News Update Financial Regulatory
1 March 2023
In this News Update we discuss EIOPA's Supervisory Convergence Plan (2023), DNB's fine on Travelex for late reporting of unusual transactions, and EBA Q&As on strong customer authentication.
EIOPA | Supervisory Convergence Plan 2023
On 1 February 2023, the European Insurance and Occupational Pensions Authority (EIOPA) published its Supervisory Convergence Plan for 2023. The priorities for 2023 remain mainly the same as last year's, in view of the need to further develop some of the areas. New areas have also been identified, such as supervision of Environmental, Social and Governance (ESG) risks in the insurance and pensions sector and continuous work on supervisory convergence in light of digital transformation. The plan will continue to address the following three main priorities to enhance supervisory convergence:
1. Practical implementation of the key characteristics of the common supervisory culture and further development of supervisory tools
This priority includes topics such as the supervisory assessment of conduct risks, whereby EIOPA, for example, will launch a conduct risk assessment through a multi-country mystery shopping exercise, continue developing a conduct risks dashboard, and follow up other matters from the 2022 thematic review. Another topic is the supervisory approach to ESG risks. This covers aspects such as the monitoring of greenwashing and the use of EIOPA's Opinion on ESG risk scenarios in the Own Risk and Solvency Assessment (ORSA). It also addresses the analysis of consumers’ understanding of natural catastrophe insurance coverage, and the improvement of clarity on contractual terms and conditions.
A last example of a topic related to the first priority is the supervision of captives (i.e. wholly owned subsidiaries created to provide insurance to their parent companies). EIOPA will publish recommendations to National Competent Authorities (NCAs) on how to supervise some specificities of captive insurance and reinsurance undertakings, such as governance-related aspects of the outsourcing of key functions, the treatment of inter-company loans and cash pooling, and the prudent person principle.
2. Risks to the internal market and to the level playing field which may lead to supervisory arbitrage
This area contains mainly prudential topics, such as the calculation of technical provisions and studies and analyses on internal model outcomes and modelling methodologies. EIOPA and the other European Supervisory Authorities (ESAs) will set up a cross-sectoral system for information exchange in respect of 'fit and proper assessments', including the development of Joint Guidelines. See also the ESAs' 31 January 2023 consultation paper on this subject.
3. Supervision of emerging risks
This area consists of IT security and governance-related risks, including cyber risks, digital transformation, cyber underwriting and digital business model analysis.
DNB | Administrative fine for Travelex for late reporting of unusual transactions
In a Dutch-language press release, DNB has announced the imposition of an administrative fine of EUR 100,000 on Travelex N.V. (formerly known as Grenswisselkantoor) (Travelex) for failing to report unusual transactions in time. Travelex is a payment service provider and, as a result, an institution as referred to in the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme, Wwft). Article 16 of the Wwft provides that once an institution becomes aware of an unusual transaction, carried out or intended, the institution must report it to the Financial Intelligence Unit (FIU) without delay.
Article 16 Wwft
In practice, reporting without delay means in any event within 14 days, and so much earlier as actually possible after sufficiently careful internal consideration as to whether a transaction must be considered unusual. Establishing whether a transaction must be considered unusual is done using two categories of indicators: objective and subjective. These indicators are laid down in Annex 1 of the Implementation Decree of the Wwft (Uitvoeringsbesluit Wwft).
Objective indicators describe situations in which reporting is always required. One of the objective indicators is that payment service providers must report a money transfer for an amount of EUR 2,000 or more (or the equivalent in foreign currency) to the FIU, unless it is a money transfer by an institution that leaves the settlement of the money transfer in question to another institution that is also subject to the duty to report referred to in Article 16(1) Wwft.
EBA | Q&As clarifying strong customer authentication
On 31 January 2023 the European Banking Authority (EBA) published three new Q&As (Q&A 5622, Q&A 6145 and Q&A 6464) to clarify the application of strong customer authentication to digital wallets under the revised Payment Services Directive (PSD2). Strong customer authentication (SCA) is the process of authenticating the customer based on two of the following three criteria: something the customer knows, something the customer owns, and something the customer is.
Q&A 5622 refers to the enrolment of a payment card to a digital wallet, which, as EBA explains, results in the creation of a tokenised/digitised version of the payment card. That requires SCA pursuant to Article 97(1)(c) PSD2, as these processes may imply the risk of payment fraud or other abuses.
When it comes to the initiation of electronic payment transactions, this Q&A clarifies that the initiation of transactions with the digitised version of the payment card also requires the application of SCA under Article 97(1)(b) PSD2, unless one of the specific exemptions from the application of SCA set out in the Regulatory Technical Standards on strong customer authentication and common and secure open standards of communication (RTS on SCA&CSC) applies.
Q&A 6145 explains that unlocking a mobile phone with biometrics (e.g. a fingerprint) or with a PIN/password cannot be considered a valid SCA element for the purpose of adding a payment card to a digital wallet if the screen locking mechanism of the mobile device is not a process under the control of the issuer.
Lastly, Q&A 6464 clarifies that the issuance of a new token, replacing a previously existing one, and binding it to a device/user is also subject to SCA.
The Q&As, overall, clarify that issuers may outsource the provision and verification of the elements of SCA to a third party such as a digital wallet provider, in compliance with the general requirements on outsourcing, including the requirements of the EBA Guidelines on outsourcing arrangements. However, the responsibility for compliance with the SCA requirements cannot be outsourced and issuers remain fully responsible for compliance with the requirements in PSD2 and the RTS on SCA&CSC.
Other financial regulatory publications
We have highlighted a selection of other publications by legislatures and regulators for the financial markets and financial supervision since our January 2023 News Update.
European Supervisory Authorities – ESAs
If you have any financial regulatory questions, please do not hesitate to contact Berry van Wijk, Juan Vervuurt, Gijs Hamelijnck and Lisanne Haarman. For questions related to Investment Management, you can also contact our colleagues Oscar van Angeren and Marthe Bollen.