On 24 April 2024, the Central Bank of Ireland (“Central Bank”) published a Dear CEO Letter on its Thematic Review on Early Mortgage Arrears (“Letter”). The Central Bank had carried out the Thematic Review on Early Mortgage Arrears (“Review”) across 7 mortgage lenders including retail banks, retail credit firms and credit servicing firms which represented 90% of all private dwelling house mortgage arrears accounts in H2 of 2023.

The Review took place to coincide with the expected stress of borrowers’ finances due to the rising cost of living and interest rates. However, as evidenced in the Central Bank’s recent Statistics, while there is an upward trajectory in the level of early mortgage arrears, the increases seen to date are not yet significant.

The Review builds on the Dear CEO Letter that the Central Bank had published in November 2022 on its expectations for protecting consumers in the changing economic landscape and beyond, a note describing the ongoing supervisory work on mortgages issued in April 2023 as well as the Regulatory and Supervisory Outlook Report (“Report”).

The Review aimed to ensure that the regulatory framework operates as it is intended to in supporting borrowers in/facing early arrears. The Letter outlines a number of findings from the Review, including:

• firms are progressing those who are in pre- and early arrears through the Mortgage Arrears Resolution Process and finding solutions for such customers which implies that the framework contained in the Code of Conduct on Mortgage Arrears (“CCMA”) is ”well positioned to support borrowers in or facing financial difficulty”;
• some practices go beyond minimum compliance with regulation, with some firms making further improvements for borrowers;
• some of the issues identified related to: (i) provision of information to borrowers; (ii) engagement with borrowers; and (iii) delays and errors, which may increase the risk that firms are not operationally ready to respond to increases in the volume of such cases in a timely manner, and the risk that borrowers may disengage from the process, resulting in a further deterioration in their financial position; and
• some firms could use the temporary alternative repayment arrangements (“ARA”), prior to the full assessment of the standard financial statement (“SFS”), more effectively to support borrowers and provide more information to improve consumer decision making.

Feedback to Industry

• the CCMA framework is effective in supporting and identifying solutions for customers;
• firms need to take additional steps to ensure effective customer service and information;
• firms are required to consider and address the findings of the Review and do so using a consumer-centric approach, including the good practices outlined in the appendix, particularly the implementation of functionality which enables borrowers to complete an SFS online and enable them to save progress and return later if needed;
• firms must deal with the issues identified in the Review in a timely manner, addressing both the governance and oversight issues, as well as the behavioural and cultural causes including operational capacity and skilled staff; and
• firms should also consider the drivers of risk outlined in the Report, as risk drivers identified in the Report were also seen in the Review, more particularly – poor business practices and weak business processes; ineffective disclosures to consumers; and inadequate support of borrowers in the context of the changing operational landscape.

Follow Up Actions

The Central Bank has outlined to each firm included in the Review, the issues and concerns identified and how to address them, including Risk Mitigation Programmes. It also provided feedback to firms on aspects of the Review prior to completion of all supervisory work so as to drive further improvements for borrowers as early as possible. The Letter also noted that the Central Bank had seen some firms respond to and self-identify changes relating to the Review before they were formally communicated.

On 30 April 2024, the European Insurance and Occupational Pensions Authority (“EIOPA”) published a report on the digitalisation of the European insurance sector. In March 2023, EIOPA had launched a survey which aimed to better understand the dynamics, opportunities, and risks associated with ongoing digitalisation projects in the European insurance sector.

Some of the key results of the survey outlined in the Report include:

• the digitalisation of the European insurance sector is varied but mostly still at an incipient stage;
• for life insurers in particular, pure digital distribution channels play a secondary role;
• most customers purchase insurance products through physical channels;
• telephone, email and face-to-face communication are the most popular methods of engaging with insurance undertakings to date;
• the use of chatbots is expected to increase significantly in the near future;
• most insurance undertakings have a social media presence which they use to interact with consumers and launch marketing and education campaigns, with some using influencers;
• almost 80% of respondents outsourced cloud computing data storage to BigTech cloud services;
• 50% of non-life insurance respondents and 24% of life insurance respondents use AI, with an additional 30 and 39% respectively expecting to use it within the next 3 years;
• most AI use cases are developed in house, mostly used with human oversight;
• only a small number of insurance undertakings use the Internet of Things, blockchain and parametric insurance products;
• while there has been a growth in the number of cyber insurance markets in the past 10 years, most cyber insurance products include marked coverage exclusions, and are aimed at corporate customers, rather than retail customers;
• acquiring adequate talent is seen as a barrier to digital transformation; and
• cyber risks are perceived as the main risk arising from digitalisation.
  

Next Steps

EIOPA will incorporate the findings from the survey in its approach to implementing its Digital Strategy, and will assess in particular the use and impact of AI. EIOPA will also continue its work on data accessibility, data standards including contributions to the Financial Data Access Framework Regulation.

Alongside the other European Supervisory Authorities, EIOPA will work on the implementation of DORA, and the development of guidelines on the classification of crypto-assets. EIOPA is also expected to provide technical advice to the European Commission regarding the prudential treatment of crypto-assets.

Finally EIOPA will conduct more analyses in relation to cyber insurance, and promote the financial inclusion of vulnerable customers, customer protection and the ethical use of data in relation to AI and digitalisation.

On 29 April 2024, the European Banking Authority (“EBA”) published its Opinion on new types of payment fraud and possible mitigants (“Opinion”). The purpose of the Opinion is to strengthen the legislative framework under the proposed Payment Services Regulation (“PSR”) and proposed Third Payment Services Directive (“PSD3”) and enshrine anti-fraud requirements for retail payments.

The EBA originally published an opinion in June 2022 which made a number of initial recommendations, which the European Commission (“Commission”) has incorporated into its proposals for PSD3 and PSR. Since then, the EBA has carried out further work, in assessing new fraud trends and types of payment fraud. This was informed by the collection of data in collaboration with national competent authorities, on data points that are not requested under the EBA Guidelines.

Emerging fraud trends

The Opinion highlights a number of new types of fraud including:

• instant credit transfers, or instant payments: data from H1 of 2022 indicated that fraud rates in value are on average 20 time higher than conventional Credit Transfers. While it is too early to identify the root cause of this, it may be in part due to the fact that the possibility of payment service providers (“PSPs”) to recover funds in the case of fraudulent instant transfers is extremely limited; or the technical constraints associated with transaction monitoring and subsequent treatment of suspicious transactions by PSPs;
• fraud rates for cross-border transactions: these are much higher than domestic transactions with EBA data from 2022 suggesting cross-border fraud rates are 9 times higher than domestic transactions. Evidence suggests that this may be due to insufficient cross-border cooperation between PSPs to deal with international criminal activities; and uneven application of Strong Consumer Authentication; and
• distribution of liability for fraud losses: data from 2022 indicated that losses from card payments were equally split between PSPs and payment service users (“PSUs”), while with losses from credit transfers, 79% was borne by the PSU equating to €1.2 billion. This may be due to the increasing numbers of payment fraud manipulating the payer; a lack of clear delineation between authorised and unauthorised transactions in PSD2; and the broad interpretation of ”gross negligence” by Member States.

Emerging Fraud Types

While significant progress has been made in preventing fraud based on the stealing of consumers’ credentials, other types of fraud have emerged including:

• manipulation of the payer;
• mixing social engineering and technical scam; and
• enrolment process compromise.

Specific Proposals

The EBA welcomed the Commission’s new security provision within PSD3 and PSR, and the Instant Payments Regulation including mandatory IBAN/Name check; enhanced transaction monitoring; supporting sharing of fraud-related information between PSPs; and requiring PSPs to conduct educational initiatives regarding payment fraud. The EBA raised concerns that 9 months after the Instant Payments Regulation enters into force, all PSPs in the eurozone will have to accept instant payments but only some of them will support the IBAN/ Name check, and emphasised that adequate safeguards are needed to prevent an increase in fraud levels.

The EBA identified additional measures that it believes should be considered by the co-legislators and the Commission in the negotiation of the PSD3/PSR proposals:

• reinforced security requirements for PSPs aimed at further strengthening the procedure for authentication of transactions;
• fraud risk management framework to be established by PSPs, in addition to the mandatory security requirements;
• amended liability rules including a proper delineation between authorised and unauthorised transactions, and clarification on the term “gross negligence”;
• strengthened and harmonised supervision on fraud management; and
• appropriate security requirements for a single EU-wide platform for information sharing to prevent and identify potentially fraudulent payment transactions.

On 24 April 2024, the European Commissioner for Financial Stability, Financial Services and the Capital Markets Union, Mairead McGuinness, gave a speech entitled “An innovative and integrated European retail payments market” at the European Central Bank (“ECB”) conference. The following is a summary of the key messages delivered in the Commissioner’s speech.

Integration

Commissioner McGuinness noted that the Regulation on Instant Payments in Euro which enters into force this month, will benefit consumers by avoiding late payment penalties and improve cashflow for SMEs. She noted that it also represented an opportunity to tackle challenges such as fraud and to provide a level playing field for existing and new players. From early 2025, payment service providers will have to offer to carry out an IBAN-name verification service to provide additional security against fraud.

Innovation

The Payment Services Regulation improves conditions for innovative players and strengthens non-bank providers’ access to a bank account. Commissioner McGuinness highlighted that while the open banking market continues to grow, payment initiation services are yet to deliver their full benefit. In order to develop open banking, the European Commission (“Commission”) has clarified the rules surrounding open banking interfaces, as well as measures to ensure that consumers trust that they are truly in control of their own data such as the proposed “permission dashboards”.

IBAN discrimination

Commissioner McGuinness noted that the Commission is still working to prevent IBAN discrimination, 9 years after the SEPA implementation deadline. She noted that the refusal of companies or public administrators to make or receive euro payments involving non-domestic accounts affects citizens, as well as new market entrants such as fintechs.

While national authorities are responsible for the correct implementation and application of EU law, the Commission is also working to ensure that national law “properly equips local authorities to enforce SEPA Regulation”. Complaints that the Commission receives enables it to assess whether there are systemic breaches in EU law in certain member states, and to take enforcement actions where necessary.

Payment fraud

To ensure that consumers can benefit from an integrated and innovative payments market, payment fraud must be tackled. While Strong Consumer Authentication has been successful in reducing fraud, accessibility could be improved, particularly for those who do not have smartphones. New forms of fraud are also evolving such as spoofing, and the Commission must also ensure that their rules on tackling fraud evolve in tandem. The introduction of the IBAN-name check, and revised rules which require payment service providers to run fraud awareness campaigns for their customers and employees will help this. In addition, social networks and search engines will have a role to play, and the European Parliament and member states are in discussions as to what this role will look like.

Financial literacy will also play an important role alongside consumer protection. Certain groups, particularly young people, women and older age groups have low financial literacy. The Commission, in collaboration with the OECD have developed 2 financial competence framework, one aimed at adults and the other at children and young people to improve skills such as saving, investing, recognising fraud and scams.

Digital Euro

The Commission adopted a single currency package in June 2023, which included the proposal for a digital euro and the proposal on accessibility and acceptability of cash. Commissioner McGuinness noted that the digital euro could well offer an additional method of payment across the euro area, and will complement cash and private payments. It may also act as a catalyst for payments innovation. She cautions that the digital euro must be well designed and the Commission is working alongside the Parliament, member states and ECB as the process continues.

Cash still has an important role to play in terms of financial inclusion. Proposals such as facilitating retailers in offering cash withdrawals up to €50 without the need for a purchase, and proposed safeguards for cash will help to ensure that cash is widely available and easily accessible.

AML Legislative Updates

On 24 April 2024, the European Parliament announced that it had voted in plenary to adopt 3 pieces of anti-money laundering legislation, and published the adopted texts of:

• proposed Regulation on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing (“AL/TF”) (“AML Regulation”);
• proposed Regulation establishing the Anti-Money Laundering Authority (“AMLA”); and
• proposed 6^th Money Laundering Directive (“MLD6”).
  

The European Commission also published a factsheet, an FAQ document, and an article which can be accessed here.

Next Steps

The Council of the European Union must now adopt the legislation formally, after which it will be published in the Official Journal of the European Union (“OJ”).

• AML: this will enter into force 20 days after publication in the OJ, and apply 3 years from the date it enters into force, except in relation to Article 3(3)(n) and (o) which will apply 5 years after entry into force.
• AMLA: this will enter into force 7 days after publication in the OJ and will apply from 1 July 2025, with the exception of Articles 1, 4, 49, 53-55, 57-66, 68-71, 100, 101 and 107 which will apply from 31 December 2025.
• MLD6: this will enter into force 20 days after publication in the OJ. Member States will have 36 months from the date of entry into force to transpose MLD6, with the exception of:
  • Article 74 which will apply 12 months after;
  • Articles 11, 12, 13 and 15 which will apply 24 months after; and
  • Article 18 which will apply 60 months after.

On 25 April 2024, the European Parliament adopted the proposed Regulation amending the Capital Requirements Regulation (“CRR III”) in relation to the requirements for credit risk, credit valuation adjustment risk, operational risk, market risk and the output floor. It also adopted the proposed Directive amending the Capital Requirements Directive IV (“CRD IV”) in relation to supervisory powers, sanctions, third country branches and ESG risks.

For more information on the CRR and CRD, please see FIG Top 5 at 5, dated 29 June 2023.

Next Steps

The European Council must now adopt the legislation, and if adopted it will enter into force 20 days after it is published in the Official Journal of the EU. CRR III will apply from 1 January 2025, with certain elements being phased in. Member States are expected to apply measures implementing CRD IV 18 months and one day after it enters into force.

On 25 April 2024, the European Parliament voted in plenary to adopt the proposed Regulation on the transparency and integrity of environmental, social and governance (“ESG”) rating activities which reflects the provisional agreement that was reached in February 2024.

The rules will add more transparency and structure around how ESG ratings are undertaken and communicated:

• separate E, S and G ratings shall be provided rather than an aggregate rating. E ratings should include information on whether that rating takes into account alignment with the Paris Agreement or other international agreements; and S and G factors should also provide information on what account the rating takes of relevant international agreements;
• the rating agency should explicitly disclose whether the delivered rating assesses how the rated entity affects and is affected by E, S, and G factors, which will encourage ESG raters to address the materiality impact entity on the environmental and society – known as the double materiality approach; and
• an ESG rating provider established in the EU as a small undertaking or small group will only be subject to some of the provisions for its first 3 years in existence.

Next Steps

The text has not yet undergone lawyer-linguist revision, after which the Parliament will confirm the final text under the corrigenda procedure. This will likely happen in September, following the European elections.

The Council of the European Union must then adopt the final text, which will enter into force 20 days after its publication in the Official Journal of the European Union. It will apply 18 months after it enters into force.