1. Central Bank of Ireland's pre-legislative scrutiny submission on the Access to Cash Bill 2024
On 8 March 2024, the Deputy Governor of the Central Bank of Ireland ("Central Bank"), Vasileios Madouros, responded to a request for a submission from the Central Bank as part of pre-legislative scrutiny of the General Scheme of the Access to Cash Bill 2024 ("Bill").
In the response, the Deputy Governor highlighted how the Central Bank, overall, welcomed the Bill, and expressed the Central Bank's views on five specific elements of the proposed legislation:
- Stakeholder responsibilities – the Central Bank welcomed the obligations placed directly on stakeholders within the cash system, noting the collective responsibility on all cash cycle participants to ensure that reasonable access for consumers in Ireland is maintained. The Central Bank also noted that while the access to cash criteria may temporarily not be met in certain areas, and operational disturbances may occur, it expects all parties within the sector to have the right processes in place to respond to such instances;
- Registration and oversight of Independent ATM Deployers – the Central Bank supports the requirement for independent ATM Deployers ("IADs") to be registered and subject to oversight by the Central Bank, noting the need for new requirements to be proportionate and risk-based. The main role of the Central Bank in overseeing IADs will be "to produce regulations to set minimum standards and oversee compliance with these standards". Registration of IADs will be less onerous than other regulated sectors, which the Central Bank noted is more appropriate for the sector. The oversight of IADs is not a full supervisory regime and will seek to ensure IAD compliance with service standards and ensure sufficient notice is given regarding withdrawal of services;
- Registration and oversight of Cash in Transit ("CIT") companies – the Central Bank welcomed the implementation of a registration and oversight regime for this sector, similar to the one set out for IADs, and which will involve the collection of data to monitor early warning signs of stress in such entities. The Public Service Authority will regulate all other aspects of their activity. CIT companies will be required to notify the Central Bank in advance of material changes to their business, and to have business continuity plans and exit strategies in place. The Central Bank will also be able to petition the High Court to appoint an examiner to a CIT company;
- Ensuring Reasonable Access to Cash ("RAC") – the Central Bank welcomed the distance metric of 10km and the per capita metric of a minimum number of ATMs per 100,000 people. The Central Bank will be responsible for advising the Minister on the operation of the RAC criteria following its initial calibration, and will monitor the criteria quarterly. It will also inform Designated Entities of the details of any breaches and request details on how they intend to resolve such breaches; and
- Balancing societal costs and benefits of a given level of cash infrastructure – the Central Bank welcomed the provisions set out in the Heads of Bill for Ministerial powers to vary the criteria for access to cash to ensure the "key trade-offs" from a societal point of view are balanced.
For more information on the General Scheme of the Access to Cash Bill, please see FIG Top 5 at 5 dated 25 January 2024.
2. European Parliament adopts directive criminalising the violation and circumvention of EU sanctions.
On 12 March 2024, the European Parliament issued a press release stating that it had adopted a Directive on the definition of criminal offences and penalties for the violation of Union restriction measures and amending Directive 2018/1673 ("Directive").
The Directive aims to harmonise the enforcement of EU sanctions across Member States and
- sets consistent definitions for violations;
- providing financial services or legal advisory services in violation of sanctions will become a punishable offence;
- defines "circumvention of sanctions" which will become a punishable offence;
- humanitarian assistance and supporting basic human needs will not count as a sanctions violation;
- the violation or circumvention of sanctions will become a criminal offence punishable by up to 5 years imprisonment in all Member States;
- judges will be able to impose dissuasive fines on companies who violate or circumvent sanctions; and
- trade in arms or dual-use items will also be criminalised in cases of serious negligence.
Next Steps
The Council of the European Union must now formally approve the Directive. If they do, the Directive will enter into force 20 days after its publication in the Official Journal of the European Union and Member States will have one year to transpose it into national law.
For more information on the background to the Directive and the Council's general position on the Directive, please see the FIG Top 5 at 5 dated 16 June 2023.
3. Official Journal Updates – Instant Payments Regulation and Delegated Regulation relating to IDD
Instant Payments Regulation is published in the Official Journal
On 19 March 2024, the Regulation on instant credit transfers, also known as the Instant Payments Regulation, was published in the Official Journal of the European Union ("Regulation"). The Regulation will amend the Single Euro Payments Area Regulation to make instant payments in euro available to all citizens and businesses holding a bank account in the European Union and the European Economic Area countries. It also contains amendments to the Cross-Border Payments Regulation, the Settlement Finality Directive and the Second Payments Service Directive ("PSD2").
For more information on the Regulation, please see FIG Top 5 at 5 dated 8 February 2024.
Next Steps
The Regulation will enter into force 20 days after its publication in the Official Journal, on the 8 April 2024. The reforms introduced by the Regulation will apply to payment service providers ("PSPs") from various dates, with longer transition periods applying to PSPs located in member states that are not in the euro area. Member States must adopt and publish laws and regulations necessary to comply with the amendments to the Settlement Finality Directive and PSD2 by 9 April 2025.
Commission Delegated Regulation on adapting base euro amounts for PII and financial capacity of intermediaries under the IDD is published in the Official Journal
On 20 March 2024, the Commission Delegated Regulation amending The Insurance Distribution Directive ("IDD") with regard to regulatory technical standards adapting the base euro amounts for professional indemnity insurance ("PII") and for financial capacity of (re)insurance intermediaries, was published in the Official Journal of the European Union.
Reflecting the increase of 20.32% in the Index from 1 January 2018 to 31 December 2023, the Regulation will amend Articles 10(4) and (6) of the IDD to the following:
- Article 10(4): intermediaries must hold PII cover or equivalent guarantee of at least €1,564,610 per claim or in aggregate €2,315,610 per year for all claims, unless such insurance or comparable guarantee is already provided by an insurance undertaking, reinsurance undertaking or other undertaking on whose behalf the insurance or reinsurance intermediary is acting or for which the insurance or reinsurance intermediary is empowered to act or such undertaking has taken on full responsibility for the intermediary’s actions. Previously the amounts have been €1,300,380 and €1,924,560 respectively; and
- Article 10(6): intermediaries must have financial capacity amounting, on a permanent basis to 4% of the sum of annual premiums received, subject to a minimum of €23,480. Previously this amount had been €19,510.
For more information on the Delegated Regulation, please see FIG Top 5 at 5 dated 7 December 2023.
Next Steps
The Delegated Regulation will enter into force 20 days after its publication in the Official Journal, on 9 April 2024, and will apply from 9 October 2024.
4. Joint Stakeholder Groups responds to ESA's Consultation paper on DORA RTS and ITS
Joint Stakeholder Groups responds to ESA's Consultation paper on DORA RTS and ITS
On 10 March 2024, the Joint Stakeholder Groups (Banking Stakeholder Group (EBA), Insurance and Reinsurance Stakeholder Group (EIOPA) and Securities and Markets Shareholder Group (ESMA)) ("SG") responded to three of the Joint European Supervisory Authority ("ESAs") Consultation Papers on the Draft Regulatory Technical Standards ("RTS") and Draft Implementing Technical Standards ("ITS") under the Digital Operational Resilience Act ("DORA").
1. Consultation paper on Draft RTS and Draft ITS on the content of the notification and reports for major incidents and significant cyber threats and determining the time limits for reporting major incidents
The SG made a number of observations:
- it welcomed the ESAs' approach to the alignment of the RTS and ITS with existing sectoral legal instruments, and agreed that there was a need for cross-sectoral harmonisation as ICT incidents and cyber-threats are not sector specific;
- some of the proposed timelines may not be feasible to sectors such as insurance, as financial entities will be focused on resolving the incident and not have sufficient time to gather the necessary data. The SG proposes a timeline of 24 hours for an initial notification to be submitted, with the intermediate report to be submitted within 10 working days, and the final report within 30 days from the permanent resolution;
- additional information on the circumstances of the detection of a major incident may be useful for supervisory authorities to evaluate the effectiveness of outsourcing arrangements, and the attendant sharing of monitoring and incident reporting responsibilities;
- given the difficulties in providing accurate information at the time the intermediate report is due, the draft RTS should be amended to clarify that the reporting entity would only be expected to provide a preliminary assessment on this stage, based on available information and reasonable assumptions;
- more clarification on when “regular activities” are deemed to “have been recovered and business is back to normal” is needed; and
- if an incident affects several financial entities within a consolidated group, it should be possible for them to file one consolidated report, by the parent company, provided that all affected entities are supervised by the same competent authority.
2. Consultation paper on Draft RTS specifying elements related to threat led penetration tests
The SG made a number of observations:
- the RTS makes reference to threat led penetration tests ("TLPT") with individual financial entities and ICT third party providers, as per the DORA Level 1 text, but does not provide further guidance concerning their operationalisation;
- the RTS should allow for more flexibility in certain areas given the diverse set of financial entities covered by DORA and the fact that their existing capabilities and experience with TLPT may widely differ;
- the threshold for payment institutions set at €120 billion of total value payment transactions appears low;
- the mandatory nature of the requirements in Article 5 may present an undue burden on financial institutions and may be counterproductive and detrimental to the successful completion of TLPT;
- the term "critical systems in scope of testing" needs clarification;
- some scenarios for ‘red team’ testing may not need a large team and suggest that a minimum number of two members should be deemed sufficient; and
- the RTS does not include information concerning the scope of a TLPT should it entail multiple TLPT authorities.
3. Consultation paper on Draft RTS to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions
The SG made a number of observations:
- it is unclear to what extent the application of proportionality is applied as the ESAs continue to broadly consider that: (i) all ICT services supporting critical or important functions carry the same level of risk (or importance) to a financial entity; and (ii) any subcontractor linked to an ICT service supporting material parts of, a critical or important function is equal regardless of their role and potential impact to the delivery of services;
- the application of a materiality threshold in accordance with a proportionate and risk-based approach would be advisable to ensure that financial entities are able to identify and monitor the material risks along the subcontracting chain, and those subcontractors whose disruption or failure could lead to a material impact to service provision; and
- a holistic approach is needed in assessing in advance whether any individual part of the supply chain can be singled out as posing a ‘material risk’.
5. Joint Bank Reporting Committee established by ECB and EBA
On 18 March 2024, the European Central Bank ("ECB") and the European Banking Authority ("EBA") published a press release announcing that they had established the Joint Banking Reporting Committee ("Committee") to make data reporting by the banking industry more efficient. It also published the supporting Memorandum of Understanding on the establishment of the Committee ("Memorandum"), with an annex setting out the Committee's charter.
The Committee will involve the ECB, the EBA, the European Commission and the Single Resolution Board, alongside relevant authorities with the power to issue supervisory, resolution and statistical reporting requirements in European Economic Area Member States.
Both authorities have described the initiative as seeking to harmonise reporting standards and definitions for the data that banks are required to report for statistical, supervisory, and resolution purposes. The Committee aims to ensure "a smooth and sound governance underpinning an integrated and efficient reporting process to the benefit of all stakeholders" with the overall effect of improving efficiency and reducing associated costs. It also aligns with the European Commission's supervisory data strategy and aims to modernise and rationalise reporting for European Union banks.