News Update Financial Regulatory

Developments in European AML/CFT supervision, cyber risk, 'finfluencers' and more
17 January 2022

In this News Update, we discuss developments in European anti-money laundering and countering the financing of terrorism supervision, information security and related cyber risks; and the pitfalls of 'finfluencing'. We further highlight some other financial regulatory publications issued last month.

EBA | Developments in European AML/CFT supervision

As part of its task of ensuring the integrity, transparency and orderly functioning of financial markets, the European Banking Authority ("EBA") focuses on preventing the use of the financial system for money laundering and terrorist financing purposes. Recently, EBA has been very active in this area, as evidenced by the following publications.

Draft Guidelines on the use of remote customer onboarding solutions
Financial institutions have seen a growing demand for remote customer onboarding solutions, partly due to movement restrictions prompted by the COVID-19 pandemic. As a result, EBA stresses the importance for supervisors and financial institutions to understand the capabilities of remote solutions to make the most of the opportunities they offer. To support their sound and responsible use, they also need to be attuned to money laundering and terrorist financing ("ML/TF") risks arising from the use of such tools and take steps to mitigate those risks effectively. The Guidelines set out the steps financial institutions should take to ensure safe and effective remote customer onboarding practices in line with applicable anti-money laundering and countering the financing of terrorism ("AML/CFT") legislation and the EU’s data protection framework. The public consultation on these Guidelines is open until 10 March 2022.

Revised Guidelines on risk-based supervision of credit and financial institutions’ compliance with AML/CFT obligations
These revised Guidelines, published on 16 December 2021, build on the existing four-step approach to the risk-based AML/CFT supervision and provide additional guidance on ML/TF risk assessments, including the sectoral risk assessment. They also help supervisors choose the most effective tools to meet their supervisory objectives, especially in situations where they have identified breaches and weaknesses in institutions’ systems and controls framework. The revised Guidelines also emphasise the importance of cooperation between AML/CFT supervisors and other stakeholders, including prudential supervisors, Financial Intelligence Units ("FIUs") and tax authorities.

Final Guidelines on cooperation and information exchange between prudential supervisors, AML/CFT supervisors and financial intelligence units
These final Guidelines, published on 16 December 2021, set out how prudential supervisors, AML/CFT supervisors and FIUs should cooperate and exchange information in relation to AML/CFT, in line with provisions laid down in the Capital Requirements Directive.

Draft Regulatory Technical Standards on an AML/CFT central database in the EU
EBA is legally required to establish and keep up to date an AML/CFT central database. This database, the European Reporting system for material CFT/AML weaknesses ("EuReCA"), will contain information on material weaknesses in individual financial institutions that make them vulnerable to ML/TF. EU supervisors will have to report such weaknesses, as well as the measures they have taken to rectify them. The draft Regulatory Technical Standards ("RTS"), published on 20 December 2021, specify when weaknesses are material, the type of information supervisors will have to report, how information will be collected and how EBA will analyse and disseminate the information contained in EuReCA.

Opinion on de-risking
On 5 January 2022, EBA published its Opinion on the scale and impact of de-risking in the EU and the steps supervisors should take to tackle unwarranted de-risking. De-risking refers to decisions taken by financial institutions not to provide services to customers in certain risk categories. According to EBA, de-risking can be a legitimate risk management tool, but it can also be a sign of ineffective ML/TF risk management, with possible severe consequences. EBA considers that its regulatory guidance on how to manage ML/TF risks, if applied correctly, should help avert unwarranted de-risking. To further complement this guidance, EBA encourages supervisors to engage more actively with institutions that de-risk and with users of financial services that are particularly affected by de-risking, to raise mutual awareness of their respective rights and responsibilities. EBA also advises the European Commission to clarify, in the Payment Account Directive, the interaction between AML/CFT requirements and the right to open and use a payment account with basic features, and to take advantage of the forthcoming review of the Payment Services Directive to ensure more convergence in the way payment institutions access credit institutions’ payment accounts services.

DNB and EBA | Information security and related cyber risks

The Dutch Central Bank (De Nederlandsche Bank, "DNB") considers information security and related cyber risks to be one of the important operational risks in financial institutions. Because cyberattacks have the potential to severely damage the continuity of business operations, DNB shares examples for managing these risks in Q&As and Good Practices, conducts sector-wide and individual surveys at institutions, and cooperates with the financial sector in parts to further strengthen the institutions' resilience. The IB Monitor 2021, which was published (only in Dutch) on 22 December 2021, shares the most recent observations regarding IT and cyber risks, based on supervisory examinations and queries from pension funds and insurers. It also includes a threat analysis and an outlook on planned supervisory activities in 2022. Supervisory interviews and surveys of banking institutions have shown that the observations mentioned in the IB Monitor 2021 are also relevant for the entire Dutch financial sector. The three main observations, which are further elaborated in the IB Monitor 2021, are that:
  • the risk management cycle within institutions focusing on information security is insufficiently effective;
  • controlling information security throughout the entire outsourcing chain is crucial; and
  • the resilience against cyberattacks must be strengthened.

On the same subject, DNB published a Q&A Assessment Framework for DNB Information Security Examination on its website.

EBA also drew attention to cyber risk. In its Risk Dashboard Q3 2021, EBA established that cyber and information and communication technology related risks remain elevated and operational risk losses increased during the pandemic. EBA finds that relying on third-party providers further aggravates these risks.

AFM | The pitfalls of 'finfluencing'

On 20 December 2021, the Dutch Authority for the Financial Markets ("AFM") published an exploratory study, The pitfalls of 'finfluencing' (De valkuilen bij 'finfluencen', only in Dutch), on approximately 150 financial influencers ("finfluencers") who comment on social media on investing. Although these finfluencers provide accessible information about investing and therefore meet a need, according to the AFM, the working methods of almost all finfluencers involve the following risks:
  • Investment advice without a licence;
  • Insufficient care with investment recommendations;
  • Recommending high risk products;
  • Working with unlicensed parties; and
  • Fees for introducing clients to finfluencers.

Rules apply with respect to these subjects and should also apply to finfluencers. The AFM has ascertained that not all finfluencers, nor the investment firms that pay them, comply with these rules. Industrial associations indicated they wanted stricter supervision, but the AFM saw no reason for this.

In this context, the AFM has also drawn attention (see this statement, only in Dutch) to the ban on commission for investment firms, which also applies to paying finfluencers. This is the case when finfluencers bring in customers through their channels. According to the ban on commissions, this is not allowed.

Other financial regulatory publications

We have highlighted a selection of other publications by legislatures and regulators for the financial markets and financial supervision since our December 2021 News Update was published.

If you have any financial regulatory questions, please do not hesitate to contact Berry van Wijk and Roel Theissen. For questions related to Investment Management, you can also contact our colleagues Oscar van Angeren and Marthe Bollen.

 

Written by:
Berry van Wijk

Roel Theissen
