as necessary “to preserve the international level playing field for EU banks”. The current market risk requirements will remain applicable until the postponed application date.
The delegated act has been adopted in accordance with the mandate received by the Commission from the European Parliament and Council.
Next Steps
The European Parliament and the Council of the EU will now scrutinise the Delegated Regulation for a period of three months. If neither objects within that period, the Delegated Regulation will enter into force on the day after its publication in the Official Journal of the European Union. The current market risk requirements will remain applicable until 1 January 2026.
3. ECB consults on governance and risk culture
On 24 July 2024, the European Central Bank (“ECB”) published a draft guide (“Guide”) on governance and risk culture for public consultation. The objective of the Guide is to act as a practical tool for the analysis of individual situations and the exercise of supervisory judgement. It does not impose legally binding requirements or replace or introduce any legal rules.
The Guide outlines the ECB’s emphasis on diverse and effective management bodies, which is a supervisory priority of the Single Supervisory Mechanism (“SSM”), and sets out supervisory expectations relating to the governance and risk culture of supervised banks. The Guide also utilises evidence gathered through the ECB’s supervisory activities.
The Guide provides a roadmap to more effective internal governance and risk culture and, once published in final form, will supersede the 2016 SSM supervisory statement on governance and risk appetite.
In particular, the Guide:
- reflects recent updates to standards by the European Banking Authority (“EBA”), providing examples of good practices;
- clarifies supervisors’ expectations relating to the composition and functioning of management bodies and committees;
- outlines the roles and responsibilities of the internal control functions;
- highlights the significance of risk culture; and
- sets out expectations relating to the risk appetite frameworks of banks.
The ECB also explains that the Guide is intended for the internal use of various supervisory teams to ensure a harmonised approach. The ECB further recommends that national competent authorities comply with the expectations and practices outlined in the Guide while examining the governance of less significant institutions.
The ECB expects banks to continue to improve on their implementation of governance standards, while the ECB will continue to oversee such implementation. Where it is necessary, the ECB will use all available supervisory tools to address supervisory findings that are yet to be remediated.
Next Steps
The public consultation on the Guide closes for feedback on 16 October 2024. The ECB will later publish any comments received, along with a feedback statement and the final Guide.
The ECB will hold a stakeholder meeting on 26 September 2024, where relevant experts from supervised institutions and other interested parties may discuss their thoughts on the Guide.
4. ECB concludes cyber resilience stress test and issues findings
On 26 July 2024, the European Central Bank (“ECB”) announced the conclusion of its cyber resilience stress test (“Stress Test”). The ECB launched the Stress Test in January 2024 to establish how banks would respond to and recover from a severe but plausible cybersecurity incident. The Stress Test showed that while banks have measures in place to protect themselves from a cyberattack, those measures can be improved. The findings of the Stress Test will feed into the 2024 Supervisory Review and Evaluation Process (“SREP”), which evaluates banks’ individual risk profiles.
The Stress Test was built around a fictional scenario involving a cybersecurity incident. In this scenario, all of the bank’s preventative measures had failed and, as a result, the incident affected the bank’s core systems. The Stress Test concentrated on how the bank would respond to the cyberattack, rather than on how it might prevent it. The Stress Test involved 109 banks directly supervised by the ECB, of which a sample of 28 banks was selected for more thorough testing. The selected banks covered a range of business models and geographical areas in order to test the resilience of banks across Europe.
The banks in the selected sample were expected to carry out an actual IT recovery test and demonstrate that it was successful; they were also visited on site by supervisors.
Banks were expected to show their capacity to respond to the scenario by:
- initiating their crisis response plans, as well as their internal crisis management procedures and business continuity plans;
- engaging with external stakeholders such as customers, service providers and law enforcement agents;
- analysing and identifying what services could be affected and how they may be affected; and
- implementing mitigation measures, including workarounds that allow the bank to function throughout the time required to fully recover IT systems.
Banks were expected to show their capacity to recover from the scenario by:
- initiating their recovery plans, as well as restoring backed-up data and liaising with critical third-party service providers on how to respond to the incident;
- confirming the recovery of the affected areas; and
- implementing the lessons learned from the incident, for example by updating their response and recovery plans.
The ECB is focused on improving the cyber resilience frameworks of the banks it supervises. The ECB recommends that banks continue to meet supervisory standards by having adequate business continuity, communication and recovery plans in place to protect them against potential cyberattacks. Banks are expected to be able to achieve their own recovery objectives, assess their dependencies on critical third-party ICT service providers and estimate the direct and indirect losses from a cyberattack.
Next Steps
As mentioned above, the findings of the Stress Test will feed into the 2024 SREP. In addition, individual feedback has been issued to each participating bank by supervisors. Supervisors will be in contact with the individual banks involved with further information and recommendations. Some banks have already responded to the feedback from the Stress Test by improving or planning to improve the deficiencies identified in the exercise.
5. European Regulators Input on SFDR Review
On 18 June 2024, the European Supervisory Authorities issued a joint opinion on the assessment of the Sustainable Finance Disclosure Regulation (“SFDR”). The publication of the own-initiative opinion follows the European Commission’s consultation on the review of the SFDR issued in September 2023. On 25 July 2024, the European Securities and Markets Authority also followed up by issuing its own opinion on the functioning of the sustainable finance framework.
For a detailed consideration of both opinions, please see an Insight produced by Matheson’s Asset Management Department which can be accessed here.