<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>EBA Archives - Complyportal</title>
	<atom:link href="https://complyportal.uk/tag/eba/feed/" rel="self" type="application/rss+xml" />
	<link>https://complyportal.uk/tag/eba/</link>
	<description></description>
	<lastBuildDate>Fri, 14 Feb 2025 08:49:51 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.1</generator>

<image>
	<url>https://complyportal.uk/wp-content/uploads/2025/02/1cb60d6a-4d86-422b-ae02-1eb3f14631bc_b-100x100.png</url>
	<title>EBA Archives - Complyportal</title>
	<link>https://complyportal.uk/tag/eba/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How Can We Maximise Regulatory Technology &#038; Avoid Its Potential Pitfalls</title>
		<link>https://complyportal.uk/how-can-we-maximise-regulatory-technology-avoid-its-potential-pitfalls/</link>
		
		<dc:creator><![CDATA[andreas kililis]]></dc:creator>
		<pubDate>Fri, 10 Sep 2021 10:16:48 +0000</pubDate>
				<category><![CDATA[Regulatory Technology]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[EBA]]></category>
		<category><![CDATA[ESMA]]></category>
		<category><![CDATA[Financial Compliance]]></category>
		<guid isPermaLink="false">https://stage.complyportal.uk/?p=14714</guid>

					<description><![CDATA[<p>How Can We Maximise Regulatory Technology &#38; Avoid Its Potential Pitfalls What recent results from the European Banking Authority and ESMA reports show The European Banking Authority (EBA) has recently published an analysis looking into the RegTech landscape in the EU. The report assesses the many benefits, challenges and risks of the use of RegTech in the EU and lays out the steps to be taken to support the sound adoption and scale-up of solutions in this sector. The study also proposes actions designed to enhance the knowledge and skills of the competent authorities (CAs). ESMA has also published a report on Trends, Risks and Vulnerabilities of the Financial sector dedicating a part on RegTech and SupTech and the change for Markets and authorities. This report highlights that market participants are increasingly using new automated tools in a variety of areas, while potential applications of new tools for regulators include greater surveillance capacity and improved data collection and management. When technology is used for compliance, it is called Regulatory Technology or ‘RegTech’. RegTech is defined as any range of applications of technology‐enabled innovation for regulatory, compliance and reporting requirements implemented by a regulated institution – with or without the assistance of a RegTech provider. RegTech solutions in Financial Institutions (FIs) and Investment Firms (FI’s) are currently evident in: Anti-Money-Laundering and Countering the Financing of Terrorism (AML/CFT) – for example, providing solutions for sanction screening or remote onboarding of customers. Fraud prevention – through automated behaviour and transaction monitoring. Prudential reporting – supporting institutions in their regulatory submissions. ICT security – providing detection mechanisms for an institution’s operations security. Creditworthiness assessments – providing new capabilities for assessing the creditworthiness of clients. 
Regulatory Reporting – supporting institutions in their trade reporting. Risk Management Benefits According to financial organisations using RegTech solutions, their key benefits are improved risk management, better monitoring and sample capabilities, and a reduction in human error. At the same time, RegTech providers place heavy emphasis on their ability to increase efficiency and effectiveness and quell the impact of ongoing regulatory change. Some of the increasing disparities in perspective between financial institutions (FIs) and RegTech providers suggest that further research of the benefits afforded by RegTech solutions is required. ESMA also believes that the move towards a more data-driven and pro-active approach will enhance monitoring of the financial sector and help ensure better outcomes for market participants and consumers. The continual push for efficiencies and cost savings, particularly for back-end and legacy systems as well as for labour-intensive processes will increase the use of RegTech in the foreseeable future. Risks EBA highlighted that when not implemented correctly, RegTech solutions may also generate risks for FIs that would need to be identified, monitored and managed. These risks may relate to, for example, compliance, concentration, business continuity, ICT and security, reputational issues, internal governance, conduct and consumer protection, and/or technology. RegTech may also create new risks for CAs supervising FIs. These include potential difficulties in assessing the effectiveness and reliability of the technological solutions used by FIs, and a potential lack of skills and tools needed to supervise the use of technology enabled RegTech solutions and, say, audit the underlying algorithms. 
ESMA focused on the risks and challenges for regulators and market participants in the areas of data collection and management, digital transition and failure on the part of market participants to adapt to the new digitalised infrastructure and the need from regulators to invest in the technological tools and human skills that will allow them to effectively analyse the results, operational risks and the risks from strategic incentives such as developing expertise in RegTech. Challenges The EBA report suggests that the majority of challenges to RegTech market development involve internal factors within the FIs and providers. Likewise, ESMA considers most of those challenges to apply for FIs. However, a lack of common regulatory standards across the EU could also constitute a barrier to the wider market adoption of RegTech solutions. The main challenges from the FI perspective are summarised as follows: Data-related challenges and cybersecurity threats: FIs often indicate data quality, data privacy and protection, lack of data integration, data availability, and lack of data standardisation and harmonisation as issues. Interoperability and integration with the existing legacy systems: FI legacy systems and processes have too many silos, making RegTech adoption difficult, and this is further compounded by doubts about the ICT capacity of FIs to support FinTech, RegTech, and InsurTech solutions. Changes to regulation: changes with national or international regulations and other regulatory challenges can be another key barrier to RegTech adoption. Costs and procurement process: RegTech solutions seen as part of compliance and usually treated as a back‐office function may be at risk of underinvestment. Lack of necessary skills and training: when working with either in‐house or external RegTech solutions, FIs need specialists, e.g. data scientists and engineers, to be able, where relevant, to scout, assess, operate, and maintain updated RegTech solutions. 
Perceived immaturity of RegTech providers’ solutions: FIs that see RegTech as a potential competitive advantage often cite the lack of available and mature RegTech solutions as a challenge. Challenges from the RegTech provider perspective include: Lack of technological capabilities – the lack of some clients’ API capabilities and lack of standardisation are perceived as obstacles for technical integration. Security, data privacy and protection issues – privacy regulation may be one of the key constraints for FIs from sharing datasets with RegTech providers. Changes of national and international regulation – complex and continuously evolving regulatory landscape is perceived as a challenge, in particular on prudential reporting, fraud prevention and AML/CFT. Cost of user acquisition – a challenge, especially for recently established and smaller RegTech providers. Lack of FI understanding of RegTech solutions – it appears to RegTech providers that FIs may not be fully aware of all advantages that RegTech solutions may bring. Lack of harmonised legal and regulatory requirements – RegTech providers perceive the lack of harmonisation of regulatory requirements across the EU and the lack of regulatory data standards to be obstacles for wider market adoption of RegTech solutions. Clarity of regulatory/supervisory guidance – RegTech providers</p>
<p>The post <a href="https://complyportal.uk/how-can-we-maximise-regulatory-technology-avoid-its-potential-pitfalls/">How Can We Maximise Regulatory Technology &#038; Avoid Its Potential Pitfalls</a> appeared first on <a href="https://complyportal.uk">Complyportal</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="14714" class="elementor elementor-14714" data-elementor-settings="{&quot;element_pack_global_tooltip_width&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_width_laptop&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_width_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_width_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_padding&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_padding_laptop&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_padding_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_padding_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_radius&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_radius_laptop&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&qu
ot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_radius_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_radius_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true}}">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-3b6c2070 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no" data-id="3b6c2070" data-element_type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-24a14d97" data-id="24a14d97" data-element_type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-6228e7fe elementor-widget elementor-widget-text-editor" data-id="6228e7fe" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<h3 class="entry-title fusion-post-title">How Can We Maximise Regulatory Technology &amp; Avoid Its Potential Pitfalls</h3><div class="post-content"><div class="fusion-fullwidth fullwidth-box fusion-builder-row-1 fusion-flex-container fusion-ie-mode nonhundred-percent-fullwidth non-hundred-percent-height-scrolling"><div class="fusion-builder-row fusion-row fusion-flex-align-items-flex-start"><div class="fusion-layout-column fusion_builder_column fusion-builder-column-0 fusion_builder_column_1_1 1_1 fusion-flex-column"><div class="fusion-column-wrapper fusion-flex-justify-content-flex-start fusion-content-layout-column"><div class="fusion-text fusion-text-1"><p><strong>What recent results from the European Banking</strong></p><p><strong>Authority and ESMA reports show</strong></p><p>The European Banking Authority (EBA) has recently published an <a href="https://www.eba.europa.eu/eba-assesses-benefits-challenges-and-risks-regtech-use-eu-and-puts-forward-steps-be-taken-support">analysis</a> looking into the RegTech landscape in the EU. The report assesses the many benefits, challenges and risks of the use of RegTech in the EU and lays out the steps to be taken to support the sound adoption and scale-up of solutions in this sector. The study also proposes actions designed to enhance the knowledge and skills of the competent authorities (CAs).</p><p>ESMA has also published a <a href="https://www.esma.europa.eu/sites/default/files/library/esma50-165-1524_trv_1_2021.pdf">report</a> on Trends, Risks and Vulnerabilities of the Financial sector dedicating a part on RegTech and SupTech and the change for Markets and authorities. 
This report highlights that market participants are increasingly using new automated tools in a variety of areas, while potential applications of new tools for regulators include greater surveillance capacity and improved data collection and management.</p><p>When technology is used for compliance, it is called Regulatory Technology or ‘RegTech’. RegTech is defined as any range of applications of technology‐enabled innovation for regulatory, compliance and reporting requirements implemented by a regulated institution – with or without the assistance of a RegTech provider.</p><p>RegTech solutions in Financial Institutions (FIs) and Investment Firms (FI’s) are currently evident in:</p><ul><li>Anti-Money-Laundering and Countering the Financing of Terrorism (AML/CFT) – for example, providing solutions for sanction screening or remote onboarding of customers.</li><li>Fraud prevention – through automated behaviour and transaction monitoring.</li><li>Prudential reporting – supporting institutions in their regulatory submissions.</li><li>ICT security – providing detection mechanisms for an institution’s operations security.</li><li>Creditworthiness assessments – providing new capabilities for assessing the creditworthiness of clients.</li><li>Regulatory Reporting – supporting institutions in their trade reporting.</li><li>Risk Management</li></ul><p><strong>Benefits</strong></p><p>According to financial organisations using RegTech solutions, their key benefits are improved risk management, better monitoring and sample capabilities, and a reduction in human error. 
At the same time, RegTech providers place heavy emphasis on their ability to increase efficiency and effectiveness and quell the impact of ongoing regulatory change.</p><p>Some of the increasing disparities in perspective between financial institutions (FIs) and RegTech providers suggest that further research of the benefits afforded by RegTech solutions is required.</p><p>ESMA also believes that the move towards a more data-driven and pro-active approach will enhance monitoring of the financial sector and help ensure better outcomes for market participants and consumers. The continual push for efficiencies and cost savings, particularly for back-end and legacy systems as well as for labour-intensive processes will increase the use of RegTech in the foreseeable future.</p><p><strong>Risks</strong></p><p>EBA highlighted that when not implemented correctly, RegTech solutions may also generate risks for FIs that would need to be identified, monitored and managed. These risks may relate to, for example, compliance, concentration, business continuity, ICT and security, reputational issues, internal governance, conduct and consumer protection, and/or technology.</p><p>RegTech may also <strong>create new risks for CAs supervising FIs</strong>. 
These include potential difficulties in assessing the effectiveness and reliability of the technological solutions used by FIs, and a potential lack of skills and tools needed to supervise the use of technology enabled RegTech solutions and, say, audit the underlying algorithms.</p><p>ESMA focused on the risks and challenges for regulators and market participants in the areas of data collection and management, digital transition and failure on the part of market participants to adapt to the new digitalised infrastructure and the need from regulators to invest in the technological tools and human skills that will allow them to effectively analyse the results, operational risks and the risks from strategic incentives such as developing expertise in RegTech.</p><p><strong>Challenges</strong></p><p>The EBA report suggests that the majority of challenges to RegTech market development involve internal factors within the FIs and providers. Likewise, ESMA considers most of those challenges to apply for FIs. 
However, a lack of common regulatory standards across the EU could also constitute a barrier to the wider market adoption of RegTech solutions.</p><p>The main challenges from the FI perspective are summarised as follows:</p><ul><li><strong>Data-related challenges and cybersecurity threats:</strong> FIs often indicate data quality, data privacy and protection, lack of data integration, data availability, and lack of data standardisation and harmonisation as issues.</li><li><strong>Interoperability and integration with the existing legacy systems:</strong> FI legacy systems and processes have too many silos, making RegTech adoption difficult, and this is further compounded by doubts about the ICT capacity of FIs to support FinTech, RegTech, and InsurTech solutions.</li><li><strong>Changes to regulation:</strong> changes with national or international regulations and other regulatory challenges can be another key barrier to RegTech adoption.</li><li><strong>Costs and procurement process:</strong> RegTech solutions seen as part of compliance and usually treated as a back‐office function may be at risk of underinvestment.</li><li><strong>Lack of necessary skills and training:</strong> when working with either in‐house or external RegTech solutions, FIs need specialists, e.g. 
data scientists and engineers, to be able, where relevant, to scout, assess, operate, and maintain updated RegTech solutions.</li><li><strong>Perceived immaturity of RegTech providers’ solutions:</strong> FIs that see RegTech as a potential competitive advantage often cite the lack of available and mature RegTech solutions as a challenge.</li></ul><p>Challenges from the RegTech provider perspective include:</p><ul><li><strong>Lack of technological capabilities</strong> – the lack of some clients’ API capabilities and lack of standardisation are perceived as obstacles for technical integration.</li><li><strong>Security, data privacy and protection issues</strong> – privacy regulation may be one of the key constraints for FIs from sharing datasets with RegTech providers.</li><li><strong>Changes of national and international regulation</strong> – complex and continuously evolving regulatory landscape is perceived as a challenge, in particular on prudential reporting, fraud prevention and AML/CFT.</li><li><strong>Cost of user acquisition</strong> – a challenge, especially for recently established and smaller RegTech providers.</li><li><strong>Lack of FI understanding of RegTech solutions</strong> – it appears to RegTech providers that FIs may not be fully aware of all advantages that RegTech solutions may bring.</li><li><strong>Lack of harmonised legal and regulatory requirements</strong> – RegTech providers perceive the lack of harmonisation of regulatory requirements across the EU and the lack of regulatory data standards to be obstacles for wider market adoption of RegTech solutions.</li><li><strong>Clarity of regulatory/supervisory guidance</strong> – RegTech providers consider the lack of regulatory/supervisory guidance and support can be an obstacle preventing the roll‐out of their solutions across different countries.</li><li><strong>Competition with other solutions</strong> – a high level of industry competition with other solutions, detailed in segments where 
RegTech providers offer comparable solutions.</li></ul><p><strong>What’s needed to better adopt &amp; scale up RegTech solutions</strong></p><p>The EBA proposes several steps to support the adoption and scaling up of RegTech solutions. These include boosting RegTech knowledge, addressing the skill gaps among regulators and supervisors, supporting the convergence of supervisory practices, providing clarity on market expectations, and harmonising the legal and regulatory requirements.</p><p><strong>For more insight on compliance technology options and benefits, visit <a href="https://complyportal.uk/modules/">https://complyportal.uk/modules/</a> and find out how our straightforward, comprehensive compliance technology solution can help you and your organisation.</strong></p><p><b>About ComplyPortal:</b></p><p>First developed in 2011 by compliance professionals for compliance officers, ComplyPortal offers workflow, automation, and several modules to help firms with control and regulatory compliance monitoring.</p><p>ComplyPortal simplifies financial services regulatory compliance management on an easy-to-use cloud-based comprehensive compliance platform. It enables compliance officers, risk officers and senior management to keep track of their firm’s regulatory responsibilities and workflows. 
Our platform includes the following modules, among others:</p><ul><li><i><u>Monitoring</u>: a year-round schedule pre-populated with monitoring questionnaires to ease compliance processes.</i></li><li><i><u>Registers</u>: lists controlled by the Compliance officer, but easy for staff to view.</i></li><li><i><u>Risk</u>: map and control risk areas to effectively identify and manage risk for your firm.</i></li><li><i><u>eKYC solution</u>: perform comprehensive searches, including client identity verification, document authenticity, and more for a comprehensive KYC and AML approach</i></li></ul><h4><em><strong>CLICK <a href="https://complyportal.uk/get-started-demo/">HERE</a> TO GET STARTED!</strong></em></h4></div></div></div></div></div></div>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
		<p>The post <a href="https://complyportal.uk/how-can-we-maximise-regulatory-technology-avoid-its-potential-pitfalls/">How Can We Maximise Regulatory Technology &#038; Avoid Its Potential Pitfalls</a> appeared first on <a href="https://complyportal.uk">Complyportal</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>EBA final report on revised money-laundering and terrorist financing risk factors guidelines under the fourth Money Laundering Directive</title>
		<link>https://complyportal.uk/eba-final-report-on-revised-money-laundering-and-terrorist-financing-risk-factors-guidelines-under-the-fourth-money-laundering-directive/</link>
		
		<dc:creator><![CDATA[andreas kililis]]></dc:creator>
		<pubDate>Thu, 09 Sep 2021 10:29:17 +0000</pubDate>
				<category><![CDATA[EBA Regulator]]></category>
		<category><![CDATA[Financial Crime Prevention]]></category>
		<category><![CDATA[Compliance Monitoring]]></category>
		<category><![CDATA[EBA]]></category>
		<category><![CDATA[Money Laundering]]></category>
		<category><![CDATA[Monitoring]]></category>
		<guid isPermaLink="false">https://stage.complyportal.uk/?p=14754</guid>

					<description><![CDATA[<p>EBA final report on revised money-laundering and terrorist financing risk factors guidelines under the fourth Money Laundering Directive On 1 March 2021, the EBA published its final report setting out revised guidelines on customer due diligence (CDD) and the factors credit and financial institutions should consider when assessing money laundering (ML) and terrorist financing (TF) risk associated with business relationships and occasional transactions under Articles 17 and 18(4) of Fourth Money Laundering Directive (EU 2015/849) (MLD4). MLD4 and a risk-based approach The anti-money laundering directives are the key pieces of legislation which make up the current European Union anti-money laundering (AML) and counter-terrorist financing (CTF) regime. MLD4 placed a risk-based approach at the center of the regime. As the risk of ML and TF can vary, a risk-based approach helps to manage that risk effectively. MLD4 was required to be transposed into national law by 26 June 2017. Guidelines The greater emphasis in MLD4 on a risk-based approach meant that there was a greater need for guidance for National Competent Authorities (NCAs) and firms. Under MLD4, the European Supervisory Authorities (ESAs) were required to issue guidelines by 26 June 2017, addressed to NCAs and firms, on the risk factors firms should take into consideration and the measures they should take in situations where simplified or enhanced customer due diligence (CDD) would be appropriate. The aim was to promote a common understanding, by firms and competent authorities, of what the risk-based approach to AML/CFT entails and how it should be applied. The Final Guidelines (JC/2017/37) were published on 26 June 2017. The guidelines have applied since 26 June 2018. Guidelines are addressed to NCAs and firms and their purpose is to clarify the supervisory expectations and to enhance the convergence of supervisory practices. 
Although they are non-binding, NCAs and firms to whom guidelines are addressed are expected to comply with them (on a “comply or explain” basis). MLD5 and ESA ongoing work On 19 June 2018, the Fifth Money Laundering Directive (EU 2018/843) (MLD5) entered into force. MLD5 was required to be transposed into national law by 10 January 2020. MLD5 amended MLD4 to strengthen the fight against terrorist finance and ensure the increased transparency of financial transactions. As a result, the Guidelines needed to be updated to take account of the new legal framework. At the same time, the ESAs’ ongoing work on ML/TF risk highlighted several areas where significant differences continued to exist in firms’ approaches to AML/CFT. The EBA’s new role Since 1 January 2020, the responsibility to produce these guidelines (and to update them) has been passed to the European Banking Authority (EBA), by virtue of Article 3(3) of the Omnibus Directive amending Article 17 of MLD4, giving the EBA powers to lead, co-ordinate and monitor efforts to strengthen AML and CTF measures across the EU in respect of financial institutions. The EBA launched a consultation on a revised version of the guidelines on 5 February 2020 proposing changes to reflect MLD5, as well as concerns identified by the ESAs. The revised guidelines On 1 March 2021, the EBA published its final revised guidelines. General Guidelines The EBA has provided more details to existing central parts of the guidelines, as well as adding new guidance on emerging risks: business-wide and individual ML/TF risk assessments; customer due diligence measures including the identification of the beneficial owner and enhanced due diligence in relation to high risk third countries; TF risk factors; and emerging risks, such as the use of innovative solutions for CDD purposes. 
High risk third countries The revised Guidelines require firms to carefully assess the risks associated with business relationships and transactions where the customer is known to maintain close personal or professional links with a high-risk third country, or beneficial owner(s) is/are known to maintain close personal or professional links with a high-risk third country. Beneficial ownership Under the revised guidelines, when discharging their obligations set out in Article 13(1)(b) of MLD4 to understand the customer’s ownership and control structure, firms should: ask the customer who their beneficial owners are; document the information obtained; and then take all necessary and reasonable measures to verify the information: to achieve this, firms should consider using beneficial ownership registers where available. Beneficial ownership registers – Firms should be mindful that using information contained in beneficial ownership registers does not, in itself, fulfil their duty to take adequate and risk-sensitive measures to identify the beneficial owner and verify their identity. Firms may have to take additional steps to identify and verify the beneficial owner, specifically where the risk associated with the business relationship is increased or where the firm has doubts that the person listed in the register is the ultimate beneficial owner. Control through other means – Firms should also take reasonable measures to understand the customer’s ownership and control structure. The measures firms take to understand the customer’s ownership and control structure should be sufficient so that the firm can be reasonably satisfied that it understands the risk associated with different layers of ownership and control. In particular, firms should be satisfied that, the customer’s ownership and control structure are not unduly complex or opaque; or complex or opaque ownership and control structures have a legitimate legal or economic reason. 
Firms should pay particular attention to persons who may exercise ‘control through other means’. Examples of ‘control through other means’ firms should consider include: control without direct ownership, for example through close family relationships, or historical or contractual associations; using, enjoying or benefiting from the assets owned by the customer; responsibility for strategic decisions that fundamentally affect the business practices or general direction of a legal person. Identifying the customer’s senior managing officials – Firms should resort to identifying the customer’s senior managing officials as beneficial owners only if: They have exhausted all possible means of identifying the natural person who ultimately owns or controls the customer; Their inability to identify the natural person who ultimately owns or controls the customer does not give rise to suspicions of ML/TF; and They are</p>
<p>The post <a href="https://complyportal.uk/eba-final-report-on-revised-money-laundering-and-terrorist-financing-risk-factors-guidelines-under-the-fourth-money-laundering-directive/">EBA final report on revised money-laundering and terrorist financing risk factors guidelines under the fourth Money Laundering Directive</a> appeared first on <a href="https://complyportal.uk">Complyportal</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="14754" class="elementor elementor-14754" data-elementor-settings="{&quot;element_pack_global_tooltip_width&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_width_laptop&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_width_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_width_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_padding&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_padding_laptop&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_padding_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_padding_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_radius&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_radius_laptop&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&qu
ot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_radius_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_radius_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true}}">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-3b6c2070 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no" data-id="3b6c2070" data-element_type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-24a14d97" data-id="24a14d97" data-element_type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-6228e7fe elementor-widget elementor-widget-text-editor" data-id="6228e7fe" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<h3 class="entry-title fusion-post-title">EBA final report on revised money-laundering and terrorist financing risk factors guidelines under the fourth Money Laundering Directive</h3><div class="post-content"><div class="fusion-fullwidth fullwidth-box fusion-builder-row-1 fusion-flex-container fusion-ie-mode nonhundred-percent-fullwidth non-hundred-percent-height-scrolling"><div class="fusion-builder-row fusion-row fusion-flex-align-items-flex-start"><div class="fusion-layout-column fusion_builder_column fusion-builder-column-0 fusion_builder_column_1_1 1_1 fusion-flex-column"><div class="fusion-column-wrapper fusion-flex-justify-content-flex-start fusion-content-layout-column"><div class="fusion-text fusion-text-1"><p>On 1 March 2021, the EBA published its <a href="https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guidelines/2021/963637/Final%20Report%20on%20Guidelines%20on%20revised%20ML%20TF%20Risk%20Factors.pdf">final report</a> setting out revised guidelines on customer due diligence (CDD) and the factors credit and financial institutions should consider when assessing money laundering (ML) and terrorist financing (TF) risk associated with business relationships and occasional transactions under Articles 17 and 18(4) of the Fourth Money Laundering Directive (EU 2015/849) (MLD4).</p><p><em><strong>MLD4 and a risk-based approach</strong></em></p><p>The anti-money laundering directives are the key pieces of legislation which make up the current European Union anti-money laundering (AML) and counter-terrorist financing (CTF) regime. MLD4 placed a risk-based approach at the centre of the regime. As the risk of ML and TF can vary, a risk-based approach helps to manage that risk effectively. 
MLD4 was required to be transposed into national law by 26 June 2017.</p><p><em><strong>Guidelines</strong></em></p><p>The greater emphasis in MLD4 on a risk-based approach meant that there was a greater need for guidance for National Competent Authorities (NCAs) and firms. Under MLD4, the European Supervisory Authorities (ESAs) were required to issue guidelines by 26 June 2017, addressed to NCAs and firms, on the risk factors firms should take into consideration and the measures they should take in situations where simplified or enhanced customer due diligence (CDD) would be appropriate. The aim was to promote a common understanding, by firms and competent authorities, of what the risk-based approach to AML/CFT entails and how it should be applied.</p><p>The Final Guidelines (JC/2017/37) were published on 26 June 2017. The guidelines have applied since 26 June 2018. Guidelines are addressed to NCAs and firms and their purpose is to clarify the supervisory expectations and to enhance the convergence of supervisory practices. Although they are non-binding, NCAs and firms to whom guidelines are addressed are expected to comply with them (on a “comply or explain” basis).</p><p><em><strong>MLD5 and ESA ongoing work</strong></em></p><p>On 19 June 2018, the Fifth Money Laundering Directive (EU 2018/843) (MLD5) entered into force. MLD5 was required to be transposed into national law by 10 January 2020. MLD5 amended MLD4 to strengthen the fight against terrorist finance and ensure the increased transparency of financial transactions. As a result, the Guidelines needed to be updated to take account of the new legal framework. 
At the same time, the ESAs’ ongoing work on ML/TF risk highlighted several areas where significant differences continued to exist in firms’ approaches to AML/CFT.</p><p><em><strong>The EBA’s new role</strong></em></p><p>Since 1 January 2020, the responsibility to produce these guidelines (and to update them) has been passed to the European Banking Authority (EBA), by virtue of Article 3(3) of the Omnibus Directive amending Article 17 of MLD4, giving the EBA powers to lead, co-ordinate and monitor efforts to strengthen AML and CTF measures across the EU in respect of financial institutions.</p><p>The EBA launched a consultation on a revised version of the guidelines on 5 February 2020 proposing changes to reflect MLD5, as well as concerns identified by the ESAs.</p><p><em><strong>The revised guidelines</strong></em></p><p>On 1 March 2021, the EBA published its final revised guidelines.</p><p><em><strong>General Guidelines</strong></em></p><p>The EBA has provided more details to existing central parts of the guidelines, as well as adding new guidance on emerging risks:</p><ul><li>business-wide and individual ML/TF risk assessments;</li><li>customer due diligence measures including the identification of the beneficial owner and</li><li>enhanced due diligence in relation to high risk third countries;</li><li>TF risk factors; and</li><li>emerging risks, such as the use of innovative solutions for CDD purposes.</li></ul><p><em><strong>High risk third countries</strong></em></p><p>The revised Guidelines require firms to carefully assess the risks associated with business relationships and transactions where the customer is known to maintain close personal or professional links with a high-risk third country, or beneficial owner(s) is/are known to maintain close personal or professional links with a high-risk third country.</p><p><em><strong>Beneficial ownership</strong></em></p><p>Under the revised guidelines, when discharging their obligations set out in Article 
13(1)(b) of MLD4 to understand the customer’s ownership and control structure, firms should:</p><ul><li>ask the customer who their beneficial owners are;</li><li>document the information obtained; and</li><li>then take all necessary and reasonable measures to verify the information: to achieve this, firms should consider using beneficial ownership registers where available.</li></ul><p><em>Beneficial ownership registers</em> – Firms should be mindful that using information contained in beneficial ownership registers does not, in itself, fulfil their duty to take adequate and risk-sensitive measures to identify the beneficial owner and verify their identity. Firms may have to take additional steps to identify and verify the beneficial owner, specifically where the risk associated with the business relationship is increased or where the firm has doubts that the person listed in the register is the ultimate beneficial owner.</p><p><em>Control through other means</em> – Firms should also take reasonable measures to understand the customer’s ownership and control structure. The measures firms take to understand the customer’s ownership and control structure should be sufficient so that the firm can be reasonably satisfied that it understands the risk associated with different layers of ownership and control. In particular, firms should be satisfied that the customer’s ownership and control structure is not unduly complex or opaque; or complex or opaque ownership and control structures have a legitimate legal or economic reason.</p><p>Firms should pay particular attention to persons who may exercise ‘control through other means’. 
Examples of ‘control through other means’ firms should consider include:</p><ul><li>control without direct ownership, for example through close family relationships, or historical or contractual associations;</li><li>using, enjoying or benefiting from the assets owned by the customer;</li><li>responsibility for strategic decisions that fundamentally affect the business practices or general direction of a legal person.</li></ul><p><em>Identifying the customer’s senior managing officials</em> – Firms should resort to identifying the customer’s senior managing officials as beneficial owners only if:</p><ul><li>They have exhausted all possible means of identifying the natural person who ultimately owns or controls the customer;</li><li>Their inability to identify the natural person who ultimately owns or controls the customer does not give rise to suspicions of ML/TF; and</li><li>They are satisfied that the reason given by the customer as to why the natural person who ultimately owns or controls the customer cannot be identified is plausible.</li></ul><p><em><strong>De-risking</strong></em></p><p>EBA also reiterates that there is no requirement for financial institutions to discontinue services to entire categories of customers that they associate with higher ML/TF risk (so-called ‘de-risking’). Instead, firms should balance the need for financial inclusion with the need to mitigate and manage ML/TF risk.</p><p>The EBA had launched a separate Call for Input in 2020, to understand why financial institutions choose to de-risk and therefore exacerbate financial exclusion, instead of managing the risks associated with certain sectors or categories of customers. The Call for Input received more than 300 responses by the deadline in September 2020 and the EBA is assessing the implications for its policy development in this area. 
The feedback gathered from this Call will potentially feed into other EBA outputs.</p><p><em><strong>Electronic identification</strong></em></p><p>Where a business relationship is initiated, established, or conducted in non-face to face situations or an occasional transaction is done in non-face to face situations, firms should take adequate measures to be satisfied that the customer is who he claims to be and assess whether the non-face to face nature of the relationship or occasional transaction gives rise to increased ML/TF risk. The use of electronic means of identification does not of itself give rise to increased ML/TF risk, especially where these electronic means provide a high level of assurance.</p><p>Moreover, MLD4 is technology neutral and firms may choose to use electronic or documentary means, or a combination thereof, to evidence their customers’ identity. Firms that use or intend to use innovative technological means for identification and verification purposes should assess the extent to which the use of innovative technological solutions can address, or might exacerbate, the ML/TF risks, particularly in non-face to face situations. Firms that use an external provider, rather than develop their own innovative solution in-house, remain ultimately responsible for meeting their CDD obligations.</p><p><em><strong>Monitoring</strong></em></p><p>Firms should put in place systems and controls to keep their assessments of the ML/TF risk associated with their business, and with their individual business relationships under review to ensure that their assessment of ML/TF risk remains up to date and relevant. The level, frequency and intensity of monitoring may be adjusted in a way that is commensurate to the ML/TF risk associated with the customer or the transactions. 
In high-risk situations, firms should consider whether enhanced ongoing monitoring of the relationship would be appropriate, including increasing the frequency of reviews to be satisfied that the firm continues to be able to manage the risk associated with the individual business. The guidelines list additional enhanced due diligence measures that may be of particular relevance in different sectors.</p><p><em><strong>Sector-specific Guidelines</strong></em></p><p>In addition, since the first publication of these Guidelines in 2017, the financial sector has evolved and existing and emerging risks have been identified. Therefore, new sectoral guidelines need to be included so as to tackle the specific AML/CFT risks of those sectors and to promote convergence in relation to the following sectors:</p><ul><li>crowdfunding platforms</li><li>corporate finance</li><li>account information service providers (AISPs)</li><li>payment initiation services providers (PISPs), and</li><li>firms providing activities of currency exchanges offices.</li></ul><p><em><strong>Next steps and Timing of application of revised guidelines</strong></em></p><p>The guidelines will be translated into the official EU languages and published on the EBA website and will apply three months after publication in all EU official languages. 
Upon the date of application, the original guidelines will be repealed and replaced with the revised guidelines.</p><p><strong>For more insight on compliance technology options and benefits, visit <a href="https://complyportal.uk/modules/">https://complyportal.uk/modules/</a> and find out how our straightforward, comprehensive compliance technology solution can help you and your organisation.</strong></p><p><b>About ComplyPortal:</b></p><p>First developed in 2011 by compliance professionals for compliance officers, ComplyPortal offers workflow, automation, and several modules to help firms with control and regulatory compliance monitoring.</p><p>ComplyPortal simplifies financial services regulatory compliance management on an easy-to-use cloud-based comprehensive compliance platform. It enables compliance officers, risk officers and senior management to keep track of their firm’s regulatory responsibilities and workflows. Our platform includes the following modules, among others:</p><ul><li><i><u>Monitoring</u>: a year-round schedule pre-populated with monitoring questionnaires to ease compliance processes.</i></li><li><i><u>Registers</u>: lists controlled by the Compliance officer, but easy for staff to view.</i></li><li><i><u>Risk</u>: map and control risk areas to effectively identify and manage risk for your firm.</i></li><li><i><u>eKYC solution</u>: perform comprehensive searches, including client identity verification, document authenticity, and more for a comprehensive KYC and AML approach</i></li></ul><h4><em><strong>CLICK <a href="https://complyportal.uk/get-started-demo/">HERE</a> TO GET STARTED!</strong></em></h4></div></div></div></div></div></div>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
		<p>The post <a href="https://complyportal.uk/eba-final-report-on-revised-money-laundering-and-terrorist-financing-risk-factors-guidelines-under-the-fourth-money-laundering-directive/">EBA final report on revised money-laundering and terrorist financing risk factors guidelines under the fourth Money Laundering Directive</a> appeared first on <a href="https://complyportal.uk">Complyportal</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>European Banking Authority (EBA) released its guidelines on ICT and security risk management</title>
		<link>https://complyportal.uk/european-banking-authority-eba-released-its-guidelines-on-ict-and-security-risk-management/</link>
		
		<dc:creator><![CDATA[andreas kililis]]></dc:creator>
		<pubDate>Thu, 09 Sep 2021 10:25:53 +0000</pubDate>
				<category><![CDATA[EBA Regulator]]></category>
		<category><![CDATA[Financial Crime Prevention]]></category>
		<category><![CDATA[Operational Resilience]]></category>
		<category><![CDATA[Compliance Monitoring]]></category>
		<category><![CDATA[EBA]]></category>
		<category><![CDATA[Money Laundering]]></category>
		<category><![CDATA[Monitoring]]></category>
		<guid isPermaLink="false">https://stage.complyportal.uk/?p=14745</guid>

					<description><![CDATA[<p>European Banking Authority (EBA) released its guidelines on ICT and security risk management While Europe’s financial institutions are struggling to absorb the shock caused by the COVID-19 pandemic, security risks and the frequency of Information and Communications Technology (ICT) and security-related incidents (including cyber incidents) are rising, which, in turn, has the potential to adversely impact financial institutions’ operational functioning. The financial sector’s increasing digitalisation and the growing interconnectedness between financial institutions and third parties make financial institutions’ operations vulnerable to internal and external ICT and security risks that could potentially compromise their viability. As a result, sound ICT and security risk management are key for a financial institution to achieve its strategic, corporate, operational and reputational objectives. For this reason, the European Banking Authority (EBA) issued its Guidelines on ICT and security risk management which entered into force on 30 June 2020. These guidelines set out EBA’s expectations on how financial institutions should manage the internal and external ICT and security risks. Do you meet the requirements? Financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management and mitigation of ICT and security risks through an independent and objective control function, appropriately segregated from ICT operations processes and not responsible for any internal audit, and an independent internal audit function. Maintain up-to-date inventories of business functions and assess the operational risks related to ICT and the security risks and determine what measures are required to mitigate the identified risks. 
Requirements to implement effective information security measures, including having an information security policy in place; establishing, implementing and testing information security measures; and establishing a training programme for all staff and contractors. Requirements for ICT operations management including requirements to improve, when possible, the efficiency of ICT operations; implement logging and monitoring procedures for critical ICT operations; maintain an up-to-date inventory of ICT assets; monitor and manage the life cycle of ICT assets; and implement backup plans and recovery Requirements for ICT project and change management, including the acquisition, development and maintenance of ICT systems and services. Business continuity management and developing response and recovery plans, including testing, and their consequent updating based on the test results. Ensure effective crisis communication measures are in place so that all relevant internal and external stakeholders can be informed in a timely manner. If you don’t know where to start and are uncertain as to the security risks that exist in your organisation and how they should be identified and controlled, we are here to help you. For more insight on compliance technology options and benefits, visit https://complyportal.uk/modules/ and find out how our straightforward, comprehensive compliance technology solution can help you and your organisation. About ComplyPortal: First developed in 2011 by compliance professionals for compliance officers, ComplyPortal offers workflow, automation, and several modules to help firms with control and regulatory compliance monitoring. ComplyPortal simplifies financial services regulatory compliance management on an easy-to-use cloud-based comprehensive compliance platform. It enables compliance officers, risk officers and senior management to keep track of their firm’s regulatory responsibilities and workflows. 
Our platform includes the following modules, among others: Monitoring: a year-round schedule pre-populated with monitoring questionnaires to ease compliance processes. Registers: lists controlled by the Compliance officer, but easy for staff to view. Risk: map and control risk areas to effectively identify and manage risk for your firm. eKYC solution: perform comprehensive searches, including client identity verification, document authenticity, and more for a comprehensive KYC and AML approach CLICK HERE TO GET STARTED!</p>
<p>The post <a href="https://complyportal.uk/european-banking-authority-eba-released-its-guidelines-on-ict-and-security-risk-management/">European Banking Authority (EBA) released its guidelines on ICT and security risk management</a> appeared first on <a href="https://complyportal.uk">Complyportal</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="14745" class="elementor elementor-14745" data-elementor-settings="{&quot;element_pack_global_tooltip_width&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_width_laptop&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_width_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_width_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;element_pack_global_tooltip_padding&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_padding_laptop&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_padding_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_padding_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_radius&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_radius_laptop&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&qu
ot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_radius_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true},&quot;element_pack_global_tooltip_border_radius_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;top&quot;:&quot;&quot;,&quot;right&quot;:&quot;&quot;,&quot;bottom&quot;:&quot;&quot;,&quot;left&quot;:&quot;&quot;,&quot;isLinked&quot;:true}}">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-3b6c2070 elementor-section-boxed elementor-section-height-default elementor-section-height-default wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no" data-id="3b6c2070" data-element_type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-24a14d97" data-id="24a14d97" data-element_type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-6228e7fe elementor-widget elementor-widget-text-editor" data-id="6228e7fe" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
									<h3 class="entry-title fusion-post-title">European Banking Authority (EBA) released its guidelines on ICT and security risk management</h3><div class="post-content"><div class="fusion-fullwidth fullwidth-box fusion-builder-row-1 fusion-flex-container fusion-ie-mode nonhundred-percent-fullwidth non-hundred-percent-height-scrolling"><div class="fusion-builder-row fusion-row fusion-flex-align-items-flex-start"><div class="fusion-layout-column fusion_builder_column fusion-builder-column-0 fusion_builder_column_1_1 1_1 fusion-flex-column"><div class="fusion-column-wrapper fusion-flex-justify-content-flex-start fusion-content-layout-column"><div class="fusion-text fusion-text-1"><p>While Europe’s financial institutions are struggling to absorb the shock caused by the COVID-19 pandemic, security risks and the frequency of Information and Communications Technology (ICT) and security-related incidents (including cyber incidents) are rising, which, in turn, has the potential to adversely impact financial institutions’ operational functioning.</p><p>The financial sector’s increasing digitalisation and the growing interconnectedness between financial institutions and third parties make financial institutions’ operations vulnerable to internal and external ICT and security risks that could potentially compromise their viability. As a result, sound ICT and security risk management are key for a financial institution to achieve its strategic, corporate, operational and reputational objectives.</p><p>For this reason, the European Banking Authority (EBA) issued its <a href="https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guidelines/2020/GLs%20on%20ICT%20and%20security%20risk%20management/872936/Final%20draft%20Guidelines%20on%20ICT%20and%20security%20risk%20management.pdf"><strong>Guidelines on ICT and security risk management</strong></a> which entered into force on 30 June 2020. 
These guidelines set out EBA’s expectations on how financial institutions should manage the internal and external ICT and security risks.</p><p><strong>Do you meet the requirements?</strong></p><ul><li>Financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management and mitigation of ICT and security risks through an independent and objective control function, appropriately segregated from ICT operations processes and not responsible for any internal audit, and an independent internal audit function.</li><li>Maintain up-to-date inventories of business functions and assess the operational risks related to ICT and the security risks and determine what measures are required to mitigate the identified risks.</li><li>Requirements to implement effective information security measures, including having an information security policy in place; establishing, implementing and testing information security measures; and establishing a training programme for all staff and contractors.</li><li>Requirements for ICT operations management including requirements to improve, when possible, the efficiency of ICT operations; implement logging and monitoring procedures for critical ICT operations; maintain an up-to-date inventory of ICT assets; monitor and manage the life cycle of ICT assets; and implement backup plans and recovery</li><li>Requirements for ICT project and change management, including the acquisition, development and maintenance of ICT systems and services.</li><li>Business continuity management and developing response and recovery plans, including testing, and their consequent updating based on the test results. 
Ensure effective crisis communication measures are in place so that all relevant internal and external stakeholders can be informed in a timely manner.</li></ul><p>If you don’t know where to start and are uncertain as to the security risks that exist in your organisation and how they should be identified and controlled, we are here to help you.</p><p><strong>For more insight on compliance technology options and benefits, visit <a href="https://complyportal.uk/modules/">https://complyportal.uk/modules/</a> and find out how our straightforward, comprehensive compliance technology solution can help you and your organisation.</strong></p><p><b>About ComplyPortal:</b></p><p>First developed in 2011 by compliance professionals for compliance officers, ComplyPortal offers workflow, automation, and several modules to help firms with control and regulatory compliance monitoring.</p><p>ComplyPortal simplifies financial services regulatory compliance management on an easy-to-use cloud-based comprehensive compliance platform. It enables compliance officers, risk officers and senior management to keep track of their firm’s regulatory responsibilities and workflows. Our platform includes the following modules, among others:</p><ul><li><i><u>Monitoring</u>: a year-round schedule pre-populated with monitoring questionnaires to ease compliance processes.</i></li><li><i><u>Registers</u>: lists controlled by the Compliance officer, but easy for staff to view.</i></li><li><i><u>Risk</u>: map and control risk areas to effectively identify and manage risk for your firm.</i></li><li><i><u>eKYC solution</u>: perform comprehensive searches, including client identity verification, document authenticity, and more for a comprehensive KYC and AML approach</i></li></ul><h4><em><strong>CLICK <a href="https://complyportal.uk/get-started-demo/">HERE</a> TO GET STARTED!</strong></em></h4></div></div></div></div></div></div>								</div>
				</div>
					</div>
		</div>
					</div>
		</section>
				</div>
		<p>The post <a href="https://complyportal.uk/european-banking-authority-eba-released-its-guidelines-on-ict-and-security-risk-management/">European Banking Authority (EBA) released its guidelines on ICT and security risk management</a> appeared first on <a href="https://complyportal.uk">Complyportal</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
