Posts by: Amy Roper

New FCA Web Page on Cyber Resilience

 

On May 18, 2017, the FCA published a new Web page on cyber resilience.

The FCA notes that cyber risks pose a threat to all financial services firms. Firms should be aware of the threat, able to defend themselves effectively, and respond proportionately to cyber events.

The FCA’s goal is to help firms become more resilient to cyberattacks while ensuring that consumers are protected and market integrity is upheld. To achieve this, firms of all sizes should:

  • Develop a “security culture” from the board down to every employee.
  • Be able to identify, prioritize and protect their information assets (that is, hardware, software and people).
  • Detect breaches.
  • Respond to and recover from incidents.
  • Constantly evolve to meet new threats.

Under Principle 11 of the FCA’s Principles for Businesses, firms must report material cyber incidents. A firm may consider an incident to be material if it:

  • Results in significant loss of data or the availability or control of the firm’s IT systems.
  • Impacts a large number of victims.
  • Results in unauthorized access to, or malicious software present on, the firm’s information and communication systems.

These requirements will be updated in line with any future regulations.

Where a firm considers an incident to be material for Principle 11 purposes, it should report this to the FCA and other relevant authorities, including the PRA if the firm is dual-regulated, and to the Information Commissioner’s Office (ICO) if the incident is a data breach.

The FCA states that cybersecurity is a shared responsibility. It takes a cooperative approach to address the threat, working with government and other regulators, nationally and internationally. The Web page contains a link to the National Cyber Security Centre (NCSC) website, together with links to relevant FCA publications.

European Commission to Publish CMU Midterm Review on June 7, 2017

 

On May 18, 2017, Ugo Bassi, Director of Financial Markets, European Commission DG FISMA, confirmed that the Commission will publish its midterm review of the capital markets union (“CMU”) on June 7, 2017.

Mr. Bassi stated that the review would contain an action plan for “CMU 2.0” and would announce a number of additional initiatives. These initiatives include measures to make it easier to sell funds cross-border using passporting mechanisms and to strengthen supervisory powers at the EU level, potentially through increased supervisory powers for ESMA. The Commission will adapt the initiatives envisaged under the CMU to reflect the UK’s decision to leave the EU.

European Parliament Adopts Resolution on FinTech

 

On May 17, 2017, the European Parliament voted in plenary to adopt a resolution on FinTech and the influence of technology on the future of the financial sector. The provisional text (P8_TA-PROV(2017)0211) of the resolution has been published.

The Parliament’s Committee on Economic and Monetary Affairs (ECON) published a report on FinTech, which included the resolution, on May 3, 2017.

The Parliament has instructed its president to forward the resolution to the Council of the EU and the European Commission.

EBA Publishes Final Guidelines on Credit Institutions’ Credit Risk Management Practices and Accounting for Expected Credit Losses

 

On May 12, 2017, the EBA published its final guidelines on credit institutions’ credit risk management practices and accounting for expected credit losses. The aim of the guidelines is to ensure sound credit risk management practices associated with the implementation and ongoing application of the accounting for expected credit losses. They are part of the EBA’s work on the implementation of IFRS 9 and its interaction with prudential requirements, and they build on the guidance published by the Basel Committee on the same matter.

Several credit institutions in the EU apply the IFRS standards, which require the measurement of impairment loss provisions to be based on an expected credit loss accounting model (IFRS 9) rather than on an incurred loss accounting model (IAS 39). The EBA welcomes this approach on credit loss provisioning, as it should also contribute to addressing the G20’s concerns about the issue of the ‘too little, too late’ recognition of credit losses, and improve the accounting recognition of credit losses by incorporating a broader range of credit information.

The guidelines set out strong credit risk management practices for credit institutions associated with the implementation and on-going application of the accounting for expected credit losses. They note that high-quality and consistent application of the accounting standards is the foundation for the effective and consistent application of the regulatory capital standards.

EBA Final Guidelines on ICT Risk Assessment Under Supervisory Review and Evaluation Process

 

On May 11, 2017, the EBA published a report (EBA/GL/2017/05) containing its final guidelines on information and communication technology (“ICT”) risk assessment under the supervisory review and evaluation process (“SREP”) required under the CRD IV Directive (2013/36/EU).

The guidelines are addressed to competent authorities and aim at promoting common procedures and methodologies for the assessment of ICT risk. They should be read in conjunction with the EBA SREP Guidelines, which continue to remain applicable as appropriate.

The guidelines are contained in section 3 of the report and are structured around three main parts:

  1. the general provisions for applying the guidelines (Title I);
  2. the assessment of the institution’s ICT governance and strategy (Title II); and
  3. the assessment of ICT risk and the controls in place in the context of risks to capital (Title III), which reflects the same structure as the EBA SREP Guidelines on the assessment of operational risk.

Competent authorities should consider the principle of proportionality when applying the guidelines. The depth and detail of the ICT risk assessment should be proportionate to the size, structure and operational environment of the institution, together with the nature, scale and complexity of its activities.

The guidelines are to be translated into the official EU languages and published on the EBA website. They will be in effect on January 1, 2018.

BBA Brexit Quick Brief on UK WTO Profile and FTAs

 

On May 10, 2017, the British Bankers’ Association (BBA) published a Brexit quick brief: “External trade policy and a UK exit from the EU – the UK’s WTO profile and beyond”.

The UK’s decision to leave the EU means that the UK will cease to make trade policy collectively with the EU and will need to reestablish a trade policy within the context of the World Trade Organization (“WTO”). The quick brief considers issues relating to the UK’s profile at the WTO and free trade agreements (“FTAs”) arising from Brexit and, as applicable, the potential impact on financial services.

It considers issues such as the confirmation of content in the UK’s schedule of commitments under the General Agreement on Trade in Services (GATS). It also notes that the UK will need to consider the implications of losing the preferential access granted to UK-based exporters through the FTAs agreed on its behalf by the EU; it is uncertain whether these agreements can simply be translated to the UK. Further, the UK currently has framework arrangements in place with non-EEA countries that are embedded in EU legislation, including arrangements relating to financial market infrastructures and data protection. The quick brief comments on the fact that the UK will need to reestablish those arrangements in order to reflect its status outside the EU. It also notes that the UK will be able to enter into new FTAs with non-EU markets.

European Commission Adopts Delegated Regulation on RTS for the Application of Position Limits to Commodity Derivatives

 

On December 1, 2016, the European Commission adopted a Delegated Regulation supplementing the MiFID II Directive (2014/65/EU) in relation to regulatory technical standards (“RTS”) for the application of position limits to commodity derivatives (C(2016) 4362 final).

The MiFID II Directive requires that competent authorities, in line with ESMA’s methodology, establish and apply position limits on the size of a net position a person can hold in certain commodity derivatives and economically equivalent OTC (EEOTC) contracts. Article 57(3) and (12) of the MiFID II Directive empowers ESMA to develop RTS providing the basis of the methodology for the calculation and application of the position limits.

In September 2015, ESMA submitted the draft RTS to the Commission. The Commission then notified ESMA in April 2016 that it intended to endorse the RTS, provided that a number of changes were made. ESMA submitted revised draft RTS to the Commission in May 2016. The Commission explains that the amended provisions create a more stringent regime for liquid contracts whose underlying product is food for human consumption. Further, it caps the upper position for new and illiquid contracts at 40%, but stipulates that upper position limits of up to 50% can be imposed on a temporary basis. The proposed methodology also highlights how competent authorities are to consider volatility when setting position limits.

The Council of the EU and the European Parliament are now to consider the Delegated Regulation. Should neither of them object, it will enter into force 20 days after its publication in the Official Journal of the EU (OJ).

European Parliament Votes to Delay PRIIPs Regulation Application Date

 

On December 1, 2016, the European Parliament published a press release announcing that it has voted to delay the Regulation on key information documents (“KIDs”) for packaged retail and insurance-based investment products (“PRIIPs”) (Regulation 1286/2014) (PRIIPs Regulation).

The press release highlights that MEPs had criticized previous proposed standards requiring providers of PRIIPs to produce a KID as “flawed and misleading.” The Parliament has also published the text of the legislative resolution delaying the application date of the PRIIPs Regulation to January 1, 2018. This additional time is to enable those concerned to comply with the new requirements.

In September 2016, the Parliament announced that it had rejected the Delegated Regulation that the European Commission had adopted supplementing the PRIIPs Regulation with regard to regulatory technical standards (RTS) on the presentation, content, review and revision of KIDs. Earlier, in November 2016, the Commission also proposed to extend the application of the PRIIPs Regulation by one year.

European Commission Adopts Delegated Regulation on RTS on Criteria for Establishing When an Activity Is Considered to Be Ancillary to the Main Business

 

The European Commission adopted, on December 1, 2016, a Delegated Regulation supplementing the MiFID II Directive (2014/65/EU) in relation to regulatory technical standards (“RTS”) on the criteria for establishing when an activity is considered to be ancillary to a firm’s main business (C(2016) 7643 final).

The MiFID II Directive exempts persons dealing on their own account, or providing investment services to clients, in commodity derivatives and emission allowances, provided that activity is ancillary to their main business and their main business is not the provision of investment services or banking activities. Article 2(4) of the MiFID II Directive gives the Commission power to adopt RTS specifying the criteria for establishing when an activity is to be considered ancillary to the main business of a group.

ESMA submitted draft RTS to the Commission in September 2015. The Commission notified ESMA in April 2016 that it intended to endorse the draft RTS, subject to several amendments being made. In May 2016, ESMA submitted a formal opinion and a revised draft of the RTS to the Commission.

It is now for the Council of the EU and the European Parliament to consider the Delegated Regulation. Should neither of them object, it will enter into force 20 days after its publication in the Official Journal of the EU (OJ) and will apply from January 3, 2018.

Delegated Regulation on RTS Specifying Criteria for Setting MREL Under BRRD Published in OJ

 

On September 3, 2016, the Commission Delegated Regulation ((EU) 2016/1450) supplementing the Bank Recovery and Resolution Directive (2014/59/EU) (BRRD) with regulatory technical standards (RTS) highlighting the criteria relating to the methodology for setting the minimum requirement for own funds and eligible liabilities (MREL) was published in the Official Journal of the EU (OJ).

Article 45(6) of the BRRD specifies certain criteria that a resolution authority must consider when determining the level of MREL for a BRRD institution. Article 45(2) of the BRRD gave the European Commission the power to adopt a Delegated Regulation containing RTS further specifying the Article 45(6) assessment criteria.

The RTS contain provisions relating to the interpretation of the six assessment criteria set out in Article 45(6). They also permit resolution authorities to provide a transitional period for reaching the final MREL for firms or entities to which resolution tools have been applied.

The Delegated Regulation was adopted by the Commission on May 23, 2016. It shall enter into force 20 days after its publication in the OJ (i.e. September 23, 2016).