News Update Financial Regulatory

In this news update, we discuss: B.V. Suri-Change's licence irrevocably withdrawn by DNB; is your organisation DORA-ready? DNB's findings on DORA's implementation status; AFM outlook on the credit sector in 2035. We also highlight a few other financial regulatory publications issued since our last news update.

B.V. Suri-Change's licence irrevocably withdrawn by DNB

The Dutch Central Bank ("DNB") decided (in Dutch) on October 2023 to withdraw the two licences of B.V. Suri-Change ("SC"). DNB published this decision, together with the decision on objection (in Dutch) of 23 May 2024, on its website on 30 May 2025. As SC has withdrawn its appeal against the decision on objection, DNB's withdrawal decision from 2023 has become irrevocable. SC had held a licence as a money exchange institution within the meaning of the current Article 2:54j of the Financial Supervision Act (Wet op het financieel toezicht, or "FSA") since 2004 and a licence as a payment service provider within the meaning of Article 2:3b FSA since 2011. SC was authorised to perform the payment service 'money remittance' (service 6 in Annex 1 of the current Payment Services Directive 2 (Directive (EU) 2015/2366) ("PSD2")).

Bases for withdrawal

DNB based its decision on two independent bases for withdrawal: SC's non-compliance with its FSA obligations, as set out in Article 1:104(1)(d) FSA (basis 1) and the failure to fully inform DNB in good time about important developments regarding the licence conditions, as set out in Article 1:104(1)(n) FSA (basis 2).

Basis 1: Non-compliance with FSA obligations

At the end of March 2023, the police carried out a raid at SC's offices in Rotterdam due to criminal suspicions involving SC and the natural persons associated with SC. Shortly thereafter, both policymakers of SC resigned, and according to DNB, SC failed to appoint new directors in a timely manner (in breach of Article 3:15 FSA). As a result (among other factors), SC's business operations were seriously failing, and DNB found that SC was no longer able to ensure controlled business operations (in breach of Article 3:17 FSA). DNB did, among other things, not gain adequate insight into SC’s financial records, IT systems or capital position. Despite DNB's insistent requests, no relevant information was provided, including necessary capital planning. An audit report from July 2023, which was ultimately provided, stated that SC would likely be unable to meet its financial obligations within two months. In addition; the police raid, criminal suspicions, SC's office closures and negative media attention posed serious reputational risks. According to DNB, this has made it impossible for SC to ensure ethical business operations as referred to in Article 3:10(1)(b) and (d) FSA.

Basis 2: Failure to report important developments

In addition to the substantive operational shortcomings, DNB observed that SC failed to timely inform DNB of important developments directly related to maintaining the licence. This ground for withdrawal was specifically added to the FSA when PSD2 was implemented to reinforce the supervision of payment institutions (and electronic money institutions). Under this provision, DNB can withdraw a licence when relevant information affecting the assessment of the licence conditions is not provided. In the case of SC, this involved its failure to report – or its reporting only at DNB's request – the following matters:

• the objection filed against the closures of SC offices in various municipalities, about which correspondence had been exchanged with the police;
• additional criminal suspicions;
• the aforementioned audit report showing that the company was not financially viable; and
• information about the role of the arrested policymaker, who in fact remained operationally active.
  
  

The licence withdrawal on this basis underscores that transparency and active disclosure towards DNB are no inconsequential obligations, particularly for payment institutions (and electronic money institutions), but key conditions for maintaining access to the financial markets. For example, voluntarily reporting incidents in good time and providing an adequate explanation with those reports can prevent licence withdrawal on this basis.

Is your organisation DORA-ready? DNB's findings on DORA's implementation status

DNB published a news item (in Dutch) on 28 May 2025, with the results of its sector-wide survey about the progress made with the implementation of the Digital Operational Resilience Act (Regulation (EU) 2022/2554) ("DORA").

Key findings 

DNB lists the following key findings:

• As much as 65% of the institutions in the insurance and pension sectors has made more than 70% of the efforts necessary to achieve full DORA implementation. Around 5% of this group estimates that their efforts have reached 50%. The ICT processes or systems supporting critical functions are particularly closely examined to ensure DORA implementation on those functions as much as possible.
• Just over half (around 55%) of the reporting institutions expect that they will need another 6 to 12 months to achieve full DORA compliance, and around 15% anticipate that it will take more than 12 months.
• Strikingly, as much as 20% of the institutions indicated that their management board had not yet formerly weighed the risks ensuing from non-compliance with the DORA implementation. In that context, DNB emphasises the management board's explicit responsibility as set out in Article 5(2) DORA to oversee and assume responsibility for the performance of ICT risk management.
• Almost all institutions (close to 95%) told DNB that they had updated their outsourcing policies. However, only 34% had aligned their ICT contracts supporting critical or important functions with the DORA requirements.
  
  

DNB observes that much progress has been made since its last implementation measurement (in Dutch), but that implementation still requires constant attention and urgency.

AFM reports opportunities and risks of digitalisation of the lending market

The use of technology in the credit sector continues to grow, partly driven by rapid technological developments. In its report 'Technology towards 2035 – the future of lending and supervision', the Dutch Authority for the Financial Markets ("AFM") looks ahead at future developments in the credit sector (mortgage loans and consumer loans) through the lens of emerging technologies. The AFM presents a future scenario of what the credit sector may look like in 2035. This exercise aims to identify trends, opportunities, risks and dilemmas that the credit sector and the AFM may face. The AFM has published the report to draw attention to these developments and initiate discussions with the sector and other stakeholders, such as the legislature.

The AFM bases this outlook on three technology trends: continuous increase in available data, the development and use of data analysis, and AI. The AFM foresees that credit application processes will become increasingly digitalised and interactive, with lenders moving towards 'one click away' lending. Digital identification wallets and source data from providers such as employee insurance agency UWV and the tax authorities can play a role here. New regulations such as PSD3 and FIDA will increase the availability of financial client data.

The use of current account information to perform model-based creditworthiness analyses based on payment transaction data can play a role in automating credit checks. Credit products can also be further personalised or priced in the future based on available information about the borrower's situation. AI can start to play a more prominent role in credit advice. Finally, the use of embedded lending – credit that is integrated into non-financial products or services – will increase as a result of technological developments.

Increasing digitalisation and 'one click away' lending or 'instant credit', in which consumer credit can be provided almost real-time and mortgage loans within a few days, can lower the threshold for consumers to apply for credit. On the one hand, this increases ease of use. On the other, it can cause consumers to become accustomed to debt, encourage them to make impulse purchases and cause them to accumulate debt. Additionally, further digitalisation can increase the risk of fraud. Data-driven credit assessments can also lead to the exclusion of customers with a different risk profile. Another risk is that people who are less digitally savvy will be excluded, or that users of non-digital application channels will receive less favourable rates. Fragmentation of value chains, new types of providers and international providers hinder adequate supervision, which can create behavioural and operational risks.

Other financial regulatory publications

We have highlighted a selection of other publications that are relevant for the financial markets and financial supervision.

AFM

• On 16 May 2025, the AFM published an article (in Dutch) about its pension sector analysis, Sector in focus – Pensions 2025 (Sector in beeld Pensioenen 2025, publication in Dutch), with recommendations for pension providers, also in light of changes due to the new pension system.
• On 20 May 2025, the AFM published a press release about its annual Financial Stability Report. The report concludes that the current geopolitical environment poses a risk to financial stability. The AFM sees further risks to financial stability in the areas of cybersecurity, AI, liquidity and the housing market.
• On 3 June 2025, the AFM published its report (in Dutch) 'Gen Z financial choices in a changing world ('Gen Z financiële keuzes in een veranderende wereld'). This publication aims to initiate discussions between financial companies, policymakers and supervisory authorities about how Gen Z (the generation born between 1997 and 2010) can be better supported in making sensible financial choices and discusses the specific challenges facing this generation.
  
  

DNB

• On 6 May 2025, DNB published a press release (in Dutch) about the geopolitical tensions observed by the Financial Stability Committee (FSC) and the growing uncertainty and financial-economic fragmentation these entail. These developments increase financial stability risks. The report of the FSC's consultations is available here (in Dutch).
• On 16 May 2025, DNB published a news item (in Dutch) reporting that third-party payments in which the transaction's true origin and beneficiary remain concealed continue to be a key element of DNB's integrity supervision. In this context, a knowledge event took place between the Financial Intelligence Unit – the Netherlands (FIU), the Fiscal Intelligence and Investigation Service (FIOD), the AFM and the Financial Supervision Office (BFT).
• On 20 May 2025, DNB issued an instruction to trust office IQ EQ Netherlands NV for failing to carry out sufficient customer due diligence and keeping sufficient records in that regard (as included in Chapters 4 and 5 of the Trust Offices (Supervision) Act 2018 (Wet toezicht trustkantoren 2018)).
  
  

ESMA

• On 2 May 2025, the European Securities and Markets Authority ("ESMA") published a consultation paper on the draft Regulatory Technical Standards (RTS) under the ESG Rating Regulation (Regulation (EU) 2024/3005). The draft RTS cover various aspects that apply to ESG rating providers. The consultation will be open until 20 June 2025, and ESMA expects to publish the final report and submit the proposal to the European Commission in October 2025.
• On 7 May 2025, ESMA published its advice to the European Commission about the goals stated in the Listing Act (Regulation (EU) 2024/2809). ESMA advises on the delegated acts to be adopted and amended in relation to the Market Abuse Regulation (Regulation (EU) 596/2014) and the Markets in Financial Instruments Directive 2 (Directive 2014/65) ("MiFID II"). The European Commission will adopt the delegated acts for which the advice was requested by July 2026.
• On 21 May 2025, ESMA launched a Call for Evidence under MiFID II to better understand how retail investors engage with investment services, and whether certain barriers may be discouraging their participation in capital markets. Input can be submitted until 21 July 2025.
• On 28 May 2025, ESMA stated in an article that it had written to ten social media platforms, including X, Meta (parent company of inter alia Instagram and Facebook), TikTok and Google (parent company of inter alia YouTube) encouraging them to take proactive steps to prevent the promotion of unauthorised financial services. This approach by ESMA complements an initiative launched by the International Organization of Securities Commissions, which dealt with financial losses resulting from online harm. To illustrate, the letter sent to Google is available here.
  
  

EIOPA

• On 15 May 2025, the European Insurance and Occupational Pensions Authority ("EIOPA") published a news item about its launch of a survey to assess the adoption of generative AI solutions across the EU's insurance sector. Input can be submitted until 15 July 2025.
  
  

EBA

• On 22 May 2025, the European Banking Authority ("EBA") published an onboarding plan for large and other institutions, as part of the new Banking Package (Credit Requirements Regulation 3 (Regulation (EU) 2024/1623) ("CRR3") and the Credit Requirements Directive 6 (Directive (EU) 2024/1619)). The plan sets out the steps required for accessing and submitting information to the new Pillar 3 Data Hub ("P3DH") – the EBA's centralised platform for public disclosures under CRR3.
• On 28 May 2025, the EBA published a news item about its release of the final technical package for version 4.1 of its reporting framework. This package will support the assessment and identification of significant crypto asset providers. It will also support the centralisation of institutions' prudential disclosures (Pillar 3 information) in the EBA P3DH. This new reporting framework will apply as of the second half of 2025.
  
  

Council of the European Union

• On 7 May 2025, the Council of the European Union issued a press release about the agreement on a shorter settlement period for securities in European Union Member States. The goal is to shorten the settlement cycle on securities trades, such as transactions in shares or bonds, executed on EU trading platforms from two business days (the so-called "T+2") to one business day after the trade date ("T+1"). The new settlement period will improve alignment between EU and global financial markets and maintain the competitiveness of EU capital markets.