News Update Financial Regulatory
30 September 2024
In this News Update we discuss: ESMA’s opinion on crypto firms seeking authorisation under MiCAR while keeping a substantial part of their group activities outside the EU regulatory scope; the European Supervisory Authorities publish the second batch of policy products under DORA and final draft RTS on subcontracting; and AFM guidance on testing digital operational resilience under DORA. We further highlight some other financial regulatory publications issued since our last News Update. Subscribe here to the News Update Financial Regulatory.
ESMA’s opinion on crypto firms seeking authorisation under MiCAR while keeping a substantial part of their group activities outside the EU regulatory scope
The European Securities and Markets Authority (ESMA) published an opinion addressing the risks presented by global crypto-asset firms that seek authorisation under the Markets in Crypto-Assets Regulation (MiCAR) for only part of their activities (crypto brokerage) while keeping a substantial part of their group activities (intra-group execution venues) outside the EU and outside the scope of MiCAR, which increases the risk of regulatory arbitrage. In its opinion, ESMA provides guidance for identifying such situations. This guidance builds on the guidance formulated during Brexit to identify international structures circumventing EU licence requirements. According to ESMA, such structures can lead to diminished consumer protection and to an uneven playing field for EU-authorised execution venues.
National Competent Authorities (NCAs) are advised to be vigilant during the authorisation process and to assess global firms’ business structures to ensure that they do not bypass the MiCAR obligations aimed at consumer protection and a transparent and orderly crypto market. In their assessment of individual applications, NCAs should focus on the specific requirements regarding the following topics, as non-compliance in these areas could indicate situations in which EU-authorised brokers mainly route transactions to group trading venues not authorised in the EU:
- best execution (Article 78 MiCAR requires crypto-asset service providers to take all necessary steps to obtain the best possible result for their clients when executing orders);
- conflict of interests (Article 72 MiCAR requires crypto-asset service providers to identify, prevent, manage and disclose conflicts of interests between, inter alia, themselves and their clients);
- the obligation to act honestly, fairly and professionally in the best interests of clients (Article 66 MiCAR); and
- the obligation relating to the custody and administration of crypto-assets on behalf of clients (Article 75(9) MiCAR provides that if crypto-asset service providers providing custody and administration of crypto-assets on behalf of clients rely on other entities to deliver that service, they must ensure that these entities are also authorised as crypto-asset service providers in accordance with MiCAR).
If an international crypto-asset service provider aims to obtain a MiCAR licence, it can improve the quality of its licence application, and possibly speed up the application process, by preparing for this assessment by the national competent authority in advance.
The European Supervisory Authorities publish the second batch of policy products under DORA and final draft RTS on subcontracting
The European Supervisory Authorities (ESAs), comprising ESMA, the European Insurance and Occupational Pensions Authority (EIOPA) and the European Banking Authority (EBA), published their second batch of policy products under the Digital Operational Resilience Act (DORA) on 17 July 2024. This batch consists of four final draft regulatory technical standards (RTS), one set of Implementing Technical Standards and two guidelines. On 26 July 2024 the ESAs also published the final draft RTS under DORA on subcontracting ICT services supporting critical or important functions.
Second batch of policy products from 17 July 2024
The ESAs emphasise the importance of enhancing the digital operational resilience of the EU financial sector, and thus ensuring continuous and uninterrupted provision of financial services to customers. The key topics covered by the package of 17 July 2024 for financial entities in scope of DORA are:
- The content, format and timelines for reporting of ICT-related incidents and significant cyber threats (including templates);
- threat led penetration testing; and
- the estimation and aggregation of costs and losses caused by major ICT incidents.
The Autoriteit Financiële Markten (AFM) already included this second package in its guidance on the testing of digital operational resilience as further discussed below. The guidelines have already been adopted.
Final draft RTS on subcontracting from 26 July 2024
The final draft RTS published on 26 July 2024 specifies how to determine and assess the conditions for subcontracting information and communication technology (ICT) services that support critical or important functions under DORA.
Furthermore, the RTS outlines the conditions that must be met at every stage of the contractual relationship between financial entities and ICT third-party service providers. Specifically, it requires financial entities to evaluate the risks connected to subcontracting in the pre-contractual stage, which includes the due diligence procedure.
To ensure that financial entities effectively monitor the subcontractors supporting the ICT services that support critical or important functions, and maintain control over the related risks, the RTS also defines requirements for the implementation and management of contractual arrangements on subcontracting conditions.
The RTS on subcontracting still need to be adopted by the European Commission.
AFM guidance on testing digital operational resilience under DORA
The AFM regularly publishes guidance on the key aspects of DORA. In its latest update of 23 September 2024, the AFM focuses on the testing of digital operational resilience. The update aims to help firms analyse the current status of their testing programmes and determine what actions they may need to take to ensure compliance with DORA. Previous AFM updates on DORA can be found here.
Two categories of testing requirements
Testing operational resilience is one of the elements in DORA geared to ensuring that financial firms have better control of ICT risks. The requirements for testing are laid down in Articles 24 through 27 of DORA:
- Articles 24 and 25 describe the general requirements for conducting tests, like how organisations should set up their testing programme and how often tests should be performed;
- Articles 26 and 27 describe requirements for advanced testing based on threat led penetration tests (TLPT).
Below we describe the general requirements. TLPT has to be performed at least every three years and has to cover all or several critical or important functions of a financial entity (Article 26(1) and (2) DORA). As the TLPT requirements are highly detailed, we kindly refer to the AFM update.
General requirements for testing ICT tools
The testing programme for operational resilience has to explicitly specify and describe the tests, practices, methodologies and tools regularly applied to assess the organisation’s ICT systems, tools and processes. The assessment covers the processes designed to detect and resolve ICT-related incidents in a timely manner. Additionally, financial entities have to assess their own ability to detect vulnerabilities and deficiencies in their digital resilience. Finally, the tests should demonstrate the extent to which organisations can implement timely remediation measures to minimise the duration and impact of disruptions. Testing programmes should give due consideration to the evolving ICT risk landscape, exposure to any specific risks, and the criticality of the ICT systems and services provided. The programme should entail at least annual testing of the ICT systems by internal or external testers.
The testing programme should be risk-based. Article 25 DORA provides guidance on the tests that firms can conduct in line with this approach. The firm has to determine which tests are relevant in accordance with the proportionality principle.
These requirements do not apply to microenterprises. However, microenterprises are required to combine a risk-based approach with strategic planning, seeking to maintain a balance between the scale of resources and the time to be allocated to ICT testing on the one hand, and the urgency, type of risk and criticality of the ICT system, as well as any other relevant factors, on the other. Considering the low materiality thresholds applicable to microenterprises, this light regime will hardly be relevant for the Dutch situation.
Other financial regulatory publications
We have highlighted a selection of other publications by legislatures and regulators for the financial markets and financial supervision since our August 2024 News Update.
AFM
- AFM published news (in Dutch) on 19 September 2024 of fines imposed on two finfluencers for collaborating with illegal asset manager Grinta Invest. The finfluencers promoted Grinta Invest and introduced investors, who subsequently lost their money because of Grinta Invest’s fraud.
DNB
- The Dutch Central Bank (DNB) published a news item (in Dutch) explaining that supervised institutions will regain access to the Ultimate Beneficial Owner (UBO) register in stages. Furthermore, for institutions in scope of the Money Laundering and Financing of Terrorism Act (Wet ter voorkoming van witwassen en financieren van terrorisme, Wwft) that do not yet have direct access to the UBO register, it has been mandatory since 1 August 2024 to request a certified extract of the UBO data from the client. From 1 October, the obligation under Article 10c Wwft to report back to the UBO register will also apply if a Wwft institution receives a certified extract from the client.
- DNB published news that a number of elements of the regulations governing the Dutch deposit guarantee scheme would change on 1 September 2024. The most important changes relate to the target size of the Deposit Guarantee Fund, transfers of deposits, risk methodology and non-natural persons without legal personality.
- DNB published a news release on 22 August 2024 (in Dutch) stating that a preliminary format and process for reporting the information register under DORA is available. Under Article 28(3) DORA, financial institutions must maintain an information register for all contractual agreements on the use of ICT services provided by third-party providers. A draft standard template is available for the information register, which will apply to all financial institutions subject to DORA.
- DNB announced that it was extending the period during which it would take no enforcement action on the boundary between the banking book and the trading book. It concurs with the EBA’s opinion that competent authorities should not prioritise any supervisory or enforcement action in relation to the new banking book/trading book boundary provisions.
- DNB published news that lending by other non-bank financial intermediaries has declined over the past two years.
ESAs
- ESMA published its newsletter for July 2024 in which it discusses its opinion on global crypto firms using their non-EU execution venues, the ESAs’ second batch of policy products under DORA (discussed above), the ESAs’ final report on the draft technical standards on subcontracting under DORA, the EU systemic cyber incident coordination framework, ESMA’s long-term vision on the functioning of the sustainable finance framework, ESMA’s stress test of central counterparties, frauds and scams, data on cross-border investment activity of firms, the Central Securities Depositories Regulation Refit and new consultations under the Markets in Financial Instruments Regulation.
The Dutch government
- The Financial Markets Amendment Act 2024 (Wijzigingswet financiële markten 2024) has been published in the Government Gazette. It contains amendments to the Dutch Financial Supervision Act (Wet op het financieel toezicht), the Trust Offices (Supervision) Act 2018 (Wet toezicht trustkantoren 2018) and some other laws. The amendments cover matters including crowdfunding service providers, insurers and trust offices.