CUBE RegNews: 23rd May

Greg Kilminster

Head of Product - Content

EBA speech on expanding the boundaries of supervision

In a speech at the BCBS-FSI high-level meeting for European Supervisors, Jose Manuel Campa, Chairperson of the European Banking Authority (EBA), discussed supervisory practices and priorities in Europe and how to ensure they remain fit for purpose.


Campa began by noting that the growth of non-bank financial institutions since the 2008 financial crisis has significantly altered the financial landscape. These entities, which include insurance companies, investment firms, and fintechs, have expanded their role in lending and asset management. In the EU, non-bank lending volumes remain modest compared to other major jurisdictions but are growing rapidly. 


The partnerships between banks and non-banks combine their respective strengths in infrastructure, experience, and regulatory compliance with innovative approaches to customer acquisition and product development. However, Campa raised questions about whether current regulatory frameworks adequately cover these non-bank entities. Ensuring a level playing field through the principle of "same risks, same regulation" is crucial. This would protect consumers, ensure fair access to finance, and maintain financial stability. 


Risks and challenges 

The entrance of new players into the lending market is a positive development from a competition standpoint but introduces several risks. Campa noted these as follows. 

  • Prudent lending standards: Non-bank lenders might not adhere to the same rigorous standards as traditional banks, potentially extending credit to less creditworthy borrowers or imposing higher fees on creditworthy ones. 
  • Market stability: A significant market share by non-banks in areas like consumer credit or SME lending could lead to financial stability risks if they withdraw from the market during economic downturns. 
  • Cybersecurity and data protection: Non-banks need to demonstrate resilience to cyberattacks and compliance with data protection regulations. 
  • Regulatory disparities: Non-bank lenders may not have the same provisioning capabilities as banks, exposing them to higher risks during economic downturns. 


Campa also commented on the interconnectedness between banks and non-banks, including ownership of debt securities and provision of loans, and how this can create contagion risks during financial stress. Transparency and monitoring of these connections are essential to mitigate potential systemic risks. 


Digitalisation and ICT risk 

Campa commented on the digital transformation of financial services, noting how this has increased operational risks. Financial entities are now more interconnected with ICT third-party providers, and the reliance on digital channels has heightened the potential for cyber incidents and service disruptions. 


The Digital Operational Resilience Act (DORA), which came into force in January 2023, establishes a comprehensive framework to address these risks. DORA's implementation, effective from January 2025, will require significant cooperation between financial supervisors and the ESAs. Key focus areas for the regulators to develop include: 

  • Identification of critical providers: Ensuring that critical ICT service providers do not expose financial entities to unmanageable risks. 
  • Oversight and supervision: Coordination between the ESAs and national authorities to avoid duplication of efforts and ensure effective oversight. 
  • Operational resilience: Assessing financial entities’ ICT risk management, incident reporting, and preparedness for threat-led penetration tests. 


Crypto-assets and MiCAR 

Campa said the rise of the crypto industry presents unique regulatory challenges. The Markets in Crypto-Assets Regulation (MiCAR) therefore aims to create a safe and innovative crypto-asset market in the EU. MiCAR assigns specific supervisory roles to national authorities, the EBA, and ESMA to address risks related to different products and services. 


Once again, effective collaboration is essential to ensure a consistent supervisory approach across the EU. Campa stated that supervisory priorities should focus on: 

  • Governance and risk management: Establishing strong internal governance and risk management frameworks. 
  • Financial resilience: Ensuring adequate capitalisation and prudent management of reserves. 
  • Technology risk management: Enhancing scrutiny of technological risks. 
  • Financial crime prevention: Addressing risks related to money laundering, terrorism financing, and sanctions evasion. 


Campa concluded his speech by commenting that the rapid evolution of the financial sector in the EU requires adaptive and coordinated supervisory actions.

The challenges of non-bank financial intermediation, digitalisation, and the emergence of crypto-assets necessitate a comprehensive and unified regulatory approach. The EBA and other supervisory bodies are committed to addressing these cross-border challenges through global dialogue and cooperation, ensuring the stability and resilience of the EU financial system. 


FSCS confirms annual levy for 2024/25

The UK’s Financial Services Compensation Scheme (FSCS), the body responsible for paying compensation to customers of financial services firms that have failed, has announced its 2024/25 levy, which will be payable by UK-registered firms.


The amount payable is £265m, lower than the indicative levy announced in the November 2023 Outlook, and a small decrease from the final 2023/24 levy of £270m. The decrease is because more than £54m was recovered from the estates of failed firms and other third parties during 2023/24 and this money has been added to surpluses to reduce the levy for 2024/25. 


The FSCS was set up in 2001 under the Financial Services and Markets Act 2000 (FSMA) and in 2022/23 paid out £403m in compensation to 67,908 customers of failed firms. 


AFME publishes DORA guide

The Association for Financial Markets in Europe (AFME), Europe’s wholesale financial markets trade association, has published a useful guide which considers the remaining challenges firms face in implementing the Digital Operational Resilience Act (DORA), which took effect on 16 January 2023 and requires final industry compliance by 17 January 2025.


The guide notes five ongoing challenges for firms as follows. 

  • Constraints with obtaining data points and conducting analysis may lead to excessive reporting, detracting from the effective management of information and communication technology (ICT) related incidents. 
  • The large volume of potentially in-scope ICT third-party providers, lack of automation and extensive amount of information pose challenges. 
  • The potentially broad scope of threat-led penetration testing (TLPT) and the involvement of third-party providers in the scope of a firm’s TLPT could place pressure on firms’ ability to manage the TLPT exercise. 
  • The broad nature of DORA definitions and questions concerning the notion of proportionality result in an overly expansive scope. 
  • The January 2025 compliance date may be impractical for some firms without a proportionate approach to supervision and enforcement. 


The guide considers each of these points in detail, noting that unless firms and regulatory bodies cooperate on these hurdles “an operationally resilient and unified digital landscape becomes even more difficult to achieve”.


SEC fines ICE $10 million for failing to report cyber incident

The Securities and Exchange Commission (SEC) has imposed a $10 million fine on Intercontinental Exchange, Inc (ICE) for failing to promptly report a cyber intrusion. The fine affects nine of ICE's subsidiaries, including the New York Stock Exchange. 


In April 2021, ICE discovered that malicious code had been inserted into a virtual private network (VPN) device used to access its corporate network. Despite identifying the intrusion, ICE failed to inform its subsidiaries' legal and compliance teams for several days. This delay meant the subsidiaries did not meet their regulatory obligations to report the incident to the SEC as required under Regulation Systems Compliance and Integrity (Regulation SCI). 


However, the regulator was not unanimous on the imposition of the fine. In a joint statement, SEC commissioners Hester Peirce and Mark Uyeda called the fine a “disproportionately large penalty”, adding that “imposing a $10 million civil penalty on ICE for its subsidiaries’ failure to notify the Commission of a single, de minimis incident is an overreaction. Unfortunately, this type of response is increasingly common in Commission enforcement actions. Imposing outsized penalties for minor violations risks creating a counter-productive dynamic between the Commission and regulated entities.”


ICE and its subsidiaries, without admitting or denying the SEC's findings, have agreed to a cease-and-desist order alongside the monetary penalty. The affected subsidiaries include Archipelago Trading Services, NYSE, NYSE American, NYSE Arca, ICE Clear Credit, ICE Clear Europe, NYSE Chicago, NYSE National, and the Securities Industry Automation Corporation. 

