to the point: financial regulation | 02/2025

·       The European Banking Authority ("EBA") has revised its Guidelines on ICT and security risk management (the "Guidelines", available here) to align with the Digital Operational Resilience Act ("DORA"), effective from 17 January 2025. These changes aim to avoid duplication of the requirements and provide legal clarity. The Guidelines initially set out requirements for credit institutions, investment firms and payment services providers on the mitigation and management of their ICT and security risks. The EBA has narrowed down (i) the applicability of the Guidelines to only those covered by DORA (i.e. credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions) and (ii) the scope of the Guidelines to the requirements on relationship management of payment service users. The security and operational risk management requirements under the Payment Services Directive (PSD2) remain applicable to other payment service providers not covered by DORA. The amended Guidelines will take effect two months after the publication of their translated versions.

·       The new AI-system Assessment Tool (you can request the AI-system Assessment Tool here) launched by the EFAMA helps asset managers integrate AI into their business models while ensuring compliance with the EU AI Act and related regulations like the GDPR,  MiFIR and DORA. This tool provides firms with a structured and standardised approach to documenting and assessing AI use cases, helping them navigate the evolving regulatory landscape free of charge. With the AI Act set to introduce new obligations, particularly for high-risk AI system providers, the tool supports asset managers in responsibly adopting AI while fostering innovation in the sector. By offering clear guidance on regulatory requirements, the initiative ensures that firms can leverage AI effectively without breaching compliance obligations.

·         The ESMA has published or updated the following Questions and Answers:

o    European Market Infrastructure Regulation (EMIR)

§   Assessment of significance for the purpose of the Error and Omission Notifications (2441), and

§   Reporting of Settlement Rate Options (2442)

o    European crowdfunding service providers for business (ECSPR)

§   Calculation of threshold in point (c) of Article 1(2) of ECSPR (2437), and

§  Crowdfunding multiple offers (2438)

o    Markets in Financial Instruments Directive II (MiFID II) – Secondary Markets

§   Open interest thresholds in energy derivatives (2439)

·       The ESMA has issued three new Final Reports containing technical standards on various aspects of the Central Securities Depositories Regulation (CSDR) Refit. The first addresses the review and evaluation process of EU CSDs, the second sets out the criteria under which the activities of an EU CSD in a host Member State could be considered of substantial importance for the functioning of the securities markets and the protection of investors, and the third covers notifications from third-country CSDs. The new rules under the CSDR Refit introduce important obligations for obliged entities, particularly European and third-country CSDs. The updated framework clarifies the information that CSDs must provide to their national competent authorities (NCAs) for review and evaluation, ensuring a standardised and harmonised approach across the EU. This means European CSDs will need to adapt their IT processes to meet the new reporting requirements within a one-year implementation period. Additionally, the rules define criteria for assessing whether a CSD's activities in a host Member State are of substantial importance, which will determine when supervisory colleges must be established. This requires CSDs operating across borders to contribute to data collection processes that assess their impact on local markets. For third-country CSDs, the rules streamline notification requirements, ensuring clarity on the provision of notary, central maintenance and settlement services in the EU.

·       The European Commission (EC) has published an article about its proposal to shorten the EU securities settlement cycle from two business days (T+2) to one (T+1), bringing significant changes for obliged entities in financial markets. The shift, set for 11 October 2027, aligns the EU with global markets like the US and Canada, reducing inefficiencies and eliminating costs linked to misalignment with major financial hubs. For market participants, this transition demands significant operational and technological adjustments, as greater automation in post-trade processes will be required to ensure efficiency and risk mitigation. Faster settlement enhances market liquidity, allowing investors to reinvest funds more quickly, which benefits fund managers, retail investors and companies seeking capital. Obliged entities must prepare for a highly coordinated transition, as the move will apply uniformly across all securities under the CSDR without phasing-in. The legislative change provides legal certainty to avoid fragmentation in EU capital markets and ensure a smooth transition, preventing market disruptions. The European Securities and Markets Authority (ESMA) and the European Central Bank (ECB) will oversee governance structures, guiding financial institutions through the necessary technological, operational and regulatory adaptations. While initial costs are expected for market participants, the long-term benefits — reduced risks, lower margin requirements, improved settlement efficiency and enhanced competitiveness — are projected to outweigh the challenges, making T+1 a crucial step in strengthening the European capital market.

·       The EBA has issued its new final draft Implementing Technical Standards (ITS), which centralised the Pillar 3 data hub, meaning that large and other institutions must now submit their prudential disclosures through a single electronic access point on the EBA website, ensuring greater transparency and accessibility. These institutions must follow specific IT solutions, data formats and validation procedures outlined in the ITS, with a transition period from June to December 2025 to adapt to the new system. The EBA has refined the requirements based on a pilot exercise and public feedback, ensuring a smoother implementation. The centralisation of Pillar 3 disclosures under the CRR3/CRD6 framework will streamline regulatory reporting and provide stakeholders with a comprehensive view of financial institutions' prudential data. Further guidelines for small and non-complex institutions, as well as resubmission policies, will be consulted separately later in 2025.

·       The EBA created its final draft Implementing Technical Standards (ITS) containing standardised reporting obligations on banks, payment institutions and e-money institutions (Payment Service Providers - PSPs) regarding charges for credit transfers, payment accounts and shares of rejected transactions. This ensures that instant credit transfers are not more expensive than regular credit transfers, in line with the Instant Payment Regulation (IPR). PSPs must adhere to uniform reporting templates, instructions and methodologies to facilitate consistent and comparable data submission to their National Competent Authorities (NCAs), which will then report to the EBA and the European Commission. To ease the transition, the first mandatory harmonised reporting is postponed by 12 months to April 2026, giving the European Commission time to adopt the ITS and allowing the EBA to finalise the taxonomy, datapoint model and validation rules that PSPs will implement. Until then, NCAs are advised not to enforce data collection from PSPs in 2025 or encourage unharmonised reporting before the official framework is in place.

·       The new rules, coming into force on 15 February 2025 with the Act on Financial Market Digitisation (Czech language only), impose significant obligations on individuals and entities involved in the crypto-asset sector. As an adaptation act to the MiCA, it establishes uniform requirements for public offerings of crypto-assets, their admission to trading, and the provision of related services. This means that entities engaged in these activities must comply with strict authorisation, operational, governance and transparency requirements, ensuring the protection of crypto-asset holders and customers. The Czech National Bank will serve as the supervisory authority, handling notifications and applications, as well as overseeing compliance. Additionally, the Amendment Act (Czech language only), effective the same day, introduces necessary legal adjustments to align with MiCA and DORA while implementing further EU financial regulations, including those related to sustainability financing and digital market supervision. Obliged persons and entities must be prepared to adhere to these enhanced regulatory frameworks, ensuring full compliance with evolving financial and technological standards.

·       The Financial Analytical Office (FAO) issued a new general interpretative opinion (Czech language only), which clarifies the rules on sharing customer identification and control information within financial groups under the Czech AML Act (Czech language only). Obliged persons within these groups must ensure compliance with groupwide internal control policies to mitigate money laundering and terrorism financing risks. The opinion confirms that the transfer of client data obtained through routine or ad hoc checks is permissible not only at the start of a business relationship but throughout its duration. This sharing is crucial for effective risk management, allowing financial institutions to detect and prevent suspicious activities across the group. However, any doubts regarding the accuracy or completeness of transferred information should lead to its rejection. Additionally, institutions supervised by the Czech National Bank must align their information-sharing strategies with the AML Decree (Czech language only), ensuring transparency regarding suspicious transactions, business refusals or risk-related client terminations. The overarching goal of these rules is to prevent financial system abuse while streamlining processes for common clients within financial groups.

·       With the adoption of the new Act on Financial Market Digitisation (Czech language only) and Amendment Act (Czech language only), the FAO is now the entity granting permission to provide services related to virtual assets in the residual category (primarily NFTs). The Czech National Bank is the licensing entity under the MiCA Regulation. More information is available here.

·        The FAO published a new contact person notification form available here.

·         On 3 February 2024, a draft law aimed at implementing the NPL Credit Servicers and Credit Purchasers Directive (Directive (EU) 2021/2167) was published and submitted to the Austrian Parliament. The draft law was under public review until 21 February 2024. As of today, there is no official indication when the implementing law will finally be adopted. Given that the EU Commission has already initiated infringement proceedings against, inter alia, Austria for late implementation of the Directive (the transposition deadline was 29 December 2023), the Austrian Parliament is expected to adopt the implementing law rather soon. In terms of substance, the draft law largely copies the text of the Directive, and does not apparently provide for any gold-plating of the Directive.

For further information on the implementing status and details of the local implementation of the Directive across the CEE region, please visit the dedicated info corner on our website.

·       This ruling emphasises the obligations of lenders regarding the transparency of fees and commissions in credit agreements. The CJEU strengthens consumer protection by the possibility of imposing sanctions exempting the consumer from credit costs if it is proportionate and effective. The ruling points to the role of national courts, which decide whether there has been an infringement and whether the application of sanctions is justified. The sanction must not be imposed automatically.

·       Decisions on further annual extensions will be based on an indicator system. From January 31 of this year, the range of exposures eligible for the green loan program (the basis for the relief) will also be expanded. All of this could broaden the range of green products offered to customers, reduce the banking risks associated with climate change, and decrease domestic carbon emissions. The volume of green loans and bonds affected by the program amounts to HUF 1,236 billion.