FIG Top 5 at 5 - 23/01/2025

1. Central Bank announces participants in the inaugural innovation sandbox programme

On 9 January 2025, the Central Bank of Ireland (“Central Bank”) announced details of the seven participants in its inaugural innovation sandbox programme (“Programme”).

The Central Bank first announced its intention to establish the Programme in June 2024, with a call for applicants announced in October 2024. For more information, please see FIG Top 5 at 5 dated 6 June 2024 and FIG Top 5 at 5 dated 3 October 2024, respectively.

The theme of the Programme is “Combatting Financial Crime” with the aim of employing innovative technology to develop innovative solutions to minimise fraud, enhance KYC / AML / CFT frameworks and improve transaction security for consumers.

The Central Bank note that 38 applications were received from Ireland, the rest of the EU and the UK with the applicants including start – ups, established fintech firms and other existing financial services providers. The seven participants are:

• AMLYZE who are building an AML / CFT information sharing framework that will use structured taxonomies and synthetic data to simplify the detection and prevention of fraudulent activities;
• Expleo who have developed an anti – SMS fraud solution which installs on mobile phones to combat SMS fraud;
• a joint innovation between Forward Emphasis and Pasabi, who will develop and test a motor insurance application fraud analytics solution;
• Roseman Labs, who enable secure, GDPR - compliant collaboration and analysis on sensitive data for regulated industries;
• a partnership between Sedicii and PTSB to create a secure and private collaboration using zero knowledge proofs to verify names and addresses, in real-time, as part of their customer KYC process;
• TrustElevate, who offer a privacy - preserving solution for verifying parental responsibility and child age; and
• Vidos.Id, who are developing digital identity verification solutions to help financial institutions verify digital identity documents and wallet - based credentials.

The Programme will promote collaboration across the ecosystem to support the fight against financial crime. The Programme will also focus on the development of new business models and ventures that will solve problems identified in the sandbox theme, ultimately allowing for faster and safer deployment of new technologies, services or products.

The Programme comprises of the following elements:

• a structured programme of workshops, with participants engaging with specific topics each month that are relevant to the theme of the Programme;
• ongoing tailored engagement with dedicated sandbox relationship managers; and
• access to a data platform which will offer data sets and tools relevant to the theme of the Programme. This will also facilitate participants in testing and developing their innovation. 

Next Steps

The Programme will operate over a period of six months in order to allow the innovation to develop. The Central Bank has stated that the methodology and delivery of the Programme will be subject to continual assessment and review.

2. DORA Updates: (1) Central Bank publishes systems guidance for ICT incident reporting under DORA (2) ESAs publish report on potential further centralisations of ICT incident reporting

1. Central Bank publishes systems guidance for reporting major ICT incidents and significant cyber threats under DORA  

On 16 January 2025, the Central Bank of Ireland (“Central Bank”) published its guide to submitting major ICT – related incidents and significant cyber threats reports to the Central Bank under DORA (“Guide”). As reported in last week’s Top 5 at 5, the Central Bank recently published two reporting templates (“Templates”) for that purpose, for more information, please see FIG Top 5 at 5 dated 9 January 2025.

The Guide sets out systems guidance for financial entities, in scope of DORA, as regards the submission of major ICT – related incidents and significant cyber threats reports on the Central Bank’s Portal.

The Guidance states that it is applicable to financial entities, in scope of DORA and also where the Central Bank is the designated competent authority. The Central Bank advises that the Guidance is to be read in conjunction with other relevant documentation and legislative texts regarding DORA incident and cyber threat reporting, for example, the Regulatory Technical Standards on the content of the notification and reports for major incidents and significant cyber threats and determining the time limits for reporting major incidents and the Implementing Technical Standards on the standard forms, templates and procedures for financial entities to report a major incident and to notify a significant cyber threat.

The Central Bank reminds relevant financial entities that the relevant Templates, published last week, must be used.

Finally, the Central Bank highlights the importance of not altering the structure and formatting of the Templates, due to the validation rules applicable to the structure of the Templates.

2. Joint committee of ESAs publish report on potential for further centralisation of major ICT  incident reporting under DORA 

On 17 January 2025, the joint committee of the European Supervisory Authorities (“ESAs”)  published a report on the feasibility for further centralisation of reporting of major ICT – related incidents under DORA (“Report”).

The ESAs were obliged to produce the Report under article 21 of DORA. The Report aims to understand and assess the options for further centralisation of incident reporting under DORA.

The Report identifies three possible scenarios for the reporting of incidents as follows:

• the baseline, being the model which implements the existing DORA incident reporting flows under article 19, which have been operational since 17 January 2025. This is a mainly decentralised model, with financial entities reporting directly to the designated competent authority, who, in turn, transmit the reports to other national and European authorities, with the ESAs then disseminating the incidents to relevant competent authorities;
• the data sharing, being a model based on the baseline scenario but where financial entities would continue to report to the competent authority responsible for their supervision as per the reporting modalities and tools in place at national level, However, there would be no need for decentralised dissemination as once the report is submitted to the single solution available to competent authorities, it is automatically disseminated both nationally and at the European level to the relevant stakeholders; and
• the fully centralised model which envisages financial entities reporting directly to a single EU hub, which is accessible to stakeholders based on their specific roles and responsibilities and from which they receive notifications. In this scenario, while the financial entities will report into a centralised system, the competent authorities are still expected to be a first point of contact from the perspective of supervisory engagement, response, and follow-up. This solution would aim at facilitating the collection, dissemination and offering of advanced analytical capabilities of the incidents and at creating efficiencies at EU level.  

The Report concludes that all three scenarios are feasible and notes that the baseline scenario was already required to be implemented by 17 January 2025. As regards the other two scenarios, their implementation is thought to be feasible with three years for the data sharing model and a minimum of five years for the fully centralised model. These timelines take account of the amendments that would need to be made to DORA together with the complexity of other elements that would need to be in place. From a costs perspective, the Report notes that there are no significant cost differences. 

The Report states that it is clear that the fully centralised model would bring certain benefits, however, the Report also notes that local solutions have been in place since 17 January 2025 and highlights that the centralised option will become less attractive over time. Added to this is that fact that National Competent Authorities would need to continue to invest in infrastructures enabling a supervisory response and follow - up at national level, even if incident data collection, validation and analytical capabilities were fully centralised. In that regard, the Report emphasises the importance of the continuation, by the co – legislators, of the assessment of the further centralisation into a single EU hub.  

Next Steps

The Report has been submitted to the European Parliament, the European Council and the European Commission. They will consider its findings for potential future developments in the further centralisation of ICT - related incident reporting in the financial sector.

3. MiCA Updates: (1) EBA and ESMA report on recent developments in crypro – assets (2) ESMA publishes statement on non – MiCA compliant ARTs and EMTs

1. EBA and ESMA publish joint report on recent developments in crypto – assets

On 16 January 2025, the European Banking Authority (“EBA”) and the European Securities and Markets Authority (“ESMA”) published a joint report (“Report”) on recent developments in crypto – assets under article 142 of MiCA.

The Report sets out the outcome of an analysis carried out by the EBA and ESMA on specific elements covered by article 142 of MiCA and is part of the EBA’s and ESMA’s contribution to the European Commission’s report to the European Parliament and the European Council on recent developments in crypto – assets.

The first chapter of the Report focuses on Decentralised Finance (“DeFI”), including the engagement of EU consumers and businesses in DeFI. Some of the findings include:

• DeFi remains a niche phenomenon, with amounts locked in DeFi protocols representing 4% of all crypto - asset market value at a global level;
• EU adoption of DeFi, while above global average, is behind other developed economies, for example, the US and South Korea;
• the Report sets out the different types of businesses providing access to DeFi, namely DeFi application interfaces, self - custodial wallets, and centralised platforms. The Report also finds that the preferred method of access to DeFi depends on the financial activity that a user is engaging in;
• the implications of maximal extractable value (“MEV”) on DeFi markets are widespread in DeFi and negative externalities of MEV would require technical solutions;
• the number of DeFi hacks and the value of stolen crypto – assets has evolved in correlation with the DeFi market size; and
• DeFi protocols present considerable money laundering and terrorism financing risks mainly due to the fact that there is a current absence of adequate AML / CFT controls, with the risk further increased by the cross border nature of transactions. 

Some of the matters highlighted in the second chapter of the Report are as follows:

• crypto lending, borrowing and staking services are offered by a number of crypto – asset service providers in EU jurisdictions, which in some cases also offer regulated crypto - asset services;
• users may receive insufficient information on conditions in relevant areas such as fees, interest rates paid or yields, changes to collateral requirements, the actions the service provider may take with regard to any assets used as collateral or placed in a staking account, or rights and liabilities in case of dispute or insolvency;
• there appears to be little engagement by EU consumers and financial institutions with crypto lending, borrowing and staking services. The Report also sets out the specific risks associated with each of those services.
  

Next Steps

The EBA and ESMA have stated that they will continue to assess market developments as part of their ongoing mandate to monitor innovative activities in the EU banking, payments and securities sectors.

2. ESMA publishes statement on non – MiCA compliant ARTs and EMTs

On 17 January 2025, the European Securities and Markets Authority (“ESMA”) published a statement (“Statement”) on the provision of certain crypto – asset services in relation to non – MiCA compliant asset – referenced tokens (“ARTs”) and electronic money tokens (“EMTs”).  

In the Statement, ESMA recalls the July 2024 statement of the European Banking Authority (“EBA”) bringing the application of MiCA to the attention of issuers, consumers, and other relevant stakeholders and announcing its priorities for the supervision of issuers of ARTs and EMTs for 2024 / 2025. In that statement, the EBA called on stakeholders to assess compliance with MiCA, and from 30 June 2024, to refrain from carrying out services that constitute offering to the public, seeking admission to trading or placing non - compliant ARTs  /EMTs. For more information, please see FIG Top 5 at 5 dated 11 July 2024.

The European Commission (“Commission”) has adopted a Q&A which clarifies which crypto – asset services provided in the EU may constitute an offering to the public or an admission to trading of non -MiCA compliant ARTs and EMTs.

Some of the matters addressed in the Statement are as follows:

• crypto – asset service providers (“CASPs”) are expected to take action to align their services promptly with the Statement, in order to avoid violating Titles III and IV of MiCA. In this regard, ESMA has stated that guidance from National Competent Authorities (“NCAs”) is important to ensure consistency throughout the EU, with NCAs encouraged to cooperate and coordinate actions;
• sudden actions to comply with MiCA may lead to disorderly crypto - assets markets and so ESMA states that NCAs should ensure compliance by CASPs regarding non-compliant ARTs or EMTs as soon as possible and no later than the end of Q1 2025.
• effectively, this means that CASPs operating a trading platform for crypto - assets are expected to stop making all crypto – assets, that would qualify as ARTs and EMTs but for which the issuer is not authorised in the EU, available for trading;
• if there is a doubt as to classification of a crypto – asset, CASPS are expected to contact their relevant NCA for guidance;
• CASPs providing services that amount to offering to the public or seeking admission to trading are expected to prioritise restricting existing services when they facilitate the acquisition of non-MiCA compliant ARTs and EMTs. They should also avoid entering into new products and offering services involving non-MiCA compliant ARTs and EMTs. Restrictions on existing services should be completed by the end of January 2025; and
• to allow EU investors to liquidate or convert their position in non - MiCA compliant ARTs and EMTs, concerned CASPs may, maintain crypto - asset services for these products on a “sell only” basis for a longer period, until the end of Q1 2025.

Next Steps

ESMA has stated that CASPs should launch effective communication campaigns aimed at raising awareness among EU investors about the impact of MiCA’s application on ARTs and EMTs that are not authorised in the EU. CASPs are also expected to implement technical procedures and initiatives to facilitate the liquidation of EU investors’ holdings in non-MiCA compliant ARTs and EMTs or their conversion into MiCA - compliant alternatives. ESMA has also advised that, when processing applications for authorisation as CASPs under Title V of MiCA, NCAs should carefully consider compliance with Titles III and IV of MiCA. 

4. EIOPA publishes its 2024 consumer trends report

On 15 January 2025, the European Insurance and Occupational Pensions Authority (“EIOPA”) published its 2024 consumer trends report (“Report”).

From an insurance perspective the Report considers the following:

1. trends in both value for money and digitalisation;
2. a focus on AI and its impact on policy servicing in insurance; and
3. developments as regards access to insurance, exploring enduring trends and risks that continue to be of significance.

Value for money (“VfM”)

Some of the observations highlighted in the Report, as regards VfM in insurance, include:

• although VfM risks are not widespread, the continued presence of some products in the market offering low VfM causes consumer detriment and can have a wider effect of diminishing consumer trust;
• when compared with other insurance products, insurance - based investment products (“IBIPs”) are the products with the lowest percentage of consumers believing that they offer VfM;
• when it comes to assessing whether their insurance product offer VfM, the Report found that low costs and good returns are the most important factors for consumers;
• Solvency II reporting shows that, despite inflationary pressures, commission rates remained stable or declined in 2023, indicating that the VfM supervisory focus is delivering better outcomes, though divergences across Member States exist; and
• product complexity can contribute to consumers not understanding their products and result in the non - purchase and  /or non  -renewal of such products.

Artificial intelligence (“AI”)

The Report considers how the increased use of AI - based tools by insurers is set to transform the insurance industry. Recent developments, particularly as regards generative AI technology, are expected to enhance and accelerate AI’s impact in the insurance industry, with motor, health and household insurance expected to be most affected by it. It is expected that generative AI will result in, amongst others, an easier and faster claims handling process, increased efficiency of insurance digital distribution and increased coverage of risks due to more precise risk assessment.

However, the Report also sounds a note of caution as regards risks and poor decision making arising from AI. Some of the risks highlighted in the Report include:

• inadequate support provided by Gen AI solutions, for example, chatbot;
• limited understanding of consumers’ specific or non - standard situations;
• excessive standardisation of settlement procedures which could trigger an increase in litigation, and could fail in non - standard situations;
• higher premiums or reduced access for high - risk or vulnerable clients; and
• concerns about data privacy, security and ethical use.

Additional developments

The Report highlighted some additional trends in the EU’s insurance sector, including:

• access to investment products and to non - life insurance products slightly declined from 2023 to 2024, partly due to the difficult financial situation of European households and to higher costs, driven by inflation;
• an increasing proportion of consumers are considering purchasing insurance with sustainability features (16% in 2024, compared to 13% in 2023). Given the risk of greenwashing, the Report notes the importance of the continuation of supervisory activities and the ensuring of fair commercial practices; and
• the sale of cross - border insurance products continues to increase moderately, due to digitalisation. While some consumers say they have access to better - value products, others have little trust in insurance products that are sold from a different country. The Report observes that this barrier may be exacerbated by the current challenges to cross - border supervision.
  

5. EBA Updates: (1) EBA consults on draft guidelines on ESG scenario analysis (2) EBA repeals guidelines on major incident reporting under PSD2 (3) EBA launches its 2025 EU - wide stress test

1. EBA consults on draft guidelines on ESG scenario analysis

On 16 January 2025, the European Banking Authority (”EBA”) launched a consultation paper (“Consultation”) on draft guidelines on ESG scenario analysis (“Guidelines”).

Background

As reported in last week’s Top 5, the EBA published its final report containing guidelines on the management of environmental, social and governance(“ESG”) risks. For more information, please see FIG Top 5 at 5 dated 9 January 2025. The EBA has stated that the Guidelines set out in the Consultation complement those guidelines on the management of ESG risks on the area of scenario analysis.

For institutions using the internal ratings - based (“IRB”) approach for calculating the own funds requirements for credit risk, the draft guidelines specify the way in which ESG risks (in particular, physical and transition risks stemming from climate change) are taken into account in the scenarios used for credit risk internal stress testing.

Consultation

The Guidelines focus on the role of scenario analysis in promoting the resilience of institutions as regards environmental risks, starting with climate. The Guidelines are structured around the distinction between scenario analysis used:

1. to test an institution’s financial resilience to severe shocks in the short to medium term and verify its capital and liquidity adequacy; and
2. to challenge the business model resilience of an institution, including in the long term, and help it navigate an uncertain future.

The Guidelines are divided into three sections as follows:

• the different uses institutions should make of scenario analysis and the proposal of a progressive and proportionate approach to incorporating scenario analysis into the institution management system;
• guidance on what is required before undertaking a scenario analysis and more specifically on the criteria for setting scenarios and identifying the transmission channels for translating climate risks into financial risks; and
• the third section sets out:
• the distinctive features to be taken into account when conducting a climate stress test in addition to the requirements set out in the guidelines on institutions’ stress testing; and
• the use of scenarios to help define and adjust the institution’s strategy and test the robustness of its business model to a range of plausible futures.

In between the text of the draft Guidelines, specific questions for the Consultation process, are set out.

Next Steps

The EBA has stated that it is consulting on the Guidelines until 16 April 2025 . Feedback received will be taken account of when finalising the Guidelines. The EBA plans to finalise the Guidelines by H2 2025 and they will apply from 11 January 2026 for institutions other than small and non - complex institutions, to which they will apply from 11 January 2027, at the latest.

2. EBA repeals guidelines on major incident reporting under PSD2

On 17 January 2025, the European Banking Authority (“EBA”) announced the repeal of its guidelines (“Guidelines”) on major incidents reporting under the Payment Services Directive (“PSD2”).

This development stems from the application of harmonised critical incident reporting under DORA since 17 January 2025. The repeal will avoid major incident reporting overlaps for payment service providers (“PSPs”) in scope of DORA and will promote legal certainty.

The EBA highlights that DORA has introduced harmonised incident reporting applicable to financial entities across the banking, securities / markets, insurance and pensions sectors. The EBA also notes that this includes most PSPs.

Importantly, the EBA highlights that incident reporting requirements under PSD2 will still be applicable to other types of PSPs, such as credit unions, that are not in scope of DORA. Notwithstanding this, the EBA has repealed the Guidelines in their entirety due to:

• the low number of PSPs not in scope of DORA and the fact that their market share at EU level is not sizeable;
• these PSPs operate in less than half of the EU member states and provide services at national level only; and
• the amount and significance of incident reports received from these PSPs at an EU level is negligible.

Next Steps

PSPs not in scope of DORA continue to be subject to national incident reporting requirements and competent authorities can continue to apply the incident reporting requirements under the Guidelines, through their national legal and supervisory frameworks, if they wish to do so.

3. EBA launches its 2025 EU - wide stress test

On 20 January 2025, the European Banking Authority (“EBA”) launched its 2025 EU – wide stress test (“Stress Test”).

The Stress Test is designed to assess the resilience of the European banking sector in the current uncertain and changing macroeconomic environment covering the period 2025 - 2027. It will be used to identify residual areas of uncertainty and will also feed into the supervisory decision making process to decide on appropriate mitigation actions.  Additionally, the Stress Test allows National Competent Authorities (“NCAs”) to assess whether the capital that has been built up by banks in recent years is enough in order to cover losses and support the economy in stressed times.

The Stress Test will be carried out across a sample of 64 banks – 51 from the Eurozone, representing approximately 75% of banks’ total assets in the EU and Norway.

The adverse macro – financial scenario (“Scenario”) set out in the Stress Test reflects the high degree of uncertainty in the current economic and geopolitical environment. Some of the key features of the Scenario are as follows:

• a severe loss of real GDP for the EU, reaching 6.3% from the starting point in 2024 to 2027;
• a significant increase in EU unemployment rate, of 5.8 percentage points from the starting point in 2024 to 2027;
• a strong fall in EU stock prices from the starting point, of 50% in 2025, 46% in 2026 and 42% in 2027;
• a substantial drop in EU residential and commercial real estate prices from the starting point over the three-year horizon, by 15.7% and 29.5% respectively; and
• inflation shifts upwards to 5.0% and 3.5% respectively in 2025 and 2026, before falling back to 1.9% in 2027.

The Scenario also includes information on the growth of gross value added in 16 sectors of economic activity, as was the case in the 2023 stress test.

Next Steps

The EBA expects to publish the results of the Stress Test at the beginning of August 2025.

Separately, on 20 January 2025, the European Central Bank (“ECB”) announced that it will stress test a total of 96 directly supervised banks in 2025. ECB supervisors will examine 51 of the euro area’s largest banks, representing around 75% of the euro area’s banking assets, as part of the 2025 EU - wide stress test coordinated by the EBA. The ECB will carry out its own stress test of 45 medium sized banks that are not included in the EBA sample. The ECB’s stress test will run in parallel with that of the EBA, with results planned to also be published in early August 2025.