EBA report on its mystery shopping exercise into personal loans and payment accounts

News Update Financial Regulatory

2 October 2023

In this News Update we discuss a European Banking Authority (EBA) report on its large pan-EU mystery shopping exercise, focusing on consumer credit and payment accounts; a consultation by the European Insurance and Occupational Pensions Authority (EIOPA) on open insurance, focusing on the benefits of an insurance dashboard use case; and the responses of the ESAs' Joint Stakeholder Group to draft technical standards under the Digital Operational Resilience Act.

We further highlight some other financial regulatory publications issued since our last News Update.



On 24 July 2023, the EBA published a report on its mystery shopping exercise into personal loans and payment accounts. The exercise confirms that mystery shopping allows national competent authorities to obtain greater insight into the conduct of financial institutions. This in turn allows them to take corrective actions to better comply with applicable requirements, thus eventually enhancing consumer protection.


'Mystery shopping' as defined in the report is a fact-finding approach used by supervisory authorities to better understand the conduct of financial institutions towards consumers. It involves using specially trained individuals ('mystery shoppers') to interact with financial institutions and report back on their experiences. It is a useful tool for supervisory authorities to fulfil their supervisory and/or subsequent enforcement objectives. Five national competent authorities took part in the mystery shopping exercise as direct participants or observers. The exercise included 37 financial institutions across the participating Member States and 340 mystery visits.


The mystery shopping exercise revealed that the conduct of some financial institutions is inadequate and needs to improve. A few financial institutions fell short in their obligation to provide pre-contractual information such as the Standardised European Consumer Credit Information (SECCI) provided for by the EU Consumer Credit Directive. Some financial institutions provided noticeably less information than others, and product-specific information was rarely made available via online chat. Some financial institutions also demonstrated poor handling of their information facilities when information on opening a payment account was requested, with electronic money institutions failing to provide mystery shoppers with mandatory information on the requisite personal data in more than half of the online visits made. Furthermore, although required, the majority of the mystery shoppers did not receive the fee information document (FID) either during onsite visits or online. Pursuant to the Payment Accounts Directive (Directive (EU) 2014/92), electronic money institutions need to provide customers with a FID as pre-contractual information, informing them of the services offered and the corresponding fees.


The report highlights the shortcomings of several financial institutions in complying with their obligations to provide pre-contractual information. Based on these findings, the national competent authorities can consider taking a number of actions. An important first step is to communicate with financial institutions about the lack of information provided to consumers when using digital channels in specific jurisdictions and to highlight the importance of adopting a consistent approach to the provision of pre-contractual information. Other actions could include proposing guidance to financial institutions, if needed, to encourage them to provide pre-contractual information.


On 24 July, as a follow-up to its 2021 initial discussion paper on open insurance, EIOPA published a Discussion Paper on a specific open insurance use case. EIOPA expects the focus on a use case to aid its ongoing exploration of open insurance by generating new insights into the possible consumer and industry benefits, as well as into the risks involved.

Open insurance is a regulatory concept that enables the standardised exchange of customer data between different financial product and service providers, including insurers and intermediaries. The use case selected – examining the key features of an insurance dashboard – is intended as a theoretical but concrete example of open insurance, giving the supervisory community and market participants a better understanding of open insurance and related issues. The aim is to facilitate discussions by providing technical input and a forum for debate. The insights gathered during this consultation will help shape supervisory views on open insurance in order to enhance consumer protection and promote sound innovation in the insurance sector.

The Discussion Paper describes an insurance dashboard which could provide consumers with a single overview of all their insurance policies and could serve as a basis to compare products from other insurers or identify gaps or overlaps in coverage. The use case is limited to motor insurance and household insurance and is restricted to the national level. Alongside identifying the risks and benefits, the Discussion Paper explores how such a dashboard could work and identifies and describes the technological and supervisory challenges involved in structuring it, including data flows, data storage, data standardisation/interoperability, data protection and ethical considerations.

Stakeholders are encouraged to participate in the consultation and provide their feedback by 24 October 2023 by responding to the questions presented in the Discussion Paper via the EU Survey Platform.


Under the EU Digital Operational Resilience Act (DORA), the European Supervisory Authorities (EBA, EIOPA and ESMA, together the ESAs) are jointly mandated to develop 13 policy instruments in two batches. These technical standards aim to ensure a consistent and harmonised legal framework in the areas of ICT risk management, major ICT-related incident reporting and ICT third-party risk management.

On 19 June 2023, the ESAs launched a public consultation on the first batch of policy products under DORA (Original ESAs Consultation Documents). The consultation ran until 11 September 2023. The ESAs aim to submit the final drafts of these delegated regulations to the European Commission by 24 January 2024.

As part of the consultation process, the ESAs' Joint Stakeholder Group recently published its targeted responses to the four ESAs' consultation documents. The Joint Stakeholder Group is composed of members of the individual stakeholder groups of EBA, EIOPA and ESMA, and consists of experts from academia, financial institutions and consumer organisations. The Joint Stakeholder Group advised the ESAs on the following draft technical standards:

  • Joint consultation response on draft Regulatory Technical Standards (RTS) on ICT risk management framework and simplified ICT risk management under DORA;
  • Joint consultation response on RTS to specify the policy on ICT services performed by ICT third-party service providers under DORA;
  • Joint consultation response on RTS to specify the criteria for the classification of ICT-related incidents, materiality thresholds for major incidents and significant cyber threats under DORA; and
  • Joint consultation response on Implementing Technical Standards (ITS) to establish the templates for the register of information regarding the use of ICT services under DORA.

These consultation responses contain valuable guidance on the possible impact and scope of the technical standards being developed by the ESAs, and therefore on the scope of DORA. Given the short timelines for compliance with DORA, financial institutions in the scope of DORA will need all the guidance available to prepare and implement DORA, while bearing in mind that final delegated legislation will only become available shortly before the final compliance date.

DORA entered into force on 16 January 2023 and will apply from 17 January 2025. It aims to enhance the digital operational resilience of entities across the EU financial sector and to further harmonise key digital operational resilience requirements for all EU financial entities. This regulatory framework covers key areas such as ICT risk management, ICT-related incident management and reporting, digital operational resilience testing and the management of ICT third-party risk.


The number of ESA documents published in the run-up to the application of DORA is increasing. A Special News Update highlighting the latest developments will follow shortly.

  • On 19 September, the ESAs published a report on the landscape of ICT third-party providers in the EU as part of their preparations for the Digital Operational Resilience Act. The analysis, based on a sample of 1,600 EU financial entities, was conducted in 2022. It aims to map the provision of ICT services by ICT third-party providers to financial entities in the European Union and to support the ESAs' policy-making process in light of the European Commission's call for advice to further specify the criteria for critical ICT third-party providers. The ESAs identified around 15,000 ICT third-party providers directly serving financial sector entities across the EU. The most used ICT third-party providers directly support many critical or important functions of financial institutions, and the IT services they provide are frequently non-substitutable.
  • On 29 September 2023, the ESAs published Technical Advice specifying the quantitative and qualitative indicators to determine the criticality of ICT third-party service providers, as well as the criteria for oversight fees, which will be calculated on the basis of specific elements of the turnover of these ICT third-party service providers.


Other financial regulatory publications

We have highlighted a selection of other publications by legislatures and regulators for the financial markets and financial supervision since our July 2023 News Update.


  • The Dutch Central Bank's (DNB) consultation on a Good Practice on managing inflation risks ran from the end of July through mid-September 2023 (in Dutch only).
  • DNB imposed an instruction on de Volksbank for failing to comply with its obligation to identify, analyse and assess its money laundering and terrorist financing risks pursuant to the Dutch Act on the Prevention of Money Laundering and Terrorism Financing (Wet ter voorkoming van witwassen en financieren van terrorisme, Wwft).
  • Following an instruction imposed on CCV Group BV in 2019 for non-compliance with certain provisions of the Wwft, DNB announced on 6 September 2023 that CCV had complied with the instruction.
  • DNB is to launch a new application for Solvency II insurers in MY DNB: Dataloop.
  • DNB fined trust office CIS Management BV for not meeting the customer due diligence legal requirements pursuant to the Wwft; the amount of the fine was EUR 156,25.
  • DNB fined Hanzevast capital N.V. (news item in Dutch only) for failing to submit the legally required report on time; the filing deadline was exceeded by 6 days. Hanzevast appealed to the Court of Rotterdam, which upheld the appeal for exceeding the reasonable time limit and reduced the fine from EUR 13,750 to EUR 11,000.
  • DNB expects electronic money and payment institutions to understand and adequately manage all intra-group relationships. Good practices have been developed to provide insight into the requirements arising from laws and regulations on this subject and DNB's expectations in this regard. A consultation on these good practices started on 18 September 2023 and will end on 17 November 2023 (in Dutch only).
  • DNB fined trust office Athos Business Services for carrying out trust services without sufficient customer due diligence pursuant to the Act on the Supervision of Trust Offices 2018 (Wet toezicht trustkantoren 2018 – Wtt 2018); the amount of the fine was EUR 10,000.


  • The European Central Bank (ECB) recently imposed an administrative fine of EUR 4.47 million on de Volksbank after the bank miscalculated its risk-weighted assets for exposures to regional governments outside the EU. For 29 consecutive quarters from 2014 to 2021, the bank calculated lower risk-weighted assets for these exposures than it should have done.


  • The Joint Committee of the ESAs published a report on risks and vulnerabilities in the EU financial system. The report underlines the continued high economic uncertainty faced by national competent authorities, financial institutions and market participants, and urges them to take policy actions, including closely monitoring asset quality, loan loss provisioning, the impact of inflation risk and the impact of strong increases in policy interest rates.


Ministry of Finance

  • The Ministry of Finance published answers to parliamentary questions relating to a loss of EUR 5 million by investors investing on a platform after promotion by finfluencers (in Dutch only).
  • Consultation on Financial Markets (Amendment) Decree 2024 (in Dutch only). The amendments include an obligation for non-life insurers with registered offices in the Netherlands to have procedures and measures in place to ensure compliance with deadlines when handling personal injury claims as well as further regulations for financial firms to take measures to protect the legitimate interests of customers in the event of blocking or suspending payment transactions.

European Commission

  • Commission Delegated Regulation (EU) 2023/1651 containing regulatory technical standards (RTS) for the specific liquidity measurement of investment firms was published in the Official Journal of the European Union on 23 August 2023. The RTS entered into force on 12 September 2023.

If you have any financial regulatory questions, please do not hesitate to contact Berry van Wijk, Juan Vervuurt, Gijs Hamelijnck or Lisanne Haarman.

Written by:
Berry van Wijk
