FIG Top 5 At 5 - 04/07/2024

1. Central Bank of Ireland publishes Questions from Stakeholders on the Individual Accountability Framework

On 1 July 2024, being the commencement date of the Senior Executive Accountability Regime ("SEAR") for certain regulated financial entities, the Financial Risks and Governance Policy Division of the Central Bank of Ireland ("Central Bank") published the Questions from Stakeholders to address some of the queries raised by stakeholders on the application of the Individual Accountability Framework ("IAF"), components of which include the Common and Additional Conduct Standards ("Conduct Standards"), SEAR, the Administrative Sanctions Procedure and the enhancements to the Fitness and Probity regime.

The Central Bank released its final IAF Guidance in April 2024 ("IAF Guidance") and they confirmed this document will form part of that guidance when it is updated from time to time.

The questions are set out under two sections namely Conduct Standards and SEAR.

1. Conduct Standards

There are three questions relating to the topic of the application and scope of the Conduct Standards:

• the Central Bank confirmed that Controlled Function ("CF") role holders who provide incoming services on a freedom of services basis are subject to the Conduct Standards (Question 1.1 refers);
• the Central Bank noted that, ordinarily, it does not expect individuals within group entities to exercise significant influence on the conduct of the affairs of the subsidiary or related regulated financial services provider ("RFSP"), and therefore are unlikely to hold a CF-1 role. However, in circumstances where individuals can effectively direct / exercise a significant influence on key aspects of the business of the RFSP, this will constitute a CF-1 role, and the individual will be subject to Common and Additional Conduct Standards (Question 1.2 refers); and
• the Central Bank confirmed that the firm in scope of IAF is responsible for providing the training, but that the training may be delivered by a third party (Question 1.3 refers).

2. SEAR

There are also three questions relating to scope and the allocation of prescribed responsibilities ("PR") under SEAR:

• the Central Bank confirmed that it will not adopt a prescriptive approach to the allocation of PR to specific Pre-Approved Control Functions ("PCF") role holders. However, in circumstances where there is relevant sectoral guidance, in-scope firms should take this into consideration in allocating the PRs appropriately. This approach will ensure that firms have the flexibility to allocate responsibilities in a way that is appropriate to their business model and organisational structure (Question 2.1 refers);
• the Central Bank confirmed that it is not necessary for firms to allocate a PCF-52 (Head of AML/CFT Legislation Compliance) role in order to allocate PR20 (see below) -
  • "PR20 relates to managing the anti-money laundering and countering the financing of terrorism ('AML/CFT') compliance function (Responsibility for managing the anti-money laundering and countering the financing of terrorism ('AML/CFT') compliance function in order to address the firm's money laundering and terrorist financing risks including:
    • the development and oversight of a robust AML/CFT framework; and
    • overseeing the implementation and effective application of AML/CFT systems and controls). What are the Central Bank's expectations with regard to the allocation of PR20 where a firm does not have a PCF-52 (Head of Anti-Money Laundering and Counter Terrorist Financing Compliance) and/or where a firm is not deemed a designated person under the Criminal Justice Act 2010?"
• However, the Central Bank expects that PR20 should be allocated to the most senior individual, with appropriate authority and responsible for such matters within the governance structures of the firm. The Central Bank also noted that it would be prudent for firms that are not obligated under the Criminal Justice Act 2010 to have an AML / CFT control function, to assess the applicable risk exposure and assign PR20 to the most appropriate person. The assigned person should consider the PR20 responsibilities and record whether an AML / CFT framework is required and the reasoning for this decision (Question 2.2 refers); and
• the Central Bank envisages that PR34 (Where the firm has established a specific steering committee to address regulatory matters, responsibility for managing the operation of the committee and for providing comprehensive and timely reporting to senior management and to the board) applies in relation to specific, non-standard regulatory events (such as implementation projects or specific regulatory engagement initiatives) and should be allocated to the most senior individual, with the appropriate authority, responsible for such matters. It also confirmed that, other than the limited circumstances specified in the Guidance, PRs cannot be shared (Question 2.3 refers).

This document should be read in conjunction with pre-existing legislation, regulations and guidance, including, but limited to, the Central Bank Acts, the IAF Guidance, the Fitness and Probity Standards 2023 and the Guidance on Fitness and Probity Standards 2023.

2. Central Bank of Ireland Updates: (1) Addendum to the Minimum Comptency Code (2) Authorisations and Gatekeeping Report 2024

Central Bank of Ireland publishes Addendum to the Minimum Competency Code

On 19 June 2024 the Central Bank of Ireland ("Central Bank") published an Addendum to the Minimum Competency Code ("MCC") ("Addendum"). The Central Bank states that the aim of the Addendum is to recognise sustainability knowledge & competence in the MCC.

In November 2023, the Central Bank published a Notice of Intention to recognise sustainability knowledge and competence in the MCC with effect from 1 January 2025. Interested parties were provided with an opportunity to submit any queries on this Notice of Intention until 5 January 2024.The Central Bank has noted that no queries were received. For more information on what was proposed in the Notice of Intention please see FIG Top 5 at 5 dated 30 November 2023.

Against the background set out above, and pursuant to section 50 of the Central Bank Reform Act 2010 the Central Bank is amending the competencies for retail financial products in Appendix 3 of the MCC to include competencies relating to sustainability for all retail financial products. There are also additional amendments to incorporate the suitability requirements under the Markets in Financial Instruments Directive II and the Insurance Distribution Directive.

Next Steps

Impacted firms must insure compliance with the updated MCC by 1 January 2025.

Central Bank of Ireland publishes its Authorisations and Gatekeeping Report 2024

On 24 June 2024, the Central Bank of Ireland ("Central Bank") published its inaugural Authorisations and Gatekeeping Report ("Report"). The Report addresses in particular, authorisations and the Fitness and Probity ("F&P") Regime.

On the publication of the Report, Deputy Governor of the Central Bank, Sharon Donnery commented that the Central Bank will continue to focus on "enhancing how we regulate and supervise across all sectors, including continuing to enhance our authorisation processes, in terms of clarity, predictability and transparency for those seeking to be authorised and to improve our own process as well as our engagement and communication with the sector".

Authorisations

The Report sets out the Central Banks's aim of providing further transparency to firms as to how the Central Bank discharges and continues to refine its authorisation mandate. To this end, the Report sets out the following:

• information on the Central Bank's authorisation framework and risk appetite;
• explanation of the Central Bank's priorities and expectations of applicant firms;
• insights into the operation of the Fitness and Probity ("F&P") regime; and
• an outline of the key challenges for firms seeking authorisation.

Additionally, sector-levels activity for 2023 and the performance of the Central Bank as against those activities are specifically detailed including:

• the authorisation activity rates by volume;
• average authorisation times; and
• an explanatory narrative for each sector.

The Report states that the Central Bank will continue to enhance its authorisation processes, in terms of clarity, predictability and transparency for those seeking to be authorised as well as continuing to improve its own process, engagement and communication.

Fitness and Probity

Chapter 4 of the Report addresses the F&P regime, as with Authorisations, the Report summarises the F&P applications made in 2023 in the following terms:

• status of an application; and
• timelines to approve applications in 2023;

It was noted that the quality of submitted PCF applications has improved since the introduction of a new portal in April 2023, with the result that processing timelines have reduced. Out of a total of 3359 applications received, 2603 were approved, 361 were returned as incomplete and 279 were withdrawn by the applicant. As regards incomplete applications, these related to errors in the initial submission.

The Report notes that in 2023, all service standards for pre-approval controlled function ("PCF") applications assessed were met.

In H2 2023, new metrics were introduced in relation to the processing of PCF applications, in order to increase the transparency of timelines for industry and to manage application timelines, as follows:

• average processing time in calendar days; and
• percentage of PCF applications approved within 90 days.

The average processing time for PCF applications in H2 2023 was 24 calendar days and 98% of PCF applications were processed within 90 days. In cases where an application went beyond 90 days, further scrutiny was required due to factors specific to the application.

The Report references the independent review of the F&P Approval Process carried out in March 2024 with the stated aim of ensuring that it remains effective into the future. It is expected that the findings of the review will be published in Summer 2024.

As part of its insights into the F&P regime, the Report discusses the Individual Accountability Framework which was partially commenced on 19 April 2023, and reiterates the Central Bank's expectations in this regard.

3. Implementing DORA - Achieving enhanced digital operational resilience in European financial services - Remarks by Director Gerry Cross

On 28 June 2024, the Director of the Central Bank of Ireland ("Central Bank"), Gerry Cross, delivered a speech on the implementation of Digital Operational Resilience Framework ("DORA"). Mr. Cross uses the five key working principles, which he previously detailed in his speech on the challenges and opportunities of DORA 15 months ago, to discuss the work that has been done and the challenges that are still to come. The key principles are as follows:

Momentum

The tight deadline set in place, 17 January 2025, emphasises the need for urgency in the implementation of DORA and the importance of maintaining momentum. Mr. Cross explains that this has been achieved by implementing a two phase delivery of the DORA regulatory implementation work with a 12 month and 18 month deadline. As part of phase 1, regulatory technical standards ("RTS") were adopted by the European Commission ("Commission") in March 2024 and published in the Official Journal of the EU in late June 2024, implementing technical standard ("ITS") for the registers of information on ICT outsourcing have also been implemented. In addition, the European Supervisory Authorities ("ESAs") and competent authorities have operated a dry run exercise to allow financial entities to become more familiar with the operation of the new templates to allow momentum. In relation to phase 2, following a public consultation earlier in the year, the draft technical standards are expected to be submitted to the Commission by 17 July 2024.

Pragmatism

Director Cross explained that the ESAs are taking a pragmatic approach to the delivery of DORA. They have adopted the view that "we need to find the best solutions possible in the limited time available before implementation", while recognising that the DORA is "not a once-and-done exercise and that is optimal to adopt a multi-year, multifaceted perspective". Given this, he explained that the decision has been made to maintain the Joint Committee Sub – Committee on DORA to provide any further guidance such as a level 3 regulation development.

Another important aspect is the need for pragmatism as we move into the period of coming into effect of the new regime. He acknowledged that the time period between finalising the regulatory requirements and their coming into effect is short. However, he also reminded firms that DORA and the overall regulatory framework has been under development for quite a while and that the expectation is that firms would have "already been laying much of the groundwork for implementation over the recent years". He also added that DORA represents in many respects what any well managed firm should be doing. Notwithstanding this, Mr. Cross explained that there is often merit in taking a "Day 1/Day 2" perspective in the context of a supervisor's expectation regarding implementation. In other words - seeing the value in a committed journey by firms and supervisors from initial implementation and compliance to a richer, more fully achieved implementation over time.

Mr. Cross encouraged firms to utilise the ongoing resources provided by competent authorities across the Europe Union to ensure convergence and coordination in the implementation of DORA.

Quality

Mr. Cross highlighted the significance of ensuring momentum and pragmatism while also maintaining a level of quality in delivering DORA, something which he maintains has been achieved to date. He describes the DORA framework as being of "high quality, well judged, appropriately demanding, but balanced and proportionate".

Proportionality

Due to DORA applying to almost all regulated financial firms of any scale or business model, Mr. Cross reiterates that proportionality is key to its success. He went on to stress that without a proportionate approach, DORA would hamper Europe in achieving continued economic growth. He explains that proportionality is embedded in the foundational architecture of DORA and in the regulatory rules and highlights a number of examples as follows:

• the RTS on Risk Management Framework was designed with regard to the wide variety of financial entities differing in size, structure, internal organisation, and in the nature and complexity of their activities;
• the quantitative values set out in RTS on the classification of ICT related incidents expected from firms has been set purposely low in order to reduce the burden imposed on smaller firms;
• the selection criteria detailed in the RTS on Threat-Led Penetration Testing ("TLPT") have been tested to ensure only the biggest and most appropriate financial entities will become subject to TLPT requirements.
• DORA should not and must not impose requirements that are not aligned with sound but reasonable business practices. When firms carry on activities themselves, they are responsible for them. This remains the case when they are outsourced. Director Cross provided further guidance on firm's responsibilities when it comes to outsourced functions.

Engagement

Director Cross explained that underpinning the ESAs approach to the development of the framework has been continued stakeholder engagement. This engagement, he stressed has influenced the development and finalisation of various proposals including:

• the RTS on the classification of incidents related to ICT was amended to simplify and clarify the classification of major ICT incidents under DORA at a time when the financial entity is dealing with an incident;
• in relation to incident reporting, the ESAs have received feedback on the timelines and content and intend to amend this to provide a little more flexibility;
• the quantity of information required for the register of information on third party arrangements is expected to be reduced and rationalised; and
• in response to feedback on the proposals on Thread Led Penetration Testing, efforts have been made to clarify the selection criteria for insurance and reinsurance undertakings, on the provisions for TLPTs involving several financial entities and/or ICT providers, and revisions providing more flexibility in the requirements applicable to testers and threat intelligence providers in conjunction with appropriate risk management measures.

Oversight of Critical Third Party Providers

One aspect which Director Cross focused on was the importance of the designation of critical third party service providers ("CTPPs") in accordance with the Delegated Act adopted in February 2024. The designation he explained, is dependent upon the collection and analysis of the registers of information on ICT outsourced services. Work has commenced regarding the new Joint Examination Teams ("JETs") which will be the collaborative teams initiated under the coordination of the Lead Overseer to carry out the oversight of individual CTPPs. The Lead Overseer will operate through JETs which will include ESAs staff and staff from relevant competent authorities. There is currently good progress being made in this collaborative approach.

4. EIOPA Updates: (1) EIOPA's Financial Stability Report (2) EIOPA's Opinion on the supervision of captives

EIOPA publishes its Financial Stability Report

On 27 June 2024, the European Insurance and Occupational Pensions Authority ("EIOPA") published its June 2024 Financial Stability Report ("Report"), which offers an insight into key developments and risks in Europe's insurance and occupational pensions sectors.

The Report notes that insurers and occupational pension funds are operating in a challenging macroeconomic environment, highlighting the following:

• elections in large economies;
• high geopolitical tensions;
• uncertainties about the economic outlook;
• waning support for globalisation and international cooperation;
• in the final months of 2023, economic activity stalled due to tight financial conditions and cautious consumer spending;
• economic growth is expected to remain subdued in 2024; and
• interest rates in the euro area retreated as inflation has fallen close to the European Central Bank's 2% medium-term target, however, volatility in that respect is a recurrent theme.

As regards financial positions, the Report goes on to note the following:

• Europe's insurance and occupational pensions sectors have remained robust on aggregate, even taking account of widespread challenges;
• the insurance sector is solidly capitalised and that median SCR ratios for life insurers and composite undertakings have improved throughout the shift from low to higher interest rates. So too have profitability levels;
• gross written premiums in the non-life sector continued to grow while the life business saw a more moderate increase;
• insurers' liquid assets ratio has remained stable over the past years, however, there is considerable variation across countries; and
• lapse rates in the life business are mostly stable, but there are some signs of vulnerability.

The Report also addressed the need to be on guard for emerging risks and some of the points made included:

• sizeable allocations to alternative assets that are often illiquid, difficult to valuate and whose valuation is highly sensitive to interest rates have raised supervisory and financial stability concerns. Consequently, supervisors are closely monitoring the risks associated with these investments;
• insurers and pension funds are also having to contend with climate-change related risks as well as those linked to digitalisation and cybersecurity; and
• 2023 brought another year of high natural disaster losses.

EIOPA publishes Opinion on the supervision of captive re(insurance) undertakings

On 2 July 2024 EIOPA published its Opinion on the supervision of captive re(insurance) undertakings ("Opinion") which it states seeks to ensure a high-quality and convergent supervision of captive (re)insurance undertakings.

The Opinion recognises that appropriate approaches should be provided in line with the principle of proportionality to reflect the nature, scale, and complexity of the business of captive insurance and captive reinsurance undertakings. Importantly, the Opinion states that national competent authorities ("NCAs") may take into account national specificities of the captive (re)insurance sector when implementing the principles included in the Opinion.

The Opinion sets out its aim of supporting the implementation of the regulatory framework with a focus on

• intragroup transactions (especially cash pooling);
• the consistent application of the Prudent Person Principle; and
• governance-related aspects in connection with key functions and outsourcing requirements.

Intragroup Transactions

The Opinion recognises that deposits and withdrawals in and out of a cash pooling arrangement with the aim of exploiting synergies and pooling liquidity within the group are common intra-group transactions used by captive (re)insurance undertakings. NCAs should ensure that captive (re)insurance undertakings are able, at any time, to provide information regarding cash pool arrangements in sufficient detail. Accordingly the Opinion sets out the following:

• The information should clearly identify the related asset classification (e.g. cash pooling giving rise to deposits or cash or to intercompany loans);
• the legal basis of the arrangement should be readily ascertainable;
• NCAs should also ensure that material amendments to existing material cash pooling arrangements are submitted to NCAs by the captive (re)insurance undertakings without delay; and
• NCAs should also ensure that captive (re)insurance undertakings are able to provide, on request, evidence supporting the arm's length price of cash pooling transactions (in collaboration with the statutory auditor, if needed), in particular if amendments to cash pooling arrangements impact the asset classification.

Prudent Person Principle in the context of cash pooling arrangements

NCAs should ensure captive (re)insurance undertakings' compliance with the prudent person principle considering the portfolio as a whole. In assessing such compliance, NCAs should ensure that the following is considered:

• security and quality;
• liquidity and availability;
• profitability;
• asset-liability management;
• conflict of interest; and
• diversification.

Governance-related aspects in connection with key functions and outsourcing requirements

The Opinion also sets out guidance in relation to the following areas:

• administrative, management, supervisory Board ("AMSB") composition, specifically, NCAs should ensure that the AMSB as a whole possesses the necessary seniority, qualifications, competency, skills and professional experience; and
• outsourcing of key functions, particularly noting that NCAs should ensure the compliance of key functions' outsourcing arrangements based on Article 49 of the Solvency II Directive and Guideline 14 of the EIOPA System of Governance Guidelines (EIOPA-BoS-14/253).

5. EBA and ESMA publish guidelines on suitability of management body members and shareholders for entities under MiCA

On 27 June 2024, the European Banking Authority ("EBA") and the European Securities and Markets Authority ("ESMA") published a final report on the guidelines on suitability of members of the management body, and on the assessment of shareholders and members with qualifying holdings for issuers of asset reference tokens ("ARTs") and crypto – asset service providers ("CASPs") under the Markets in Crypto Assets Regulation ("MiCA") ("Guidelines"). The aim of the Guidelines is to implement a general EU framework for assessments by issuers of ARTs and by CASPs.

The first set of guidelines detail common criteria to assess the knowledge, skills, experience, reputation, honesty and integrity of members of the management body. They also address the question of whether an individual can commit sufficient time to perform their duties to ensure a sound management.

The second set of guidelines address the assessment of the suitability of shareholders or members with direct or indirect qualifying holdings in a supervised entity by providing a common methodology to assess the suitability for the purpose of granting authorisation as issuers of ARTs or as CASPs, and for carrying out the prudential assessment of proposed acquisitions.

Next Steps

The Guidelines will apply two months after they have been published in all EU official languages on the EBA and ESMA websites.