Welcome to the FIG Top 5 at 5

On 26 May 2026, the Central Bank of Ireland (“Central Bank”) updated its February 2025 document entitled “Our Approach to Supervision”.

The 2025 document, which provides an overview of the Central Bank’s supervisory framework, including details as to its supervisory principles and practices, was published on foot of the Central Bank’s initiative as regards the transformation of regulation and supervision – for more information, see FIG Top 5 at 5 dated 6 March 2025.

2026 update

The May 2026 update (“Update”) consists more of a reorganisation of the content, rather than an entirely new document. Some of the main changes are as follows:

• there is a new, comprehensive infographic at the start of the Update that collates infographics from the 2025 version, dealing with safeguarding outcomes, supervisory principles and supervised sectors;
• the introduction in section 1 has been somewhat reorganised with some parts having been moved to different subsections, for example:
  • considerations as to the size and complexity of the financial sector has been reworded and moved to a new “Outcomes Focused” part of section 2.1 which details the Central Bank’s supervisory principles; and
  • a similar approach has been taken with the discussion as to risk-based supervision and that is now to be found in “Risk-Based”, also in section 2.1.
• section 2.1, “Evolution of Our Supervisory Approach”, has been removed. It has been somewhat incorporated into “Our Supervisory Approach” in section 2. However, the previous reference to the 2011 introduction of PRISM has been removed and the Update no longer contains any references to PRISM;
• section 2.1, “Supervision at a Sectoral Level”, has been reorganised, with some parts moved to new subsections in the Update, some of which are as follows:
  • considerations as to the identification and prioritisation of risks has been moved to a new section entitled “Risk Identification and Prioritisation” in section 2.2.3. This new section now also expressly makes reference to the fact that the Central Bank now publishes an overview of its planned activities to achieve its priorities, in its Regulatory and Supervisory Outlook Report; and
  • the part setting out details as to programmatic supervision has been moved to the subsection entitled “Risk Mitigation and Remediation” at 2.2.4
• there is a new section at 2.2.5 entitled “Multi-year Supervisory Strategic Plans”, reference to which was contained in the 2025 version, however, the matter is now contained in its own section; and
• the “Conclusion” has also been updated to highlight that through integration, more of a focus on outcomes and a more holistic approach to risk identification and prioritisation, simplification benefits have been achieved such as:
  • firms hear one voice – improving the clarity and effectiveness of the Central Bank’s interventions;
  • there are streamlined engagement and requests from the Central Bank via integrated, multi-disciplinary teams;
  • the Central Bank is “better living” its risk tolerance and its outcomes focussed, risk-based approach, with “embedded proportionality”; and
  • the Central Bank is regulating and supervising well for a “more effective and efficient framework”.

On 27 May 2026, the European Central Bank (“ECB”) published its May 2026 financial stability review (“Review”).

The Review highlights that the outlook for financial stability in the euro area is being shaped by geoeconomic stress and disruptions to energy supply. The Report notes that the implications for growth, inflation and financial stability are dependent on the severity and duration of the war in the Middle East. The Report also points out that there are lingering risks of further disruption in international trade and cooperation as well as “ever-present cyber threats”.

Some of the matters highlighted by the Report are as follows:

• prolonged geopolitical tensions and lingering fiscal challenges could test financial market sentiment and expose sovereign vulnerabilities;
• vulnerabilities among non-banks, including those active in private markets, could escalate stress in financial markets and increase the risk of cross-sector spillovers;
• overall, resilience in the banking sector has increased, however, credit, liquidity and funding vulnerabilities might “unravel” due to exposure to non-banks and energy and trade-sensitive corporates;
• in the current context of geoeconomic shocks, the resilience of banks and non-banks must be maintained, with the Report highlighting that for banks:
  • macroprudential buffers must be maintained, while also remaining agile;
  • the banking union must be completed and the single market made more efficient; and
  • the supervisory and regulatory framework must be simplified without compromising resilience.

when it comes to preserving the resilience of non-banks, the Report highlights that:

• • internationally agreed reforms to address leverage and liquidity risks must be implemented;
  • supervisory and macroprudential frameworks must be enhanced so as to develop EU capital markets; and
  • data gaps must be dealt with to support risk monitoring, including in private credit.
• when it comes to the insurance sector, the Report highlights that the median solvency ratio of insurance corporations has remained above 200%, which provides a significant buffer to absorb potential losses. The Report highlights that profitability in the sector is strong but that there is a possibility this might moderate in 2026 due to competitive pressures, higher insurance rates and rising operational costs;
• some further matters highlighted by the Report as regards euro area insurance corporations are as follows:
  • euro area insurance corporations’ risks stemming from insurance related to property and activities in the Middle East are contained; and
  • insurance corporations (and pension funds) have exposures to illiquid assets that could lead to additional risks.

Special features

The Report also contains four “special features”, as follows:

• the first feature looks at financial stability sentiment using advanced AI tools;
• the second considers the divergence between rising corporate insolvencies and low non- performing loan ratios in the euro area;
• the third special feature examines the effects of macroprudential policies on household credit and house prices; and
• the final feature analyses stress in global private credit markets and its implications for euro area financial stability.

On 2 June 2026, the Basel Committee on Banking Supervision (“BCBS”) published a report (“Report”) on a range of observed information and communication technology (“ICT”) risk management practices across 16 jurisdictions worldwide.

The Report points out that ICT risk management is a subset of operational risk management, and contributes to the broader goal, and ultimate outcome, of achieving operational resilience.

The Report highlights that operational resilience for banks, when it comes to ICT incidents, has become increasingly important in the context of “an evolving and digitalised technology landscape”. It was with this in mind, the Report goes on to note, that the BCBS analysed global practices and developments in ICT risk management as part of its 2025-2026 work programme.

The Report focuses on non-malicious ICT incidents in global systemically important banks, domestic systemically important banks and other banks of interest, for example, digital-only banks, that affect the delivery of critical operations.

The Report analyses the root causes of non-malicious ICT incidents, providing insights into common weaknesses and patterns across the participating jurisdictions. The Report also considers mitigating practices engaged in by banks including governance frameworks, continuity planning, incident management and third-party risk management. Ultimately, the Report aims to support banks’ development of robust ICT risk management frameworks and to promote greater operational resilience in the financial sector.

Some of the main findings highlighted by the Report are as follows:

• the most common cause of ICT incidents include:
  • change control gaps;
  • gaps in systems design, development and testing;
  • system capacity and performance issues; and
  • external dependency operational failure.
• the most reported ICT risk management practices are as follows:
  • ICT change management – managing the risks arising from changes to ICT systems and infrastructure;
  • third-party risk management – to managing the ICT risks arising from using and reliance on third party services;
  • ICT continuity testing – maintaining the banks’ ICT business continuity and testing the effectiveness and robustness of their business continuity and disaster recovery measures;
  • ICT incident and problem management – ensuring effective incident response, containment, root cause identification and remediation; and
  • ICT project management and system development – implementing ICT systems to meet business requirements and to achieve the necessary quality, reliability and security assurance.
• all surveyed banking authorities have ICT risk management regulations and / or guidance in place.
• Some of the challenges faced by banks, as regards their implementation of ICT risk management practices, include:
  • maintaining traceability from business services to ICT assets and ensuring the completeness of system dependency mapping and ICT asset inventory;
  • talent shortages, particularly in cyber security, cloud, artificial intelligence / machine learning and legacy systems, are exacerbated by competition with the technology industry; and
  • lack of visibility into risk management controls at their technology service providers, as well as their own third-party concentration risks and supply chain interdependencies.

Next Steps

The BCBS has stated that it will continue to monitor developments related to the digitalisation of finance and financial technology, including developments in artificial intelligence models and the implications for banks’ cyber security.

1. Delegated regulation amending RTS on volume cap and transparency calculations under MiFIR II published in OJEU

 

On 1 June 2026, commission delegated regulation (“Delegated Regulation”) (EU) 2026/392 amending regulatory technical standards (“RTS”) laid down in delegated regulation (EU) 2017/577, as regards the  volume cap and the provision of information for the purposes of transparency and other calculations under MiFIR II, was published in the official journal of the European Union (“OJEU”).

The RTS come on foot of the change from double to single volume cap introduced by the MiFIR review, together with the upcoming use of transaction reporting data for transparency calculations. The European Securities and Markets Authority (“ESMA”) published a final report on the RTS in April 2025 – for more information, see FIG Top 5 at 5 dated 17 April 2025.

Some of the areas covered by the RTS include the following:

• the content of the data requests and the information to be reported;
• the format of the data requests;
• the type of data that must be stored and the period of time trading venues, approved publication arrangements (“APAs”) and consolidated tape providers (“CTPs”) must store data;
• reporting requirements for trading venues, APAs and CTPs to ESMA for the trading obligation for derivatives; and
• publication requirements for ESMA for the volume cap.

Next Steps

The Delegated Regulation will enter into force on 21 June 2026, being 20 days following its publication in the OJEU.

 

2. Delegated directive on third party execution and research services under MiFID II published in OJEU

 

On 2 June 2026, commission delegated directive (EU) 2026/374 (“Delegated Directive”), amending delegated directive (EU) 2017/593  (“MiFID II Delegated Directive”), regarding the conditions for the provision of third party execution and research services to investment firms that provide portfolio management or other investment or ancillary services, was published in the official journal of the EU (“OJEU”).

Directive (EU) 2024/2811, which is park of the Listing Act package (which amended MiFID II), amended the way investment firms may pay for third party execution and research services by giving those firms the option to choose between paying separately or jointly for those services. By providing this flexibility, the potential administrative burden that would come with organising separate payments for execution and research services, is addressed.

Accordingly, article 13 of the MiFID II Delegated Act is amended, with some of the amendments addressing the following matters:

• member states must ensure that investment firms that operate a separate research payment account meet certain conditions, for example that the research payment account is funded by a specific research charge to the client;
• firms are required to provide information to clients about how they pay for research and execution services, for example, annual information on the total costs that the investment firm has incurred for third party research; and
• requirements as to transparency that firms must adhere to if they decide to pay separately for research and execution services.

Next Steps

The Delegated Directive states that member states are required to adopt and publish national implementing legislation by 5 June 2026 and to apply such legislation from 6 June 2026.

The Delegated Directive will enter into force 20 days following its publication in the OJEU.

1. AMLA holds public hearing on draft guidelines on business-wide risk assessment

 

On 29 May 2026, the Anti-Money Laundering Authority (“AMLA”) published a press release (“Press Release”) regarding the planned public hearing (“Hearing”) on draft guidelines (“Guidelines”) on business-wide risk assessment (“BWRA”) under article 10(4) of regulation (EU) 2024/1624 (“AMLR”). The Hearing took place on 28 May 2026.

The ALMA launched a consultation on the Guidelines on 16 April 2026, which runs until 15 July 2026 – for more information, see FIG Top 5 at 5 dated 23 April 2026.

During the Hearing, the AMLA highlighted its focus on simplification in the drafting of the Guidelines in that duplication was avoided where AML rules were already clear. Additionally, the AMLA emphasised its focus on proportionality.

The Press Release notes the varying questions that came up at the meeting, which it stated, highlighted “the varied operational realities of the sectors covered by the guidelines.”

The Press Release contains a link to slides from the Hearing, some of the matters highlighted in those slides include:

• the BWRA is the foundation of an obliged entity’s (“OE”) AML risk based approach and is aimed at risk awareness / gap identification / effective resource allocation;
• the BWRA is not an individual risk assessment or a supervisory one;
• the policy options considered by the AMLA, for example, whether to use a standardised / prescriptive methodology or to allow OEs some flexibility as to the method used;
• the key elements of the Guidelines; and
• the detailed structure of the Guidelines.

Next Steps

The AMLA expects to publish the Guidelines in Q4 2026.

 

2. Commission adopts delegated regulation on RTS on operational risk loss framework under CRR III

 

On 28 May 2026, the European Commission (“Commission”) adopted a delegated regulation (“Delegated Regulation”), supplementing the Capital Requirements Regulation (“CRR”) as amended by CRR III, regarding regulatory technical standards (“RTS”) specifying operational risk requirements.

The RTS set out the key aspects of the operational risk framework.  Some of the areas addressed by the RTS are as follows:

• the components of the business indicator are specified by detailing a list of items and the elements to be excluded from the business indicator;
• how institutions are to determine the adjustments to the business indicator following mergers, acquisitions and disposals, the conditions according to which competent authorities may grant the permission to adjust the business indicator following disposals and the timing of the adjustments post-disposals;
• the RTS establish a risk taxonomy on operational risk and a methodology to classify the loss events included in the loss data set by developing a list of operational risk loss events, and providing guidance on the classification of rapidly recovered losses and losses from legal proceedings;
• the RTS set out the conditions under which the calculation of the annual operational risk loss should be deemed unduly burdensome for institutions, the business indicator of which is equal to or exceeding €750 million and not exceeding €1 billion; and
• how institutions are to determine the adjustments to their loss data set following the inclusion of losses from merged or acquired entities or activities.

Next Steps

The Delegated Regulation will now be scrutinised by the European Parliament and the European Council and if neither institution has any objections, then it will be published in the official journal of the EU and will enter into force 20 days after such publication.