Recent publications on AFM Agenda, remuneration of financial enterprises, MiFID II disclosure  and DORA

News Update Financial Regulatory

EIOPA's Supervisory Convergence Plan, Fine for Travelex and EBA Q&As on SCA
1 March 2023

In this News Update we discuss EIOPA's Supervisory Convergence Plan (2023), DNB's fine on Travelex for late reporting of unusual transactions, and EBA Q&As on strong customer authentication.

EIOPA | Supervisory Convergence Plan 2023

On 1 February 2023, the European Insurance and Occupational Pensions Authority (EIOPA) published its Supervisory Convergence Plan for 2023. The priorities for 2023 remain mainly the same as in the last year's, in view of the need to further develop some of the areas. New areas also have been identified, such as supervision of Environmental, Social and Governance (ESG) risks in the insurance and pensions sector and continuous work on supervisory convergence in light of digital transformation. The plan will continue to address the following three main priorities to enhance supervisory conversion:

1. Practical implementation of the key characteristics of the common supervisory culture and further development of supervisory tools

This priority includes topics such as the supervisory assessment of conduct risks, whereby EIOPA, for example, will launch a conduct risk assessment through a multi-country mystery shopping exercise, continue developing a conduct risks dashboard, and follow up other matters from the 2022 thematic review. Another topic is the supervisory approach to ESG risks. This covers aspects such as the monitoring of greenwashing and the use of EIOPA's Opinion on ESG risk scenarios in the Own Risk and Solvency Assessment (ORSA). It also addresses the analysis of consumers’ understanding of natural catastrophe insurance coverage, and the improvement of clarity on contractual terms and conditions.

A last example of a topic related to the first priority is the supervision of captives (i.e. wholly owned subsidiaries created to provide insurance to their parent companies). EIOPA will publish recommendations to National Competent Authorities (NCAs) on how to supervise some specificities of captives insurance and reinsurance undertakings such as governance-related aspects for the outsourcing of key function, treatment of inter-company loans and cash pooling, and the prudent person principle.

2. Risks to the internal market and to the level playing field which may lead to supervisory arbitrage

This area contains mainly prudential topics such as the calculation of technical provision and studies and analyses on internal model outcomes and modelling methodologies. EIOPA and the other European Supervisory Authorities (ESAs) will set up a cross-sectoral system for information exchange in respect of 'fit and proper assessments', including the development of Joint Guidelines. See also the ESAs' 31 January 2023 consultation paper on this subject.

3. Supervision of emerging risks

This area consists of IT security and governance-related risks, including cyber risks, digital transformation, cyber underwriting a digital business model analysis.

DNB | Administrative fine for Travelex for late reporting of unusual transactions

In a Dutch language press release, DNB has announced the imposition of an administrative fine of EUR 100,000 on Travelex N.V. (formerly known as Grenswisselkantoor, (Travelex)) for failing to report unusual transactions in time. Travelex is a payment service provider and, as result, an institution as referred to in the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme, Wwft). Article 16 of the Wwft provides that once an institution becomes aware of an unusual transaction, carried out or intended, the institution must report it to the Financial Intelligence Unit (FIU) without delay. 

Article 16 Wwft
In practice, reporting without delay means in any event within 14 days, and so much earlier as actually possible after sufficiently careful internal consideration as to whether a transaction must be considered unusual. Establishing whether a transaction must be considered unusual is done using two categories of indicators: objective and subjective. These indicators are laid down in Annex 1 of the Implementation Decree of the Wwft (Uitvoeringsbesluit Wwft).

Objective indicators describe situations in which reporting is always required. One of the objective indicators is that payment service providers must report a money transfer for an amount of EUR 2,000 or more (or the equivalent in foreign currency) to the FIU, unless it is a money transfer by an institution that leaves the settlement of the money transfer in question to another institution that is also subject to the duty to report referred to in Article 16(1) Wwft.

DNB's assessment
Travelex did not report unusual transactions on the basis of an objective indicator in the period 2019-2022 to the FIU until 2022. DNB observed that the notification in 2022 had not been made 'without delay' as the unusual nature of the transactions should have been known on the transaction dates. Travelex had therefore acted in conflict with Article 16 of the Wwft. During the period that Travelex acted in breach of the Wwft, Travelex ran an increased risk of becoming involved in laundering the proceeds of crime and in terrorist financing. Consequently, Travelex compromised the objectives of the Wwft for an extended period of time. DNB therefore considers this offence to be serious. Furthermore, according to DNB, the fact that Travelex took the initiative to report that it had not complied with the statutory obligation for a three-year period supports the view that Travelex knew of this obligation. DNB’s opinion is therefore that Travelex is fully responsible for the infringement.
In principle, acting in breach of Article 16 Wwft results in a fine in penalty category 3 (EUR 2,500,000 – EUR 5,000,000). However, when establishing the actual amount of the fine, DNB takes a step-by-step plan into account. In the situation of Travelex, DNB reduced the fine taking into account the size of the business and the following facts: Travelex had ended the infringement as soon as possible on its own initiative, had taken adequate measures to avoid repetition of the infringement, and had reported the infringement of its own accord, without having a statutory obligation to do so.

EBA | Q&As on clarification strong customer authentication

On 31 January 2023 the European Banking Authority (EBA) published three new Q&As (Q&A 5622, Q&A 6145 and Q&A 6464) to clarify the application of strong customer authentication to digital wallets under the revised Payment Services Directive (PSD2). Strong customer authentication (SCA) is the process of verifying the customer's authentication based on two of the three following criteria: something the customer knows, something the customer owns, and something customer is. 

Q&A 5622 refers to the enrolment of a payment card to a digital wallet, which, as EBA explains, results in the creation of a tokenised/digitised version of the payment card. That requires SCA pursuant to Article 97(1)(c) PSD2, as these processes may imply the risk of payment fraud or other abuses.

When it comes to the initiation of electronic payment transactions, this Q&A clarifies that the initiation of transactions with the digitised version of the payment card also requires the application of SCA under Article 97(1)(b) PSD2, unless one of the specific exemptions from the application of SCA set out in the Regulatory Technical Standards on strong customer authentication and common and secure open standards of communication (RTS on SCA&CSC) applies.

Q&A 6145 explains that unlocking a mobile phone with biometrics (e.g. a fingerprint) or with a PIN/password cannot be considered a valid SCA element for the purpose of adding a payment card to a digital wallet if the screen locking mechanism of the mobile device is not a process under the control of the issuer. 

Lastly, Q&A 6464 clarifies that the issuance of a new token, replacing a previously existing one, and binding it to a device/user is also subject to SCA.

The Q&As, overall, clarify that issuers may outsource the provision and verification of the elements of SCA to a third party such as a digital wallet provider, in compliance with the general requirements on outsourcing, including the requirements of the EBA Guidelines on outsourcing arrangements. However, the responsibility for compliance with the SCA requirements cannot be outsourced and issuers remain fully responsible for compliance with the requirements in PSD2 and the RTS on SCA&CSC.

Other financial regulatory publications

We have highlighted a selection of other publications by legislatures and regulators for the financial markets and financial supervision since our January 2023 News Update.  


  • Start of Market monitor 2023 (only in Dutch) to be completed by advisers and intermediaries. Mandatory completion applies
  • Order subject to a penalty (last onder dwangsom) (only in Dutch) imposed in 2020 for Monumentum Capital to provide essential information to investors or prospective investors in certain bonds (MC Bond 11 and Bond Brazil) following incorrect information in the 2017 annual accounts of its shareholder Monumentum Estate Fund
  • DNB

  • DNB's inventory on credit risk control (only in Dutch) was sent to investment firms and managers of investment funds on 17 February 2023
  • European Supervisory Authorities – ESAs

  • Draft joint guidelines on the ESA system for the exchange of information on fit and proper assessments of holders of qualifying holdings, directors and key function holders of financial institutions and financial market participants JC 2022 76). The consultation period ends 2 May 2023
  • EBA

  • EBA seeks input from credit institutions on green loans and mortgages via an industry survey
  • ESMA

  • Updated Q&As on the DLT Pilot Regime, the application of the UCITS Directive and the Prospectus Regulation
  • Consultation paper on the review of the methodology on stress test scenarios for Money Market Funds. The consultation period ends 28 April 2023
  • SMSG advice to ESMA on potential practical challenges regarding the implementation of the Digital Operational Resilience Act
  • ECB

  • Economic Bulletin Issue 1 2023, published on 16 February 2023
  • The results of the ECB Consumer Expectations survey
  • New climate-related statistical indicators to narrow climate data gap
  • ECB boosts cooperation with the six EU Member States not part of European banking supervision
  • ECB to stress test 99 euro area banks in 2023
  • The results of its Supervisory Review and Evaluation Process (SREP) for 2022
  • ECB sanctions Landesbank Hessen-Thüringen Girozentrale for misreporting capital needs

  • Supervisory statement to strengthen the supervision and monitoring of insurance undertakings’ and intermediaries’ activities when using governance arrangements in third countries
  • Report on insurers’ inclusion of adaptation measures to climate change in their non-life underwriting practices
  • Consultation paper on changes to the minimum amount of professional indemnity insurance cover and financial capacity intermediaries need under IDD. The consultation period ends 6 May 2023

    If you have any financial regulatory questions, please do not hesitate to contact Berry van Wijk, Juan Vervuurt, Gijs Hamelijnck and Lisanne Haarman. For questions related to Investment Management, you can also contact our colleagues Oscar van Angeren and Marthe Bollen.
  • Written by:
    Berry van Wijk

    Key Contact

    Advocaat | Partner

    Key Contact

    Advocaat | Counsel

    Key Contact

    Advocaat | Senior Associate
    Gijs Hamelijnck

    Key Contact

    Advocaat | Senior Associate