On January 16 2024, the European Banking Authority (EBA) published the amended money laundering/terrorist financing (ML/TF) risk factors to crypto-asset service providers (CASPs).

These Guidelines amend the EBA’s revised ML/TF Risk-Factors Guidelines (EBA/GL/2021/02). They foster a common understanding of ML/TF risks associated with CASPs and the steps CASPs and other credit and financial institutions should take to manage these risks.

The amending Guidelines:

• Insert risk factors in Title I of the Guidelines that are specific to crypto-assets and CASPs.
• Provide guidance in Title II for credit and financial institutions on the ML/TF risks associated with customers that are providing crypto-assets services, but which are not authorised or regulated in accordance with Regulation (EU) 2023/1114 on markets in crypto-assets and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937.
• Provide sector-specific guidance for CASPs in Title II of the ML/TF Risk Factors Guidelines (Guideline 21) on the factors that CASPs should consider when assessing ML/TF risks associated with their business relationships. In addition to ML/TF risk factors set out in Title I of the Guidelines, CASPs should also consider risks associated with transactions, the nature of customers and their behaviour,  and the customers’ or beneficial owners’ links to high-risk jurisdictions or transactions to/from jurisdictions associated with a high risk of ML/TF.
• In Title II, provide guidance on mitigating measures CASPs should apply in situations where the ML/TF risk is increased, including the circumstances which may warrant the use of advanced analytics tools as part of monitoring of business relationships and in lower ML/TF risk situations, to the extent that this is permitted by national law.

The Guidelines will be translated into the official EU languages and published on the EBA’s website. The deadline for competent authorities to report whether they comply with the Guidelines will be 2 months after the publication of the translations. The Guidelines will apply from December 30 2024.

On January 18 2024, the Council of the European Union published a press release on reaching a provisional agreement with the European Parliament on parts of the anti-money laundering (AML) package.

The package aims to protect EU citizens and the EU's financial system against money laundering and terrorist financing.

With the new package, all rules applying to the private sector will be transferred to a new regulation, while the directive will deal with the organisation of institutional AML/CFT systems at national level in the member states.

The agreement on the directive will improve the organisation of national anti-money laundering systems.

The provisional agreement expands the list of obliged entities to new bodies. The new rules will cover most of the crypto sector, forcing all crypto-asset service providers (CASPs) to conduct due diligence on their customers. This means that they will have to verify facts and information about their customers, as well as report suspicious activity.

Other sectors concerned by customer due diligence and reporting obligations will be traders of luxury goods such as precious metals, precious stones, jewellers, horologists and goldsmiths. Traders of luxury cars, airplanes and yachts as well as cultural goods (like artworks) will also become obliged entities.

The provisional agreement recognises that the football sector represents a high risk and expands the list of obliged entities to professional football clubs and agents. However, as the sector and its risk is subject to wide variations, member states will have the flexibility to remove them from the list if they represent a low risk. The rules after a longer transition period, kicking in 5 years after entry into force, as opposed to 3 years for the other obliged entities.

The Council and Parliament also introduced specific enhanced due diligence measures for cross-border correspondent relationships for crypto-asset service providers. The Council and Parliament agreed that credit and financial institutions will undertake enhanced due diligence measures when business relationships with very wealthy (high net-worth) individuals involve the handling of a large amount of assets. The failure to do so will be considered an aggravating factor in the sanctioning regime.

The provisional agreement makes the rules on beneficial ownership more harmonised and transparent. The agreement clarifies that beneficial ownership is based on two components – ownership and control – which both need to be analysed to identify all the beneficial owners of that legal entity or across types of entities, including non-EU entities when they do business in the EU or purchase real estate in the EU. The agreement sets the beneficial ownership threshold at 25%.

Obliged entities will be required to apply enhanced due diligence measures to occasional transactions and business relationships involving high-risk third countries whose shortcomings in their national anti-money laundering and counter-terrorism regimes make them represent a threat to the integrity of the EU’s internal market.

According to the provisional agreement the information submitted to the central register will need to be verified. Entities or arrangements that are associated with persons or entities subject to targeted financial sanctions will need to be flagged.

Each member state has already established financial intelligence unit (FIU) to prevent, report and combat money laundering and terrorist financing. These FIUs are responsible for receiving and analysing information relevant to money laundering and terrorist financing, notably in the form of reports from obliged entities.

According to the agreement, FIUs will have immediate and direct access to financial, administrative and law enforcement information, including tax information, information on funds and other assets frozen pursuant to targeted financial sanctions, information on transfers of funds and crypto-transfers, national motor vehicles, aircraft and watercraft registers, customs data, and national weapons and arms registers, among others.

According to the agreement, each member state will ensure that all obliged entities established in its territory are subject to adequate and effective supervision by one or more supervisors. Supervisors will apply a risk-based approach.

Supervisors will report to the FIUs instances of suspicions. Similar to provisions in the AMLA regulation, new supervisory measures for the non-financial sector, so-called supervisory colleges, are introduced. AMLA will develop draft regulatory technical standards defining the general conditions that enable the proper functioning of AML/CFT supervisory colleges.

The texts will be finalised and presented to member states’ representatives in the Committee of permanent representatives and the European Parliament for approval. If approved, the Council and the Parliament will have to formally adopt the texts before they are published in the EU’s Official Journal and enter into force.

On January 15 2024, the European Money Markets Institute (EMMI) announced changes to the Efterm methodology.

The EMMI has concluded its first annual review of the Efterm Methodology. The changes only affect level 3 of Efterm waterfall methodology and intend to mitigate month-end effect of future prices, use European Central Bank (ECB) key policy announcements as a guide to interest rates trajectory, and align the level 3 calculation to the underlying market spot starting convention.

The existing Efterm methodology operates across three levels:

• Level 1 €STR-based OIS tradeable bid and offer prices.
• Level 2 involves €STR-based OIS dealer-to-client bid and offer prices.
• Level 3 utilizes a step function model with €STR-linked futures' settlement prices, €STR rates, and the ECB reserve maintenance periods calendar.

To ensure that Efterm rates are representative of the underlying market, EMMI, together with the Calculation Agent, conduct daily surveillance checks on Efterm rates. The checks detected small discrepancies in the Efterm level 3 rates when compared to the published rates calculated using level 2 of the waterfall methodology in shorter term tenors.

The intent behind the suggested changes to the methodology is to harmonize the Efterm rates computed with both levels of the methodology, thereby guaranteeing that the benchmark accurately reflects the underlying market independently of the level used for publication.

Consequently, the proposed changes solely focus on fortifying the robustness of level 3 of the methodology, with no changes to the first two levels.

Enhancements for level 3 of the methodology are as follows:

• Enhancement 1: Not using Futures at the end of the month.
• Enhancement 2: Using ECB rate changes in preference to Futures rates, once they have been announced.
• Enhancement 3: Spot Starting Convention.

EMMI's Benchmark Consultation Policy guides the evaluation of material changes. The Efterm oversight committee concluded that the proposed enhancements do not constitute a material change to the Efterm methodology.

The proposed enhancements are meant to improve Efterm’s robustness and reliability. This evaluation also ensures Efterm accurately represents the market's economic reality and avoids contributing to artificial volatility.

The methodology changes are effective from January 25 2024.

On January 31 2024, the European Commission published an Implementing Regulation on the adoption of a European Common Criteria-based cybersecurity certification scheme.

This Regulation specifies the roles, rules and obligations, as well as the structure of the European Common Criteria-based cybersecurity certification scheme in accordance with the European cybersecurity certification framework set out in Regulation (EU) 2019/881.

The European Common Criteria-based cybersecurity certification scheme (EUCC) builds on the Mutual Recognition Agreement (MRA) of Information Technology Security Certificates of the Senior Officials Group Information Systems Security (SOG-IS) using the Common Criteria, including the group’s procedures and documents. 

The European Cybersecurity Certification Group will play an important role in the maintenance of the scheme. It should, inter alia, be carried out through cooperation with the private sector, the creation of specialised subgroups and relevant preparatory work and assistance requested by the Commission. 

On January 15 2024, the European Commission published a report on the first review of the functioning of the adequacy decisions adopted pursuant to Data Protection Directive (DPD) allowing EU personal data flows to continue with 11 third countries and territories.

The report contains the findings of the Commission on the first review of the adequacy decisions that were adopted on the basis of Article 25(6) of Directive 95/46.

In these decisions, the Commission determined that eleven countries or territories ensure an adequate level of protection for personal data transferred from the European Union (EU): Andorra, Argentina, Canada (for commercial operators), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay. As a result, data transfers from the EU to these countries or territories can take place without additional requirements.

With the entry into application of Regulation (EU) 2016/67914 (GDPR) on May 25 2018, the adequacy decisions adopted under the Data Protection Directive remained in force. At the same time, the GDPR has clarified that adequacy findings are ‘living instruments’, stipulating that the Commission must, on an ongoing basis, monitor developments in third countries that could affect the functioning of existing adequacy decisions. In addition, Article 97 of the GDPR requires the Commission to periodically review these decisions, every four years, in order to determine whether the countries and territories that received an adequacy finding continue to provide an adequate level of protection for personal data.

This first review of the adequacy decisions adopted under the former EU data protection framework was initiated as part of a broader evaluation of the application and functioning of the GDPR on which the Commission presented its findings in its “Communication on Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation”. However, the conclusion of this aspect of the review was postponed in order the take into account the judgment of the Court of Justice in the Schrems II case, in which the Court provided important clarifications on key elements of the adequacy standard, as well as other related developments. In turn, this led to detailed exchanges with the countries and territories concerned on relevant aspects of their legal framework, oversight mechanisms and enforcement system. The present report takes full account of all these developments, both in the EU and the third countries and territories concerned.

The adequacy decisions that are subject to this review have been adopted under the EU data protection framework that preceded the GDPR. While the most recent decisions date back about a decade (e.g., the decisions on New Zealand and Uruguay, both adopted in 2012), others have been in force for more than twenty years (e.g., Canada, adopted in 2001, and Switzerland, adopted in 2000). Since then, the data protection frameworks in all eleven countries and territories have evolved, for instance through legislative or regulatory reforms, developments in the enforcement practice of data protection authorities or case law.

In carrying out its evaluation, the Commission has focused on developments in the data protection frameworks of the relevant countries and territories that took place since the adoption of the adequacy decision. It has assessed how these developments have further shaped the data protection landscape of the relevant country or territory, and whether, considering these developments, the various regimes continue to ensure an adequate level of protection.

The first review has demonstrated that since the adoption of the adequacy decisions, the data protection frameworks in place in each of the eleven countries or territories have further converged with the framework of the EU. Moreover, in the area of government access to personal data, the first review has shown that the law of these countries or territories imposes appropriate safeguards and limitations and provides oversight and redress mechanisms in this area.

On January 29 2024, the European Data Protection Board (EDPB) launched a website auditing tool.

The tool was developed in the context of the EDPB Support Pool of Experts (SPE) and can be used by both legal and technical auditors at data protection authorities (DPAs), as well as by controllers and processors who wish to test their own websites.

The new tool allows preparing, carrying out and evaluating audits directly in the tool by a simple visit to the website in question. The tool is also compatible with other tools, such as the EDPS website evidence collector, and allows auditors to import and evaluate the results of audits carried out on those tools. Finally, the tool can generate reports.

On January 31 2024, the European Securities and Markets Authority (ESMA) published another report on trends, risks, and vulnerabilities.

Markets in ESMA’s remit have remained remarkably resilient in 2023, despite the confluence of risks that prevailed throughout the year. Overall, risks remain at high or very high levels. Going forward, markets are set to remain very sensitive, especially to the market impact of higher-for-longer interest rates, the macro-financial outlook, and geopolitical and peripheral risks. There is a high risk of corrections in a context of fragile market liquidity in equity, bond and crypto markets, with special concern relating to real estate exposures. Inflation has declined but continues to weigh on investors’ real returns.

The key risk drivers are as follows:

• Higher-for-longer interest rates: The sharp change in the interest-rate environment conditions financial stability and investor outcomes. Refinancing costs have risen sharply, and are set to weigh particularly on corporates with debt maturing in 2024 and 2025. Credit ratings have seen first downgrades. Deteriorating credit quality is ultimately set to affect the performance of investor portfolios.
• Geopolitical and peripheral risks: The confluence of external risks continues to dampen the economic and market environment. As uncertainty and fragile liquidity are limiting the resilience of the financial system, external shocks should be expected to translate into high price volatility.
• Real-estate valuations: Commercial and residential real estate have been hit particularly hard by recent interest-rate developments. The downturn is feeding into financial markets and investors through lower equity and debt pricing of real estate firms, rating downgrades, and declining real-estate fund valuations and liquidity risks. Derivatives and repo exposures are limited but concentrated.
• Greenwashing: Greenwashing and related malpractices risk undermining the credibility of green finance. With the first outflows from ESG funds in 2023, future incidences, unless prevented effectively, may undermine investor confidence.
• Social media driven investments: Investors, especially less sophisticated ones with limited knowledge or resources, are at risk of receiving false or misleading information through social media. As finance-related postings expand, investors not verifying the reliability and quality of information may incur losses.

On January 10 2024, the European Securities and Markets Authority (ESMA) published an analysis of exposures of EU securities and markets and asset management sector have to real estate.

The analysis suggests that: 

• Debt levels in the real estate sector are elevated with wider risk implications from non-bank financial market players. 
• Interlinkages with the banking system are important and arise through entity exposures and activities. Through these, sector shocks may get transmitted across the EU financial system.

Going forward, interest rate risk can be expected to continue to shape real estate market exposures. Credit risk indicators for real estate companies have started to show signs of deterioration and liquidity mismatches remain a key vulnerability for real estate investment funds. 

In the study, ESMA provides details of the evolution of this sector over the past five years. In particular: 

• There has been a broad-based valuation decline of the main equity and bond real estate indices. Valuation declines were also observed for listed real estate firms and real estate investment trusts along with increased trading activity and securities lending activity for these market participants. Real estate-related securities are also found to be used as collateral. 
• Leverage of real estate firms increased significantly over the past five years.
• Next to credit institutions, investment funds are important investors in the real estate sector. They also belong to the main counterparties of some real estate firms in derivatives and securities financing transactions.

On January 30 2024, the European Securities and Markets Authority (ESMA) published a market report on the European Union Alternative Investment Funds (AIFs) 2023.

The size of the EU AIF universe declined slightly to EUR 6.8trn in net asset value (NAV) in 2022 (-3% compared with 2021). Overall, AIFs accounted for around 36% of the NAV of the EU fund industry at the end of 2022. Among AIF types, Funds of Funds (FoFs) account for 17% of the NAV, followed by Real Estate (RE) funds (16%), Private Equity (PE) funds (11%) and Hedge Funds (HFs) (2%). At the aggregate level, adjusted leverage declined to 123% of the NAV (compared with 127% in 2021).

• Funds of funds: The NAV of FoFs remained stable at EUR 1.1trn (+0.6%). FoFs primarily invested in other funds (82% exposures), with limited exposures to derivatives. Leverage stayed low while liquidity mismatch remains significant: around 46% of the NAV can be redeemed within a week while only 35% of the portfolio can be liquidated within that time frame.
• Real estate funds: The NAV of RE funds increased by 12% to EUR 1.1tn. Regional concentration in the RE fund sector remains high, with the top-five countries of domicile accounting for 90% of the NAV. Commercial real estate (CRE) funds make up 58% of the NAV. Leverage remained stable at 133%. Liquidity mismatch remains a key risk: around 21% of open-ended RE funds (in terms of NAV) offer daily redemptions to investors. 
• Hedge funds: HF assets increased slightly to EUR 113bn (+4%), with most HFs domiciled in two EU Member States. Exposures relate mainly to derivatives (EUR 235bn). Leverage remains high, albeit declining, at 265% of the NAV, with some HF strategies such as relative value or macro exhibiting leverage above 600% of the NAV.
• Private equity funds: The NAV of PE funds surged by 25% to EUR 725bn, primarily exposed to unlisted equities (EUR 509bn, 67% of gross exposures). Liquidity risk remains low as PE funds are mainly closed-ended (96% of the NAV).
• Other AIFs: The NAV of other AIFs declined significantly by 13% to EUR 3.5tn. The fall reflects adverse bond and equity market developments. Adjusted leverage remained contained at aggregate level at 124% of the NAV, with moderate and varying liquidity risks.
• Non-EU AIFs: Non-EU funds marketed under the National Private Placement Regime (NPPR) remained stable at around EUR 1.9tn, mainly domiciled in the United States (US) (67% of the NAV) and off-shore domiciles (24%). The segment consists of other AIFs (68% of the NAV, mainly exchange-traded funds investing in equities), HFs (16%) with very large derivatives exposures (EUR 4.6tn) and high leverage (600% of the NAV), and PE funds (11%).

On January 30 2024, the European Securities and Markets Authority (ESMA) published an article on assessing risks posed by leveraged Alternative Investment Funds (AIFs) in the EU.

Article 25 of the EU’s alternative investment fund managers directive (AIFMD) states that national competent authorities (NCAs) will assess the risks that the use of leverage by an alternative investment funds manager (AIFM) could entail. Where necessary, NCAs can address the risks identified by imposing limits to the level of leverage that an AIFM is entitled to employ or other restrictions on the management of the AIF. ESMA’s Guidelines on Article 25 of the AIFMD issued in 2020 operationalise this framework by setting out a common approach to identify and assess funds posing leverage-related risks. As a macroprudential framework, the Guidelines put the emphasis on the risks posed by groups of AIFs of the same type and similar risk profiles that may collectively present a risk to financial stability.

This article contributes to ESMA’s financial stability objective by presenting the AIFMD Art. 25 framework and the results of the risk assessment performed by ESMA and NCAs in 2023, based on the end of 2022 AIFMD data. One focus of the 2023 risk assessment are the risks posed by real estate (RE) funds. It finds that RE funds pose low risks on an individual basis, due to their limited use of leverage or size in most jurisdictions, but could be more systemically relevant in jurisdictions where groups of funds own a large share of the RE market on aggregate. This is the case in Ireland where the Central Bank of Ireland (CBI) imposed leverage limits for those funds.

NCAs have also reported risks posed in one ancillary fund category, the “other” funds which is by far the largest category in the sample. This is especially the case for liability-driven investment (LDI) funds, which gain leveraged exposures to the UK government bond market. Following the severe stress experienced by LDI funds in September 2022, authorities in Luxembourg and Ireland communicated on the suitable levels of resilience (i.e. the increase in yields that a fund can withstand before its NAV turns negative) those funds should maintain. They also implemented additional data collection on LDI funds to monitor them on an enhanced basis. As potential risks have remained elevated, NCAs are consulting on maintaining such resilience requirements under Article 25 AIFMD.

Overall, the ESMA finds that the implementation of the ESMA Guidelines, as reflected by the risk assessment reported, is improving the monitoring of the EU AIF sector. At the national level, NCAs generally managed to overcome existing AIFMD data gaps by using additional data sources and other information from fund managers to have an accurate view of the risk in their jurisdiction. This article complements ESMA’s monitoring framework on AIFs, including the AIF market report that reports annually on market development and key risk metrics, such as leverage and liquidity.

On January 8 2024, the European Securities and Markets Authority (ESMA) updated its manual on post-trade transparency under Markets in Financial Instruments Directive/Markets in Financial Instruments Regulation (MiFID II/MiFIR).

ESMA publishes this manual as a convergence tool to promote common approaches and practices in the areas of post-trade transparency and the transparency calculations.

Section 3 provides the legal background and the purpose of this document. Section 4 deals with the different aspects of post-trade transparency for equity and non-equity instruments. Section 5 tackles the transparency calculations for equity and non-equity instruments.

The update of the manual relates to the following sections:

• Section 4.1.3.3 – Type of transactions subject to post-trade transparency
• Section 5.4.3.5 – Guidance on non-equity transparency calculations strictu sensu

On January 16 2024, the European Parliament adopted two Resolutions on Markets in Financial Instruments Directive (MiFID II) and Markets in Financial Instruments Regulation (MiFIR).

Legislative Resolution of January 16 2024 on the proposal for a directive of the European Parliament and of the Council amending Directive 2014/65/EU on markets in financial instruments

In parallel with the review of Directive 2014/65/EU, Regulation (EU) No 600/2014 is amended by Regulation (EU) …/… of the European Parliament and of the Council, which removes the main obstacles that have prevented the emergence of a consolidated tape. That Regulation introduces mandatory contributions of data to the consolidated tape provider and enhances data quality by, inter alia, harmonising the synchronisation of business clocks. Furthermore, it introduces enhancements to the trading obligations and the prohibition of the practice of receiving payment for executing orders from certain clients on a particular execution venue or for forwarding orders of those clients to any third party for their execution on a particular execution venue (payment for order flow). Since Directive 2014/65/EU also contains provisions related to the consolidated tape and transparency, the amendments to Regulation (EU) No 600/2014 should be reflected in Directive 2014/65/EU.

Article 2(1), point (d)(ii), of Directive 2014/65/EU exempts persons dealing on own account from the requirement to be authorised as an investment firm or credit institution, unless those persons are members of or participants in a regulated market or an MTF or have direct electronic access to a trading venue. Non-financial entities that are members of or participants in a regulated market or an MTF for the purpose of executing transactions with regard to liquidity management or for the purpose of reducing risks directly relating to the commercial activity or treasury financing activity should not be required to be authorised as an investment firm, as such a requirement would be disproportionate.

Directive 2014/65/EU provides that an investment firm is to be considered to be a systematic internaliser only where it is deemed to perform its activities on an organised, frequent, systematic and substantial basis or where it chooses to opt in under the systematic internaliser regime. A frequent, systematic and substantial basis is determined by quantitative criteria. This has led to an excessive burden for the investment firms that are required to perform the assessment, and for ESMA, which is required to publish data for the purposes of the assessment. The assessment on the basis of those criteria should therefore be replaced by a qualitative assessment. Taking into account that Regulation (EU) No 600/2014 is amended to exclude systematic internalisers from the scope of the pre-trade transparency requirements for non-equity instruments, the qualitative assessment of systematic internalisers should apply only to equity instruments. It should, however, be possible for an investment firm to opt in to become a systematic internaliser for non-equity instruments.

Following the energy crisis of 2022 and the resulting higher and more frequent margin calls and extreme volatility, a comprehensive assessment of the appropriateness of the overall framework for markets for commodity derivatives, for markets for emission allowances and for markets for derivatives of emission allowances is warranted. Such an assessment should have a strategic focus and consider the liquidity and proper functioning of markets for commodity derivatives, for emission allowances and for derivatives of emission allowances in the Union to ensure that the framework governing those markets is fit for purpose in order to facilitate the energy transition and to ensure food security and the ability of the markets to withstand external shocks.

Legislative Resolution of January 16 2024 on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) No 600/2014 as regards enhancing market data transparency, removing obstacles to the emergence of a consolidated tape, optimising the trading obligations and prohibiting receiving payments for forwarding client orders

Article 8 of Regulation (EU) No 600/2014 sets out pre-trade transparency requirements for market operators and investment firms operating a trading venue in respect of non-equity instruments, regardless of the trading system. The benefits of those requirements have been clear for such market operators and investment firms that operate a central limit order book or a periodic auction trading system, where bids and offers are anonymous, firm and truly multilateral. Other trading systems, in particular voice trading and request-for-quote systems, provide requestors with tailor-made quotes, which have marginal informational value to other market participants. To reduce the regulatory burden imposed on such market operators and investment firms and to simplify the applicable waivers, the requirement to publish firm or indicative quotes should apply only to central limit order books and periodic auction trading systems. In order to accommodate for limiting the pre-trade transparency to central limit order books and periodic auction trading systems, the requirements applicable to waivers as referred to in Article 9 of Regulation (EU) No 600/2014 should be amended. The waiver that is available above a size specific to the financial instrument for request-for-quote systems and for voice trading systems should be removed.

Currently, derivatives fall within the scope of the non-equity transparency regime, which combines different types of financial instruments with mostly securities (bonds) on the one hand and mostly contracts (derivatives) on the other. Transparency for non-equity instruments, as well as for equity instruments, relies on the concept of ‘traded on a trading venue’. For certain derivatives, that concept has proven to be problematic due to their lack of fungibility and the lack of appropriate identifying reference data. For that reason, the scope of derivatives transparency should rely not on the concept of ‘traded on a trading venue’, but, rather, on predefined characteristics of the derivatives. The derivatives should be subject to the transparency requirements regardless of whether they are traded on or off venue. The transparency requirements should apply to derivatives that are sufficiently standardised for the data published in relation to them to be meaningful for market participants beyond the contracting parties. This means that all exchange-traded derivatives should remain subject to the transparency requirements.

Post-trade risk reduction services are an essential tool of risk management with respect to OTC derivatives. Post-trade risk reduction services rely on technical transactions that are pre-arranged, non-price forming and market-risk neutral and that achieve a reduction in the risk in each of the portfolios. Portfolio compression services, which are currently exempt from the obligation to execute orders on terms most favourable to the client as laid down in Article 27 of Directive 2014/65/EU (‘best execution’) and transparency requirements, are a subset of post-trade risk reduction services.

BACKGROUND

On June 19 2023, the European Supervisory Authorities (ESAs) – EBA, EIOPA and ESMA – had released consultations on the first batch of draft technical standards under the Digital Operational Resilience Act (DORA).

DORA has mandated the ESAs to develop 13 policy instruments, organized in two batches.

WHAT'S NEW?

On January 17 2024, the European Banking Authority (EBA) published the European Supervisory Authorities’ (ESAs’) publish first set of final draft technical standards under Digital Operational Resilience Act (DORA) for Information and Communication Technology (ICT) and third-party risk management and incident classification.

The joint final draft technical standards include:

• Regulatory Technical Standards (RTS) on ICT risk management framework and on simplified ICT risk management framework
  The draft RTS on ICT risk management framework identify further elements related to ICT risk management with a view to harmonise tools, methods, processes and policies. These elements are complementary to those identified in DORA. The RTS identify the key elements that financial entities subject to the simplified regime and of lower scale, risk, size and complexity would need to have in place, setting out a simplified ICT risk management framework. The RTS ensure the ICT risk management requirements are harmonised among the different financial sectors.
• RTS on criteria for the classification of ICT-related incidents
  These RTS specify the criteria for the classification of major ICT-related incidents, the approach for the classification of major incidents, the materiality thresholds of each classification criterion, the criteria and materiality thresholds for determining significant cyber threats, the criteria for competent authorities to assess the relevance of incidents to competent authorities in other Member States and the details of the incidents to be shared in this regard. The RTS ensure a harmonised and simple process of classifying incident reports throughout the financial sector.
• RTS to specify the policy on ICT services supporting critical or important functions provided by ICT third-party service providers (TPPs)
  These RTS specify parts of the governance arrangements, risk management and internal control framework that financial entities should have in place regarding the use of ICT third-party service providers. They aim to ensure financial entities remain in control of their operational risks, information security and business continuity throughout the life cycle of contractual arrangements with such ICT third-party service providers.
• Implementing Technical Standards (ITS) to establish the templates for the register of information
  Finally, the ITS set out the templates to be maintained and updated by financial entities in relation to their contractual arrangements with ICT third-party service providers. The register of information will play a crucial role in the ICT third-party risk management framework of the financial entities and will be used by competent authorities and ESAs in the context of supervising financial entities’ compliance with DORA and to designate critical ICT third-party service providers that will be subject to the DORA oversight regime.

Comparing this set of final draft technical standards with the ones published for consultation on 19 June 2023, there are some important changes that the financial entities should consider and comply with.

WHAT'S NEXT?

The final draft technical standards have been submitted to the European Commission, who will now start working on their review with the objective to adopt these first standards in the coming months.

Financial institutions should start performing or updating their gap assessment based on this final draft set that has been released. The last versions will be published after the European Commission’s review. Financial entities should not delay the compliance journey toward these final draft RTS and ITS, knowing that on 17 January 2025 all these requirements should be met.

On January 12 2024, the European Securities and Markets Authority (ESMA) updated their consolidated questions and answers (Q&A) on Sustainable Finance Disclosure Regulation (Regulation (EU) 2019/2088 - SFDR).

This document combines responses given by the European Commission to questions requiring interpretation of Union Law according to Article 16b(5) of the ESA Regulations and responses generated by the ESAs relating to the practical application or implementation of SFDR under Article 16b(1) of the ESA Regulations.

On January 9 2024, the Financial Services and Markets Authority (FSMA) published a communication on the modification of prudential requirements and the implementation of a new reporting scheme relating to these requirements.

The purpose of this Communication is to inform the industry of (i) the entry into force on January 1 2024 of new provisions on prudential requirements applicable to management companies of (alternative) collective investment undertakings and (ii) the establishment of a new investigation to verify compliance with these new provisions. This Communication replaces Circular PPB-2007-16-CPB-CPA of December 18 2007 and Communication CBFA_2008_03 of February 4 2008.

On November 15 2023, the FSMA adopted two new regulations applicable to management companies of (alternative) collective investment undertakings, one concerning the prudential requirements to which they are now subject and the other concerning the periodic information relating to these prudential requirements to be communicated to the FSMA.

These two new regulations were approved by Royal Decree of December 12 2023 and published in the Belgian Official Gazette on December 27 2023.

In addition to the capital requirements set out in the UCITS and AIFM directives, the Regulation of 28 August 2007 made certain capital requirements applicable to investment firms applicable to all management companies insofar as their authorisation as a management company also allows them to provide investment services.

However, the prudential requirements applicable to investment firms were amended following the entry into force of Regulation 2019/2033. As a result, the FSMA has adopted a new regulation applicable to management companies taking into account these amended requirements. In concrete terms, the Prudential Requirements Regulation, on the one hand, applies the prudential requirements introduced by the above-mentioned European Regulation to the management companies concerned and, on the other hand, repeals other provisions thereby reducing the number of applicable capital requirements.

Finally, a new regulation on periodic information has been adopted to take account of the changes made to the prudential requirements applicable to management companies. The new reporting scheme adopted is largely based on the European reporting scheme for investment firms, supplemented to take into account the capital requirements set out in the UCITS and AIFMDs which were applicable and remain unchanged.

On January 9 2024, the Financial Services and Markets Authority (FSMA) updated its Circular on collaborative mission of approved commissioners.

This circular sets out the FSMA's instructions on the role of statutory auditors with:

• management companies of collective investment undertakings
• branches of management companies governed by foreign law that manage public alternative collective investment undertakings under Belgian law
• public regulated real estate companies
• regulated real estate companies with a social purpos

This circular describes the terms and conditions of the mission of the certified commissioners to collaborate in the following areas:

• activities and reporting on periodic statements and periodic reports, semi-annual and year-end
• assessment and reporting of internal control measures
• reporting to the FSMA, including the reporting scheme and the special report
• the exchange of information between authorised auditors and the FSMA, including the signal function

On January 19 2024, the Financial Services and Markets Authority (FSMA) published a communication on sustainability reporting by listed companies.

Since 2019, various new EU rules on sustainable finance have been adopted. They have entered into force or are gradually coming into force. The FSMA would like to draw the attention of listed companies to the sustainability rules that apply or will apply to them. This Communication deals with the transparency rules under the Taxonomy Regulation. So far, these have been aimed at certain listed companies. In addition, in the coming years, they will be aimed at a larger number of companies following the entry into force of the Corporate Sustainability Reporting Directive (CSRD).

The purpose of this Communication is to explain to the companies concerned the structure of their disclosure obligations and to guide them to the location of more detailed rules.

Sustainability reporting requirements, including the information required by the Taxonomy Regulation, stem from the European Commission's Sustainable Finance Action Plan. These rules are therefore harmonised throughout the European Union. These rules apply to European companies, but also to third-country companies listed in the EU. 

This plan has three objectives:

• Redirecting capital flows towards sustainable investments to achieve sustainable and inclusive growth;
• Manage the financial risks induced by climate change, resource depletion, environmental degradation and social issues; and
• Promote transparency and a long-term vision in economic and financial activities.

On January 26 2024, the Financial Services and Markets Authority (FSMA) updated its sustainable finance rules for investment firms.

The field of application relates to portfolio management and investment advisory companies on the activity of providing investment services and the articles of association and control of portfolio management and investment advisory companies and brokerage firms as referred to in Article 1, §3, paragraph 3 of the Law of April 25 2014 on the statutes and supervision of credit institutions and brokerage firms.

Transparency rules require companies to inform their stakeholders of the extent to which they integrate sustainability risks into different aspects of their policy. For certain transparency obligations, companies must take into account the Taxonomy Regulation. Some transparency obligations apply only to companies providing specific services or to companies of a certain size. Transparency rules also require companies to inform investors of the extent to which they take sustainability features into account for their products. In addition to complying with the above-mentioned transparency rules, companies subject to non-financial reporting obligations must publish certain quantitative indicators related to the Taxonomy Regulation.

Risk management rules require companies to manage the sustainability risks they face themselves.

The rules of conduct require firms providing investment services to take into account sustainability factors in their conflict of interest policy, product approval process and suitability assessment.

The product-specific rules shall apply to green bonds and sustainable benchmarks.

On January 1 2024, the Financial Services and Markets Authority (FSMA) updated its Q&A on the entry into force of the Delegated Regulation (EU) 2022/1288 supplementing the Sustainable Finance Disclosure Regulation (SFDR) with technical standards in the field of asset management.

This Regulation came into force on January 1 2023. In particular, these Q&As are intended to clarify the rules applicable to UCITS management companies, self-managed UCITS, and managers of public and non-public UCITS resulting from the Delegated Regulation, as well as the FSMA's expectations in this regard.

The FSMA is the competent authority for the supervision of the provisions of Regulation 2022/1288 and ensures that the sustainability-related information published by managers is complete, correct, clear, transparent and non-misleading. The proper functioning of the financial sector depends on the public's trust in financial institutions, and the fight against "greenwashing" is a priority in this sense.

On January 22 2024, the Comissão de Valores Mobiliários (CVM) published the circular letter 01/24 on the expiration of registrations in the SRE System. 

It presents new guidelines on procedures to be observed by coordinators in the requirements for automatic registration of public offerings of securities - CVM Resolution No. 160/2022.

Circular Letter contains guidelines for the lead coordinators regarding the expiration of public offering registrations, as provided for in article 47 of RCVM 160. In addition, it alerts and informs the existence of several public offerings registered in the SRE System for more than 90 days, without the disclosure of an Announcement of Commencement in said system, and therefore such registrations have already expired.

On January 24 2024, the Comissão de Valores Mobiliários (CVM) approved the technical cooperation agreement with B3 S.A. – Brasil, Bolsa e Balcão.

The partnership will promote mechanisms for cooperation and organization of the inspection activities carried out between the institutions, related to public offerings of securities regulated by CVM Resolution 160. This technical cooperation agreement will continue the work carried out under the agreement signed in 2020, making the necessary changes due to the revocation of CVM Instruction 476 and the publication of CVM Resolution 160.

Due to the issuance of CVM Resolution 160, it was necessary to implement adjustments in the new agreement, such as, for example, the exclusion of the items that were included in the previous agreement:

• Verification of the four-month interval between two offerings (article 9 of CVM Instruction 476);
• Prohibition on the trading of securities, except shares, subscription bonuses, certificates of deposit of shares and BDRs, issued under CVM Instruction 476 within a period of 90 days, counted from the date of subscription or acquisition by the investor (article 13 of CVM Instruction 476).

On January 24 2024, the Comissão de Valores Mobiliários (CVM) approved technical cooperation agreement with BSM Supervision of Markets (BSM).

The purpose is to exchange data and information for use in the securities market supervision process. To this end, it is foreseen the non-remunerated concession to the CVM of permission for remote, segregated and exclusive access for consultations, to the platforms used by BSM to monitor offerings, operations and indicators related to its supervision and inspection of the markets, as well as the sharing of data by the CVM for the processing of statistical filters for the detection of any suspicious transactions carried out in the securities market.

The agreement aims to improve the synergy between the actions of the regulator and self-regulator in the market supervision process, extracting from each institution data and technological resources available to both for use in the supervision and sanctioning processes of the two entities, since such resources will allow the search for irregular behavior in the sample space of the securities market.

Targets set by the agreement are the following:

• Improve the fight against irregular practices that compromise the integrity and regular functioning of the Capital Market;
• Improve the supervision and supervision of the markets by the CVM, considering access to technological platforms contracted and licensed by BSM, to monitor offers and operations otherwise inaccessible by the Agency.

On January 18 2023, the Brazilian Securities and Exchange Commission (CVM) proposed to eliminate the limit on participation in the capital stock of the stock exchange.

The central aspect of the reform is the proposal to exclude the limitation on participants in organized stock exchange markets from becoming relevant shareholders with voting rights of the entities that manage such markets.

The reform also includes additional adjustments to CVM Resolution 135 in relation to the dynamics of appeals against decisions rendered under the Loss Compensation Mechanism (MRP), as well as in the rites of approval, by the CVM, of certain changes in rules, procedures and commercial activities of entities managing organized markets.

Main proposals:

• Elimination of the limit of 10% of participation in the capital stock with voting rights of a stock exchange administrator entity that may be held by a participant in the organized market;
• Introduction of safeguards and mechanisms to identify, prevent and address conflicts of interest, notably in the case of a participant holding a relevant stake in the capital stock of an entity that manages an organized stock market;
• Reformulation of the appeals body of the MRP, so that the entity managing the organized market is now responsible for the assessment of appeals filed not only by participants, but also by investors; and
• Simplification of the CVM's approval procedure in the event of changes in the corporate structure, access rules and other procedures established by organized market management entities, as well as for the purpose of developing new commercial activities and acquiring equity interests, replacing the need for prior approval with prior notification dynamics in certain matters and low-risk activities.

On January 8 2024, the Comissão de Valores Mobiliários (CVM) published a new version of the Sustainable CVM Booklet.

In the new edition, the data and concepts provided have been updated in accordance with the current literature. To simplify the investor's understanding, examples of securities that can be structured by integrating environmental, social and governance objectives into their investment strategies have also been inserted.

In addition, a new chapter was created to specifically explore greenwashing, a subject addressed in CVM's Sustainable Finance Policy, in view of its effects on investor decision-making.

The official taxonomy, which is being developed by the federal government, was highlighted in the new edition, due to the importance of the subject for the expansion of sustainable finance.

The publications in the Sustainable CVM series seek to equip investors with knowledge, data and tools to develop critical thinking and the ability to make thoughtful and informed investment decisions. The objective is to mitigate the risks of greenwashing and, thus, preventively assist in the supervision activities of the Autarchy.

On January 17 2023, the Agence nationale de la sécurité des systèmes d'information (ANSSI) published 3 Guides dedicated to the remediation of cyber incidents.

The financial and material damage that a computer attack can cause is considerable. If a major incident is partially or poorly remedied, its effects can be long-lasting. This high potential for destabilization requires both target organizations and cybersecurity providers to have know-how in containing these cyber-attacks, regaining control of the compromised information system and restoring it to a sufficient state of operation. Remediation is the key step to achieving this. It is one of the major dimensions of cyber incident response, along with investigation and crisis management.

ANSSI is committed to working with the IT security ecosystem to develop and disseminate the doctrinal pillars for the implementation and management of remediation. It publishes a doctrinal corpus that is divided into three parts (strategic, operational, technical) and is intended to be progressively enriched. The documents describe, respectively:

• Strategic: The Challenges of Remediation for an Organization Affected by a Security Incident
• Operational: The principles of steering and implementing the remediation project
• Technical: The technical requirements for a specific operation in a remediation project

Version française

Le 17 janvier 2023, l'Agence nationale de la sécurité des systèmes d'information (ANSSI) a publié 3 Guides dédiés à la remédiation des cyberincidents.

Les dégâts financiers et matériels que peut occasionner une attaque informatique sont considérables. Si un incident majeur est partiellement ou mal résolu, ses effets peuvent être durables. Ce fort potentiel de déstabilisation nécessite tant les organisations cibles que les prestataires de cybersécurité de savoir-faire pour contenir ces cyberattaques, reprendre le contrôle du système d’information compromis et le restaurer dans un état de fonctionnement suffisant. La remédiation est l’étape clé pour y parvenir. Il s’agit de l’une des dimensions majeures de la réponse aux cyberincidents, au même titre que les enquêtes et la gestion des crises.

L’ANSSI s’engage à travailler avec l’écosystème de la sécurité informatique pour élaborer et diffuser les piliers doctrinaux pour la mise en œuvre et la gestion de la remédiation. Elle publie un corpus doctrinal divisé en trois parties (stratégique, opérationnelle, technique) et destiné à être progressivement enrichi. Les documents décrivent respectivement :

• Stratégique : Les enjeux de la remédiation pour une organisation affectée par un incident de sécurité
• Opérationnel : Les principes de pilotage et de mise en œuvre du projet de remédiation
• Technique : les exigences techniques pour une opération spécifique dans un projet d'assainissement

On January 18 2023, the Autorité des marchés financiers (AMF) published its action plan and supervisory thematic priorities for 2024.

Concerning asset management companies:

• Monitoring investment restrictions and related claims and compensations
• Qualifications and level of knowledge of employees
• Sustainable finance: voting and shareholder engagement policies, which are playing an increasingly important role in asset managers environmental, social and governance (ESG) strategies and communications and can represent a strong commercial focus of their ESG approach
• Governance and the role of senior management
• Valuation of non-listed assets and real estate assets

Concerning intermediaries and market infrastructures:

• Quality of MiFIR, EMIR, Securities Financing Transactions Regulation (SFTR), and Central Securities Depositories Regulation (CSDR) reporting data
• Involvement of the compliance function in cross-functional processes relating to employee conduct
• Market abuses prevention with traditional supervision of prevention and detection system
• Governance and control of outsourced activities

Concerning investment services providers and the marketing of financial instruments:

• Sustainability preferences of the client
• Innovative digital offers, cross-border offers, offers on complex instruments
• Investment advice delivered on an automated basis to retail clients
• Supervision activities within the “commercialisation ecosystem”: investment services providers (ISP) and their tied-agents
• Costs and charges in the discretionary portfolio management
• Supervision of financial investment advisers

Version française

Le 18 janvier 2023, l'Autorité des marchés financiers (AMF) a publié son plan d'action et ses priorités thématiques de surveillance pour 2024.

Concernant les sociétés de gestion de portefeuille :

• Suivi des restrictions d'investissement et des réclamations et compensations associées
• Qualifications et niveau de connaissance des salariés
• Finance durable : les politiques de vote et d'engagement actionnarial, qui jouent un rôle de plus en plus important dans les stratégies et communications environnementales, sociales et de gouvernance (ESG) des gestionnaires d'actifs et peuvent représenter un axe commercial fort de leur approche ESG
• Gouvernance et rôle de la haute direction
• Valorisation d'actifs non cotés et d'actifs immobiliers

Concernant les intermédiaires et les infrastructures de marché :

• Qualité des données de reporting MiFIR, EMIR, Securities Financing Transactions Regulatory (SFTR) et Central Securities Depositories Regulators (CSDR)
• Implication de la fonction conformité dans les processus transversaux relatifs au comportement des collaborateurs
• Prévention des abus de marché avec supervision traditionnelle du système de prévention et de détection
• Gouvernance et contrôle des activités externalisées

Concernant les prestataires de services d’investissement et la commercialisation d’instruments financiers :

• Préférences de durabilité du client
• Offres numériques innovantes, offres transfrontalières, offres sur instruments complexes
• Conseils en investissement fournis de manière automatisée aux clients particuliers
• Activités de supervision au sein de « l’écosystème de commercialisation » : prestataires de services d’investissement (FSI) et leurs agents liés
• Coûts et charges liés à la gestion discrétionnaire de portefeuille
• Supervision des conseillers en investissements financiers

On January 30 2023, the Autorité des marchés financiers (AMF) published the guide to fees and contributions due to it.

This guide presents the regime of fees and contributions due to the AMF by service providers, asset management players, as well as issuers and their shareholders.

It also sets out the practical arrangements for the payment of such fees and contributions.

Version française

Le 30 janvier 2023, l'Autorité des marchés financiers (AMF) a publié le guide des frais et contributions qui lui sont dus.

Ce guide présente le régime des commissions et contributions dues à l'AMF par les prestataires de services, les acteurs de la gestion d'actifs, ainsi que les émetteurs et leurs actionnaires.

Il précise également les modalités pratiques de paiement de ces taxes et contributions.

On January 10 2024, the Autorité des marchés financiers (AMF) published a communication on the conditions for the authorisation of funds given the entry into force of the revision of the Regulation on European Long-Term Investment Funds (ELTIF 2).

ELTIF 2 entered into force on January 10 2024. In this context, the AMF updated the authorisation form as an ELTIF for existing or newly created funds.It also specified the conditions for the use of the possibility opened up by the French legislator, in order to promote the development of ELTIFs, consisting of existing real estate collective investment undertakings (OPCIs) and risk mutual funds (FCPRs) being able to opt to be governed by the provisions of the Monetary and Financial Code relating to specialised professional funds (FPS) in order to facilitate their transformation into an ELTIF 2 approved fund. This choice must be notified to the AMF and investors must be informed individually.

A French AIF that complies with the conditions of the ELTIF, in particular the fact of investing at least 55% in long-term assets, can apply for authorisation from the AMF.

Once authorised and subject to notification, the ELTIF will be able to be marketed to retail investors in other EU countries. It will be able to lend directly to companies and will benefit from preferential prudential treatment for insurance companies. The terms and conditions for approving a fund, whether newly created or existing, remain similar to those already in effect under "ELTIF 1".

However, it is important to note that prior to the publication of the regulatory technical standards of the revised ELTIF, funds will have to add a statement to their prospectus to inform investors of the possibility of a subsequent amendment in order for the fund to comply with the new standards, if this was not already the case.

Version française

Le 10 janvier 2024, l'Autorité des marchés financiers (AMF) a publié une communication sur les conditions d'agrément des fonds compte tenu de l'entrée en vigueur de la révision du règlement sur les fonds européens d'investissement à long terme (ELTIF 2).

L'ELTIF 2 est entré en vigueur le 10 janvier 2024. Dans ce contexte, l'AMF a mis à jour le formulaire d'agrément en ELTIF pour les fonds existants ou nouvellement créés. Elle a également précisé les conditions d'utilisation de la possibilité ouverte par le législateur français, afin favoriser le développement des ELTIF, constitués d'organismes de placement collectif immobilier (OPCI) et de fonds communs de placement à risques (FCPR) existants pouvant choisir d'être régis par les dispositions du code monétaire et financier relatives aux fonds professionnels spécialisés (FPS) en afin de faciliter leur transformation en fonds agréé ELTIF 2. Ce choix doit être notifié à l'AMF et les investisseurs doivent en être informés individuellement.

Un FIA français qui respecte les conditions de l'ELTIF, notamment le fait d'investir au moins 55% dans des actifs à long terme, peut demander un agrément auprès de l'AMF.

Une fois autorisé et soumis à notification, l’ELTIF pourra être commercialisé auprès des investisseurs particuliers dans d’autres pays de l’UE. Elle pourra prêter directement aux entreprises et bénéficiera d’un traitement prudentiel préférentiel pour les compagnies d’assurance. Les modalités d'agrément d'un fonds, qu'il soit nouvellement créé ou existant, restent similaires à celles déjà en vigueur au titre de « ELTIF 1 ».

Il est toutefois important de noter qu'avant la publication des normes techniques de réglementation de l'ELTIF révisé, les fonds devront ajouter une déclaration à leur prospectus pour informer les investisseurs de la possibilité d'une modification ultérieure afin que le fonds se conforme aux les nouvelles normes, si ce n'était pas déjà le cas.

On January 12 2023, the Autorité des marchés financiers (AMF) published a warning to professionals against a wave of fraudulent and malicious use of AMF's name.

The AMF has been informed that several players, whether or not regulated by the AMF, have received emails and phone calls impersonating the AMF and one of its employees, inviting them to visit fraudulent sites. To date, two different spoofing scenarios have been observed, with no factual evidence to confirm or deny that they are the result of the same malicious actor.

The technical investigations are still ongoing, but the elements known to date for each scenario are:

For the first scenario:

• The email received indicates an alleged "series of important updates aimed at optimizing your user experience" and encourages people to visit a site that turns out to be malicious.
• The malicious site redirects to the download of a Java archive file (.jar), known to date to be a malicious computer program, whose precise purpose is not yet known, but which it is reasonable to think that it allows the takeover of the workstation of the person who opened it.

For the second scenario:

• The email received refers to an alleged "invoice", bearing a number beginning with "AMFKEY", which allegedly contains an "error". The recipient is therefore invited to "kindly review the invoice as soon as possible and confirm the corrected. 

The AMF invites professionals who receive such emails or telephone calls related to these scenarios to:

• be careful not to click on the fraudulent link offered in the message and not to execute the malicious computer program, in order to prevent any risk of infection;
• implement appropriate technical blocking measures;
• and contact the AMF Epargne Info Service team, indicating "AMFKEY" as the subject line: Priority, via the form on the website www.amf-france.org/fr/signaler-une-arnaque-ou-une-anomalie ; or by phone on 01 71 53 20 05, Monday to Friday from 9 a.m. to 12:30 p.m.

Version française

hLe 12 janvier 2023, l'Autorité des marchés financiers (AMF) a publié une mise en garde destinée aux professionnels contre une vague d'utilisations frauduleuses et malveillantes du nom de l'AMF.

L'AMF a été informée que plusieurs acteurs, réglementés ou non par l'AMF, ont reçu des courriels et des appels téléphoniques se faisant passer pour l'AMF et l'un de ses salariés, les invitant à visiter des sites frauduleux. À ce jour, deux scénarios d’usurpation d’identité différents ont été observés, sans aucune preuve factuelle permettant de confirmer ou d’infirmer qu’ils résultent du même acteur malveillant.

Les investigations techniques sont toujours en cours, mais les éléments connus à ce jour pour chaque scénario sont :

Pour le premier scénario :

• l'e-mail reçu indique une prétendue « série de mises à jour importantes visant à optimiser votre expérience utilisateur » et incite les gens à visiter un site qui s'avère malveillant.
• le site malveillant redirige vers le téléchargement d'un fichier d'archive Java (.jar), connu à ce jour pour être un programme informatique malveillant, dont la finalité précise n'est pas encore connue, mais dont on peut raisonnablement penser qu'il permet de s'emparer du poste de travail de la personne qui l'a ouvert.

Pour le deuxième scénario :

• le mail reçu fait référence à une prétendue « facture », portant un numéro commençant par « AMFKEY », qui contiendrait une « erreur ». Le destinataire est donc invité à « bien vouloir examiner la facture dans les plus brefs délais et confirmer la correction ».

L'AMF invite les professionnels qui reçoivent de tels courriels ou appels téléphoniques liés à ces scénarios à :

• veiller à ne pas cliquer sur le lien frauduleux proposé dans le message et à ne pas exécuter le programme informatique malveillant, afin de prévenir tout risque d'infection ;
• mettre en œuvre des mesures techniques de blocage appropriées ;
• et contacter l'équipe AMF Epargne Info Service en indiquant « AMFKEY » en objet : Priorité, via le formulaire du site www.amf-france.org/fr/signaler-une-arnaque-ou-une -anomalie ; ou par téléphone au 01 71 53 20 05, du lundi au vendredi de 9h à 12h30.

On January 23 2024, the Federal Financial Supervisory Authority (BaFin) published a report on risks in focus for 2024.

The report identifies seven central risks for the financial stability and integrity of the German financial system that BaFin intends to focus its supervisory activities on in 2024.

Seven main risks in BaFin's focus are as follows:

• Risks from significant interest rate rises
• Risks from corrections in the real estate markets
• Risks from significant corrections in the international financial markets
• Risks arising from the default of loans to German companies
• Risks from cyber attacks with serious consequences
• Risks from inadequate money laundering prevention
• Risks from concentrations in the outsourcing of IT services

Significant trends are:

• Digitalization
• Sustainability
• Geopolitical upheavals

On January 24 2024, the Federal Financial Supervisory Authority (BaFin) published a press release on applying the European Securities and Markets Authority (ESMA) guidelines on reporting under European Market Infrastructure Regulation (EMIR).

This specifically relates to the reporting obligation for derivatives under Article 9 EMIR and the obligations of trade repositories. They shall be applied by counterparties reporting under Article 9 EMIR and trade repositories from April 29 2024.

The guidelines harmonise and standardise EMIR notifications. This creates the basis for producing high-quality data and effectively monitoring systemic risks. Another advantage is that costs along the entire reporting chain are reduced. This applies to the counterparties that report the data, the trade repositories that check the data for completeness and accuracy, and the authorities that use the data for supervisory and regulatory purposes.

Specifically, the guidelines specify, among other things, the reporting logic, the reporting of different types of derivatives and access to data.

On January 15 2024, Germany published an Ordinance on Notifications pursuant to Section 24 of the Securities Institutions Act.

For the purposes of this Ordinance, the target company is the investment institution in which a significant holding is to be acquired, changed or relinquished or a significant holding has been unintentionally acquired, altered or relinquished.

The notifications pursuant to Section 24 (1) to (3) and (5) and Sections 7 and 9 to 11 of this Ordinance must be submitted in a single copy to the Federal Financial Supervisory Authority (BaFin) and the central administration of the Deutsche Bundesbank responsible for the investment institution concerned. This applies accordingly to documents and declarations that are subsequently requested.

At the request of the BaFin or the Deutsche Bundesbank, an electronic submission channel must be used for notifications and documents. The BaFin and the Deutsche Bundesbank provide information on the respective electronic submission channels on their respective websites.

This Ordinance is in force since January 16 2024.

On January 11 2024, Germany published an Ordinance on the Regulatory Requirements for Remuneration Systems of Medium-Sized Securities Institutions.

The key elements of the Ordinance refer to:

• 3 Identification of risk carriers
• 4 Responsibilities
• 5 Alignment with the strategy of the investment institution
• 6 Appropriateness of remuneration and remuneration systems
• 7 General Requirements for Variable Remuneration
• 8 Special Requirements for Variable Remuneration
• 10 Exceptions with regard to variable remuneration and additional pension benefits
• 11 Requirements for the determination of the total amount of variable remuneration and the offsetting of retained remuneration components
• 13 Principles on Remuneration Systems in the Organisational Guidelines; Documentation requirements
• 14 Review and Adjustment of Remuneration Systems
• 15 Information on remuneration systems
• 16 Adaptation of existing agreements
• 18 Group-wide regulations on remuneration

Subject to subsection (3), this Ordinance shall apply to all medium-sized investment institutions within the meaning of Section 2 (17) of the Securities Institutions Act. It concerns the remuneration of risk takers of an investment institution.

Section 18 shall also be applied by higher-level undertakings. This also applies if it is not a securities institution within the meaning of Section 2 (17) of the Securities Institutions Act.

Regulation shall not apply to:

1. Remuneration which:

a) are agreed by collective agreement;

b) within the scope of a collective agreement, by agreement between the parties to the employment contract on the application of the provisions of the collective agreement, or

c) are agreed in a works or service agreement on the basis of a collective agreement, and

2. Commercial agents within the meaning of Section 84(1) of the Commercial Code.

The Regulation entered into force on January 12 2024.

On January 10 2024, the German Investment Fund and Asset Managers Association (BVI) published an analysis of Guidelines for Annual General Meetings.

The BVI Analysis Guidelines for General Meetings 2024 (ALHV) serve as guidance for BVI member companies for the independent analysis of proposed resolutions for the general meeting of listed and unlisted companies. They are applicable from January 1 2024.

If critical factors are met, the capital management company should examine the rejection of the management's respective resolution proposal as part of the vote.

Responsible management and control of the company aimed at long-term value creation is in the interest of its shareholders. The composition, activities and remuneration of the bodies should reflect this. This should be visible to shareholders through appropriate transparency and open communication.

On January 17 2024, the Federal Financial Supervisory Authority (BaFin) consulted on the guidance note on minimum number of managing directors under German Investment Institutions Act (WpIG).

The document specifies criteria for which an investment institution must have at least two managing directors in order to meet the legal requirements for the professional suitability and availability of the management as well as the organisation of an investment institution pursuant to section 20 (1), (2) of the WpIG and section 41 of the WpIG.

This document applies to all undertakings submitting an application for authorisation or application for extension of authorisation from the date of publication of the leaflet. For investment institutions with an existing licence, this leaflet will be applied at the end of a transitional period of one year from the date of publication.

Under the European regulatory framework, investment institutions must, in principle, have two directors. Pursuant to section 18 (1) no. 8 of the WpIG, the license to provide investment services pursuant to section 15 (1) of the WpIG is to be refused in the following cases if an investment institution does not have at least two managing directors who do not only work for the investment institution on a voluntary basis:

• The investment institution has the power to acquire ownership or possession of funds or securities from clients in the course of providing investment services or ancillary investment services, or
• The investment institution is authorised to offer retirement provision contracts in accordance with a certificate issued by the BaFin in accordance with Section 4 (1) No. 2 of the Act on the Certification of Pension Contracts.

In accordance with Section 20 (1) and (2) of the WpIG, the managing directors must meet certain requirements with regard to their professional suitability and time availability. Section 41 of the WpIG lays down the requirements for the organisation of a securities institution.

The BaFin intends to define uniform criteria which, if met, meet the legal requirements for the professional suitability and availability of the management and the organisation of a securities institution pursuant to section 20 (1), (2) of the WpIG and section 41 of the WpIG are generally only fulfilled if the investment institution has at least two managing directors. In these cases, the appointment of a second managing director cannot be waived by remedial measures in accordance with Art. 8 Delegated Regulation (EU) 2017/1943.

With the document, BaFin is also implementing a recommendation of the European Securities Markets Authority (ESMA). In its report on the Brexit Peer Review of 8 December 2022 with regard to the corporate governance of small investment firms, the BaFin found that the BaFin had failed to comply with Article 9 (6) subparaph 1 of MiFID II.

Under this provision, a single managing director is permitted only in exceptional cases and requires, inter alia, certain alternative arrangements to ensure the sound and prudent management of such investment institutions and the appropriate consideration of client interests and market integrity. If these conditions are not met, investment institutions must be managed by two directors.

The consultation period runs until March 18 2024.

On January 25 2024, the Federal Financial Supervisory Authority (BaFin) published information on submission of the outsourcing notification in the MVP specialist procedure according to the German Investment Code (KAGB).

The key information is as follows:

• The outsourcing notices can be submitted by the asset management company directly or by a third party, provided that the latter has been activated for the notifiable company.
• It should be noted that not all fields have to be filled in or displayed for each type of report, as some types of reports are not relevant for the fund sector.
• Mandatory fields are highlighted in yellow in the MVP form and marked "Required". 

Recording errors can be found for some notifications of intent or a significant change in outsourcing submitted via BaFin's MVP portal. These oftenconcern the data fields " outsourcing contractor/name" and "subcontractors to whom essential functions or parts thereof are relocated/name". These recording errors can make the evaluation of the reporting data more difficult or even impossible and must therefore be observed or corrected by the supervised entities, also in order to avoid administrative offence proceedings that are subject to fines.

On January 19 2024, the Deutsche Bundesbank published a methodology for the climate transition stress test for the German financial system.

This document presents the methodology of the Deutsche Bundesbank's climate transition stress test for the German financial system, which was published as part of the Financial Stability Report 2023. The aim of the analysis is to assess potential vulnerabilities related to transition risks for German financial intermediaries and the financial system as a whole.

The analysis includes several steps. The starting point is given by transition scenarios which describe potential co-developments of climate policies (carbon taxes), the economy and climate change. In particular, the authors study one scenario in which the world as a whole gradually transitions to a net zero emission economy by 2050. A second scenario assumes a large carbon tax hike in the short-run. In the next step the authors translate the scenario paths of macroeconomic variables into valuation impacts for the assets held by German financial intermediaries. This includes impacts on corporate loans, bonds and equities. Where relevant data is available the authors consider firm-level information, such as carbon emissions, in order to calculate the scenario impacts on the asset level. Finally, the authors determine the impact of the scenarios on the balance sheets of German banks, funds and insurers. In doing so, the authors also investigate how these losses are distributed across different financial institutions.

The analysis is an update of the climate risk sensitivity analysis of the German financial system performed in Bundesbank’s Financial Stability Report 2021. The updated methodology allows for a more robust assessment of overall vulnerabilities. This follows in particular from the consideration of multiple, very distinct climate scenarios and the inclusion of firm-level data.

On January 19 2024, the Securities and Futures Commission (SFC) updated its Code of Conduct for persons licensed by or registered with the SFC.

The Commission will be guided by this Code of Conduct in considering whether a licensed or registered person satisfies the requirement that it is fit and proper to remain licensed or registered, and in that context, will have regard to the general principles, as well as the letter, of the Code. For the purposes of the Code, a registered person includes a “relevant individual” as defined in section 20(10) of the Banking Ordinance (Cap.155), and “registered” shall be construed accordingly.

The update relates to:

Instruments subject to the requirements

The margin requirements apply to all non-centrally cleared OTC derivatives except the following:

(a) OTC derivative transactions that are cleared by a clearing member on behalf of a non-member or a non-member's client where:

(i) the non-member and its client (as appropriate) are subject to the margin requirements of the central counterparty; or

(ii) the non-member and its client (as appropriate) provide margin consistent with the relevant corresponding central counterparty's margin requirements.

(b) physically settled FX forwards and FX swaps, and the "FX transactions" embedded in cross-currency swaps associated with the exchange of principal", subject to paragraph 8;

(c) excluded currency contracts within the meaning of section 2 of Securities and Futures (OTC Derivative Transactions - Reporting and Record Keeping Obligations) Rules;

(d) physically settled commodity forwards; and

(e)on or before January 3 2026, non-centrally cleared single-stock options, equity basket options and equity index options.

The instruments listed in paragraph 7(b) above are only subject to the variation margin requirements if:

(a) they are entered into by a licensed person with any of the following entities:

(i) an authorized institution as defined in section 2(1) of the Banking Ordinance (Cap 155);

(ii) a licensed corporation; or

(iii) an entity that carries on a business outside Hong Kong and is engaged predominantly in any one or more of the following activities:

• Banking
• Securities or derivatives business
• Asset management

(b) In relation to both counterparties referred in (a) above, with respect to a one-year period from September 1 each year to August 31 of the following year, the entity itself or the consolidated group to which it belongs has an average aggregate notional amount of non-centrally cleared OTC derivatives exceeding HK$60 billion.

On January 15 2024, the Securities and Futures Commission (SFC) published a circular to licensed corporations on deferral of margin requirements for non-centrally cleared equity options.

This circular informs licensed corporations that the SFC will defer the effective date of its margin requirements for non-centrally cleared single-stock options, equity basket options and equity index options (non-centrally cleared equity options) by two years to January 4 2026 to align with the latest global developments.

The SFC’s margin requirements for non-centrally cleared equity options were originally scheduled to take effect on January 4 2024 when such margin requirements were expected to become effective in the UK and European Union (EU). Nevertheless, on December 18 2023, the UK’s Prudential Regulation Authority and Financial Conduct Authority published a joint policy statement containing amendments to the Binding Technical Standards 2016/2251. The statement extended the temporary exemptions for single-stock equity options and index options from the UK bilateral margining requirements from January 4 2024 until January 4 2026. In addition, on December 20 2023, the European Supervisory Authorities (ESAs) published the joint draft regulatory technical standards (RTS) under the European Market Infrastructure Regulation, proposing an extension to the equity option exemption from bilateral margining by two years until January 4 2026.

To prevent regulatory arbitrage and considering that licensed corporations’ exposures to non-centrally cleared equity options are currently insignificant, the SFC has decided to align the effective date of its margin requirements with the UK and EU’s timelines.

Paragraph 7(e) of Part III of Schedule 10 to the Code of Conduct will be amended accordingly and gazetted in due course.

On January 24 2024, the Hong Kong Monetary Authority (HKMA) announced measures to deepen financial cooperation between Hong Kong and Mainland China with the People’s Bank of China (PBoC).

The measures include:

• Expanding the list of eligible collateral for the HKMA's RMB Liquidity Facility to include RMB bonds issued onshore by the Ministry of Finance of the People’s Republic of China and the policy banks of the People’s Republic of China;
• Further opening up the onshore repurchase agreement (repo) market to all foreign institutional investors (including Bond Connect investors) that already have access to the China Interbank Bond Market;
• Releasing the amendments to the Implementation Arrangements for the Cross-boundary Wealth Management Connect Pilot Scheme in the Guangdong-Hong Kong-Macao Greater Bay Area (GBA);
• Implementing facilitative measures on the remittances for property purchase by Hong Kong and Macao residents in the Mainland cities in the GBA;
• Promoting the collaboration on cross-boundary credit referencing to facilitate corporates’ cross-boundary financing activities;
• Expanding the cross-boundary e-CNY pilots in Hong Kong.

On January 23 2024, the Securities and Futures Commission (SFC) published its strategic priorities for 2024-2026.

Recognising the shifts in capital market conditions and the challenges brought about by the evolving global landscape as well as technological advances, the SFC is committed to continuing to facilitate market development as well as safeguarding the integrity and quality of the Hong Kong markets.

In the coming three years, the SFC will strive to:   

• maintain market resilience and mitigating serious harm to our markets;
• enhance the global competitiveness and appeal of the Hong Kong capital markets;
• lead financial market transformation through technology and ESG; and
• enhance institutional resilience and operational efficiency.

On January 24 2024, the Securities and Futures Commission (SFC) published a circular setting out the eligibility criteria and guidance for licensed corporations (LCs) to participate in the Cross-boundary Wealth Management Connect Pilot Scheme (WMC Scheme) in the Guangdong-Hong Kong-Macao Greater Bay Area (GBA).

Eligible brokers’ participation in the WMC Scheme was made possible by the revised Implementation Arrangements published by the People’s Bank of China for the Cross-boundary WMC Pilot Scheme in the GBA (Implementation Rules). The other revised arrangements cover increasing the individual investment quota to RMB 3 million; expanding the product scope to include, amongst others, funds with higher risk ratings; and enhancing the promotion and sales arrangements. The revised Implementation Rules will take effect on February 26 2024.

LCs interested in participating in the WMC Scheme should submit applications to the SFC. They should be licensed for Type 1 regulated activity, have paid-up capital and shareholders’ funds of not less than HK$100 million, have at least three years of experience in distributing funds and/or bonds and transaction volume of not less than HK$500 million during any 12-month period in the past three years and adequate systems of control. In addition, similar to the current arrangement for banks, LCs should partner with one or more eligible Mainland broker when providing services under the WMC Scheme.

On January 23 2024, the Securities and Futures Commission (SFC) published a circular to licensed corporations on circularisation exercise and internal control review.

The SFC will commence in February 2024 a circularisation exercise on clients’ accounts of selected securities brokers and an internal control review of these brokers’ safeguarding of client assets.

Client asset protection is always a top priority of the SFC in supervising licensed corporations (LCs). In this regard, the SFC issues circulars and management letters to LCs from time to time to share its observations on control issues identified in its supervision work and provides guidance to LCs on the regulatory standards expected of them. The SFC also conducts regular circularisation exercises such that both the SFC and brokers’ management could obtain direct confirmations from clients on their account positions and identify any potential misconduct such as unauthorised trading and misappropriation of client assets.

To facilitate the conduct of the circularisation exercise, brokers are reminded to ensure that their clients’ personal information is accurate and up to date.

The review will cover brokers’ internal control systems that are designed to protect client assets, such as their controls over client information maintenance, clients’ money and securities reconciliation, as well as the distribution of account statements and trade documents. In addition, the review will assess brokers’ compliance with the expected regulatory standards set out in the following SFC circulars in relation to safeguarding client assets and prevention of fraud.

On January 23 2024, the Central Bank of Ireland (CBI) published Regulations, that complement and are part of the Central Bank Consumer Protection Act 2007.

They can be cited as Consumer Protection Act 2007 (Competition and Consumer Protection Commission) Levy Regulations 2024.

The Consumer Protection Act 2007 (National Consumer Agency) Levy Regulations 2011 (S.I. No. 560 of 2011) are hereby amended by the substitution of the Schedule to these Regulations for the Schedules in S.I. No. 560 of 2011.

Levy period: A 12-month period, commencing on January 1 2024 and ending on December 31 2024 in respect of the below categories for regulated entities:

• Categories D2, D3, D4, D5: investment firms regulated under the European Union (Markets in Financial Instruments) Regulations 2017 

On January 9 2024, the Central Bank of Ireland (CBI) published Regulations, that complement and are part of the as part of the Central Bank Reform Act 2010.

They can be cited as Central Bank Reform Act 2010 (Section 21(6)) Regulations 2024.

These Regulations apply to all regulated financial service providers and holding companies to which Part 3 of the Act applies.

The Regulations define:

• The circumstances triggering a requirement to certify that a person is compliant with standards of fitness and probity, and the period of validity of such certification
• The procedures, systems and controls to be adopted and checks to be performed by regulated financial service providers and holding companies
• Record keeping related to the issuance of the certificate of compliance
• The reporting of information by regulated financial service providers or holding companies to the Bank in relation to their obligations

On 30 January 2024, the Irish Funds Industry (IF) issued an Advocacy Update on European Long Term Investment Fund (ELTIF) 2.0.

The ELTIF has recently undergone significant enhancements through the coming into force of Regulation 2023/606/EU. Irish Funds believe that these reforms will allow the ELTIF to play a key role in facilitating the raising and channelling of capital towards long-term investments across the EU for the benefit of businesses, investors and the wider economy.

Over the last 12 months, Irish Funds has sought to pro-actively engage with domestic policymakers to ensure the new Irish ELTIF 2.0 regime would meet both member and investor needs.

The key areas of focus for IF members included the need for a standalone ELTIF chapter of the AIF Rulebook facilitating the authorisation of ELTIFs in a manner which avoided gold plating, providing certainty around authorisation timeframes, enabling the use of the existing 24 hour authorisation processes for qualifying investor ELTIFs, allowing for the use of umbrella vehicles which could incorporate ELTIF and non-ELTIF sub-funds in the same umbrella and the extension of existing guidance and mechanisms to the ELTIF which are currently limited to qualifying investor closed-ended funds. 

The Central Bank outlined its proposed approach for a new Irish ELTIF regime. Irish Funds believes these updates will meet the needs of both investors and managers, making Ireland a very attractive jurisdiction for the establishment of ELTIFs.  

Some of the key elements of the proposed ELTIF chapter of the AIF Rulebook (as confirmed by the Central Bank) include:

• Subject to the conclusion of its internal review and approval of the new ELTIF chapter, it has been recommended to permit the use of umbrella structures to establish ELTIF sub-funds, with it being possible to establish ELTIF and non-ELTIF sub-funds in the same umbrella. In this regard, existing or new RIAIF and QIAIF umbrellas would be able to incorporate retail or professional only ELTIFs and non-ELTIF sub-funds subject to certain requirements
• The QIAIF 24-hour authorisation framework will be available for ELTIFs which are offered to only professional investors as defined in the EU Regulation or those offered to qualifying investors as defined in the AIF Rulebook
• Where an ELTIF is distributed to qualifying investors as defined in the AIF Rulebook, and that ELTIF is not restricted to professional investors only, the retail requirements as set out in the EU Regulation will be applied in the interests of ensuring appropriate investor protection
• Various other enhancements to the existing consultation proposals will provide greater flexibility around the adoption or disapplication of certain existing AIF Rulebook requirements
• The finalised AIF rulebook (with the update ELTIF chapter) is expected to be published early March (with updated ELTIF application forms being published in tandem)

Following the publication of the updated AIF rulebook and application forms, the Central Bank will be in a position to authorise ELTIFs.

Irish Funds will continue to engage on behalf of members with the Central Bank to ensure the successful operationalisation of the new Irish ELTIF regime and will keep members updated on progress made.

On January 23 2024, the Commissione Nazionale per le Società e la Borsa (CONSOB) updated its fee schedule for the 2024 financial year.

CONSOB issued their fee schedule for the financial year 2024, pursuant to Article 40 of Law no. 724/1994 as amended, which defines the fees to be paid by the entities subject to its supervision.

The supervisory fees applicable to foreign Undertakings for Collective Investment in Transferable Securities (UCITS) and Alternative Investment Funds (AIFs) that market their units or shares in Italy for the 2024 financial year can be found in the table in Article 3 of the Resolution.

The amounts due must be paid at the latest by 15 April 2024 by bank transfer. Failure or delay in the payment of such fees may trigger compulsory payment procedures to be initiated by the CONSOB, along with the application of additional interest charges. The CONSOB does not charge notification fees, neither for UCITS nor for AIFs.

On January 30 2024, the Borsa Italiana published the notice No.3896 on amendments to the market regulations and related instructions.

Commissione Nazionale per le Società e la Borsa (CONSOB), with the resolution No.22920 of December 6 2023, approved the amendments to the Regulation of the Markets organised and managed by Borsa Italiana and to related instructions, approved by the Board of Directors at its meeting on November 8 2023.

• Pro-Forma Financial Information and statement of the auditor
  
  It is no longer appropriate to expressly make reference to the content of the statement to be issued by auditors when they have to express an opinion on pro-forma accounting data. Instead, it is specified that the declaration be drawn up applying the best international reference standards.

• Shares
• Requirements for listing of units or shares of AIFs
• Requirements for companies on the Professional Segment of the Euronext MIV Milan market

The detailed amendments include conditions for the admission of shares, especially for issuers who have undergone extraordinary corporate actions or significant changes in assets and liabilities. Pro-Forma Financial Information, including a pro forma income statement and balance sheet, may be required. The changes will take effect on February 14, 2024.

On January 10 2024, the Jersey Financial Services Commission (JFSC) published a new financial crime and regulatory technology guide.

Regulatory technology (RegTech) presents a real opportunity for Jersey. It supports the fight against financial crime, helps to facilitate high standards of business integrity and increases the capacity of firms’ compliance functions, among other benefits.   

New financial crime and regulatory technology guide explores both how this technology can be used and some of the regulatory considerations when adopting it. 

The goal of the guide is to provide an introductory overview to this area, including:

• What RegTech is;
• How RegTech can be successfully applied; 
• Case studies of good practice, including RegTech procurement considerations;
• How firms can engage with our Innovation Hub.

Innovation Hub encourages the adoption of technology in the financial services industry. Ambition is for Jersey’s supervised persons to reach a prominent level of RegTech maturity by the end of 2024, evidenced by high adoption rates, cost efficiencies and improved compliance and management of regulatory complexity.

On January 31 2024, the Commission de Surveillance du secteur financier (CSSF) updated the Circular CSSF 24/852 updating Circular CSSF 19/717 on auditing standards.

This circular modifies the CSSF Circular 19/717 and more particularly its paragraph 8. Auditing and other standards (Article 36, paragraph 3, letters (d) and (e)) and its Appendices by incorporating the modifications made by CSSF Regulation No. 24-02 of January 26, 2024 relative, with the:

1. the adoption of auditing standards in the field of statutory auditing within the framework of the law of July 23, 2016 relating to the audit profession
2. the adoption of standards relating to ethics and internal quality control respectively to quality management within the framework of the law of July 23, 2016 relating to the auditing profession

This circular repeals and replaces CSSF circular 22/794 of January 26, 2022.

Version française

Le 31 janvier 2024, la Commission de Surveillance du secteur financier (CSSF) a mis à jour la Circulaire CSSF 24/852 actualisant la Circulaire CSSF 19/717 relative aux normes d'audit.

La présente circulaire modifie la Circulaire CSSF 19/717 et plus particulièrement son paragraphe 8. Normes d'audit et autres normes (Article 36, paragraphe 3, lettres (d) et (e)) et ses Annexes en intégrant les modifications apportées par le Règlement CSSF n° 24. -02 du 26 janvier 2024 relatif, avec :

1. l'adoption des normes de contrôle dans le domaine du contrôle légal des comptes dans le cadre de la loi du 23 juillet 2016 relative à la profession d'audit
2. l'adoption de normes relatives à la déontologie et au contrôle qualité interne respectivement au management de la qualité dans le cadre de la loi du 23 juillet 2016 relative à la profession d'audit

Cette circulaire abroge et remplace la circulaire CSSF 22/794 du 26 janvier 2022.

On January 31 2024, the Commission de Surveillance du secteur financier (CSSF) informed on the new communication means for fund managers.

Pursuant to Circular CSSF 19/721 – Dematerialisation of requests to the CSSF and to further improve the transmission of specific communications (such as surveys, data collection exercises, thematic requests) whilst ensuring the protection of confidential data, the CSSF informs the Investment Fund Managers (IFMs) that outbound emails from the UCI Departments (OPC) in this context will solely be sent to the email addresses of eDesk users defined as “Board Member” and/or “Conducting Officer” on the eDesk Portal.

For exchanges related to AML/CFT, the “Board Member” and/or “Conducting Officer” may be contacted in addition to the “AML/CFT responsible officer”. Please note that the role of “AML/CFT responsible officer” shall be reserved for the RR (responsable du respect des obligations professionnelles) and RC (responsable du contrôle du respect des obligations professionnelles), and their backups considering the eDesk rights attributed to these functions.

For other exchanges (i.e., directly between the CSSF and an IFM in relation to specific files, topics), the CSSF process remains unchanged and the responsible persons within the IFM will continue to be contacted directly.

In this context, the CSSF reminds Investment Fund Managers that they must keep the email addresses of eDesk users on the eDesk Portal up to date at all times.

From January 31 2024, an eDesk procedure will be available for alternative investment fund managers to transmit their AIFM reporting.

This new communication mean enriches the API solution available since November 2 2023 allowing professionals to exchange directly with the CSSF, without using the external transmission channels.

The user guide available by following the link www.cssf.lu/en/Document/aifm-reporting-technical-guidance/ provides information on this new transmission method.

As a reminder, please note that transmission of AIFM reporting through external transmission channels will remain possible until June 30 2024.

Version française

Le 31 janvier 2024, la Commission de Surveillance du secteur financier (CSSF) a informé les nouveaux moyens de communication à destination des gestionnaires de fonds.

En application de la Circulaire CSSF 19/721 – Dématérialisation des demandes adressées à la CSSF et afin d'améliorer encore la transmission de communications spécifiques (telles que des enquêtes, des exercices de collecte de données, des demandes thématiques) tout en garantissant la protection des données confidentielles, la CSSF informe les Gestionnaires de Fonds d'Investissement (IFM) qui, à partir d’aujourd’hui, les emails sortants des Départements de l’UCI (Métier OPC) dans ce cadre seront envoyés uniquement aux adresses email des utilisateurs d’eDesk définis comme « Board Member » et/ou « Conducting Officer » sur le Portail eDesk. .

Pour les échanges liés à la LBC/FT, le « Board Member » et/ou le « Conducting Officer » peuvent être contactés en complément du « Responsable LBC/FT ». Veuillez noter que le rôle de « responsable LBC/FT » sera réservé au RR (responsable du respect des obligations professionnelles) et au RC (responsable du contrôle du respect des obligations professionnelles), et à leurs suppléants compte tenu des droits eDesk attribués à ces derniers. les fonctions.

Pour les autres échanges (c'est-à-dire directement entre la CSSF et un GFI concernant des dossiers, sujets spécifiques), le processus CSSF reste inchangé et les responsables au sein du GFI continueront d'être contactés directement.

Dans ce contexte, la CSSF rappelle aux gestionnaires de fonds d'investissement qu'ils doivent tenir à jour à tout moment les adresses email des utilisateurs eDesk sur le portail eDesk.

A partir du 31 janvier 2024, une procédure eDesk sera mise à la disposition des gestionnaires de fonds d'investissement alternatifs pour transmettre leur reporting AIFM.

Ce nouveau moyen de communication enrichit la solution API disponible depuis le 2 novembre 2023 permettant aux professionnels d'échanger directement avec la CSSF, sans utiliser les canaux de transmission externes.

Le guide d'utilisation disponible en suivant le lien www.cssf.lu/en/Document/aifm-reporting-technical-guidance/ renseigne sur ce nouveau mode de transmission.

Pour rappel, la transmission du reporting AIFM par des canaux de transmission externes restera possible jusqu'au 30 juin 2024.

On January 4 2024, the Commission de Surveillance du secteur financier (CSSF) issued a Communiqué on its revised inbound email protocol security.

In order to increase email security at the CSSF, all inbound emails are now checked with an email authentication protocol using Domain-based Message Authentication, Reporting & Conformance policies (DMARC) at the Domain Name System level (DNS), verifying server origin and digital signature of the email using the Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) protocols.

Any failure during these verification steps will result in the email not being delivered to its intended recipient(s).

The DNS records should be complete and correctly configured according to the SPF/DKIM/DMARC best practices to avoid any rejected mails towards the CSSF.

Version française

Le 4 janvier 2024, la Commission de Surveillance du secteur financier (CSSF) a publié un communiqué sur la sécurité révisée de son protocole de courrier électronique entrant.

Afin d'augmenter la sécurité du courrier électronique à la CSSF, tous les courriers électroniques entrants sont désormais vérifiés avec un protocole d'authentification de courrier électronique utilisant les politiques DMARC (Domain-based Message Authentication, Reporting & Conformance) au niveau du système de noms de domaine (DNS), vérifiant l'origine du serveur et les informations numériques. signature de l'e-mail à l'aide des protocoles Sender Policy Framework (SPF) et DomainKeys Identified Mail (DKIM).

Tout échec lors de ces étapes de vérification entraînera la non-livraison de l'e-mail à son(ses) destinataire(s) prévu(s).

Les enregistrements DNS doivent être complets et correctement configurés selon les bonnes pratiques SPF/DKIM/DMARC pour éviter tout mail rejeté vers la CSSF.

BACKGROUND

The Circular will repeal and replace Circular CSSF 11/504 regarding frauds and incidents due to external computer attacks.

The term “NIS Law” used throughout the Circular refers to the Law of 28 May 2019 on Network and Information Systems, which is also referred to as “NIS1 Law”. This is the NIS Law that is currently applicable and is therefore the law that is referred to in the Circular. NIS2 will become applicable when it will be transposed in Luxembourg by October 17 2024.

Chapter 3 of the Circular applies only to Supervised Entities that are either Operators of Essential Services “OES” or Digital Service Providers “DSP” under the NIS1 Law. These entities will have been notified of their identification as OES or informed of their consideration as DSP when the NIS Law entered into force. The CSSF will reconfirm the relevant Supervised Entities of their status as OES or DSP respectively at the latest by 1 March 2024. The Supervised Entities which will not receive this information at that date are therefore not designated as OES or considered as DSP respectively, without prejudice to potential future designation or information. Supervised Entities that are either OES or DSP are by default either credit institutions or financial market infrastructures, which are professionals of the financial sector.

It is specified that “essential service” means a service which is essential for the maintenance of critical societal and/or economic activities and which is listed as essential service in Article 2 of CSSF Regulation No 20-04 of July 15 2020.

The following entities are to be considered as Supervised Entities in the frame of this Circular: 

a) credit institutions and professionals of the financial sector within the meaning of the LFS

b) approved publication arrangements (APAs) with a derogation and authorised reporting mechanisms (ARMs) with a derogation within the meaning of the LFS

c) payment institutions and electronic money institutions within the meaning of the LPS

d) POST Luxembourg governed by the Law of 15 December 2000 on postal financial services

e) management companies incorporated under Luxembourg law and subject to Chapter 15 of the UCITS Law

f) management companies incorporated under Luxembourg law and subject to Articles 125-1 or 125-2 of Chapter 16 of the UCITS 2010 Law

g) Luxembourg branches of IFMs subject to Chapter 17 of the UCITS Law

h) investment companies which did not designate a management company within the meaning of Article 27 of the UCITS Law

i) alternative investment fund managers authorised under Chapter 2 of the AIFM Law

j) internally managed alternative investment funds within the meaning of point (b) of Article 4(1) of the AIFM Law

k) central counterparties (CCPs) within the meaning of Article 2(1) of EMIR, including Tier 2 third-country CCPs within the meaning of Article 25(2a) of EMIR, complying with the relevant requirements of EMIR in accordance with point (a) of Article 25(2b) of EMIR

l) central securities depositories within the meaning of the CSD Law

m) administrators of critical benchmarks within the meaning of point (b) of Article 20(1) of the Benchmark Regulation

n) crowdfunding Service Providers within the meaning of the Law of 16 July 2019 on the operationalisation of European regulations in the area of financial services

o) credit institutions and the financial market infrastructures for which according to Article 3 of the NIS Law the CSSF is the competent authority in terms of network and information security and that have been identified as OES

p) support PSF authorised in accordance with Article 29-3 of the LFS for which according to Article 3 of the NIS Law the CSSF is the competent authority in terms of network and information security and that have been informed by the CSSF of their consideration as DSP under the NIS Law

On January 30 2024, the Chambre des députés - Luxembourg published a Draft law amending the Criminal Code with a view to transposing Directive 2013/40/EU of the European Parliament and of the Council of August 12 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA.

It was recommended that Luxembourg develop a legal provision allowing for a compliant and more literal application of European law. As a result, this bill plans to include the aggravating circumstances provided for by the directive, while applying an effective, proportionate and dissuasive sanction. Ultimately, it is up to the judicial authorities to assess on a case-by-case basis whether or not this is an aggravating circumstance.

WHAT'S NEW?

On January 5 2023, the Commission de Surveillance du secteur financier (CSSF) published the Circular CSSF 24/847 on the ICT-related incident reporting framework, a realted FAQ and the Regulation No 24-01 of January 5 2024 relating to the notification of incidents according to the Law of May 28 2019 transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of July 6 2016 concerning measures for a high common level of security of network and information systems across the European Union.

The circular brings the following changes to the current incident reporting mechanism:

1) Increases the incident coverage, currently limited to fraud and incidents due to external computer attacks as per Circular CSSF 11/504, by covering more broadly ICT operational and security incidents while avoiding double reporting for incidents to be notified under other incident notification frameworks.

2) Introduces reporting based on classification. Supervised Entities will be required to classify ICT-related incidents based on the criteria indicated in this Circular and to notify to the CSSF the cases where ICT-related incidents are classified as major or significant incidents.

3) Introduces a new incident reporting notification form. To obtain data in a structured form, Supervised Entities will be required to complete and submit an ICT-related incident notification form in case the ICT-related incident is classified as a major or significant incident.

4) Introduces a specific chapter to cover in the same Circular the incident notification requirements (previously communicated via bilateral communications to Supervised Entities that are under the scope of the NIS Law) in order to apply the new incident reporting notification forms and practical requirements to the notifications of incidents assessed as significant under the NIS Law.

Supervised Entities shall notify the following incidents:

a) Any successful malicious unauthorised access to the network and information systems. For the purpose of this circular these successful malicious unauthorised accesses are to be considered as major ICT-related incidents

b) Any other incident classified as major ICT-related incident

Supervised Entities shall classify ICT-related incidents and assess their impact on the basis of the following criteria:

a) the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the ICT-related incident, and whether the ICT-related incident has caused reputational impact

b) the duration of the ICT-related incident, including the service downtime

c) the geographical spread with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States

d) the data losses that the ICT-related incident entails, in relation to availability, authenticity, integrity or confidentiality

e) the criticality of the services affected, including the Supervised Entity’s transactions and operations

f) the economic impact, in particular direct and indirect costs and losses, of the ICT-related incident in both absolute and relative terms

The following examples shall clarify the classification and notification flow:

1. An ICT-related incident occurs at a Supervised Entity that is a credit institution and an OES.

The Supervised Entity needs to assess whether the ICT related incident impacts the continuity of the essential services: 

a) No (e.g. impact on other critical or important functions): only Chapter 2 of the Circular applies;

b) Yes, and only on essential services: only Chapter 3, Section 3.1. of the Circular applies. This Chapter describes the steps that need to be fulfilled to comply with the NIS Law. It refers to elements of Chapter 2 for classification criteria (2.2.) and notification requirements (2.3) as the NIS Law is silent on these points. In the notification form the Supervised Entity shall indicate that the ICT-related incident is notified under the NIS framework.

c) Yes, and it impacts both essential services and other critical or important functions: both Chapter 2 (in its entirety) and Chapter 3, Section 3.1. of the Circular apply, which refer to the same classification and notification requirements. In the notification form the entity shall indicate that the ICT-related incident is also notified under the NIS framework.

2. An ICT-related incident occurs at a Supervised Entity that is a support PFS and a DSP.

The Supervised Entity needs to assess whether the ICT related incident impacts the provision of digital services provided by the entity: 

a) No (e.g. impact on other services): only Chapter 2 of the Circular applies;

b) Yes, and only on digital services: only Chapter 3, Section 3.2. of the Circular applies. This Chapter describes the steps that need to be fulfilled to comply with the NIS Law. The entity shall assess whether the incident is to be classified as a significant incident under the NIS Law in line with the thresholds indicated in the Commission Implementing Regulation (EU) 2018/151 (point 26.a)). Section 3.2. also refers to Chapter 2 only for some points of the section 2.2. (not related to the classification) and for section 2.3 (for notification requirements) as the NIS Law and the Commission Implementing Regulation are silent on these points. In the notification form the Supervised Entity shall indicate that the ICT-related incident is notified under the NIS framework.

c) Yes, and it impacts both digital services and other services: both Chapter 2 (in its entirety) and Chapter 3, Section 3.2. of the Circular apply. In the notification form the entity shall indicate that the ICT-related incident is also notified under the NIS framework.

With the use of the term “successful” when referring to malicious unauthorised accesses, the CSSF aims to differentiate these from simple “attempts” without intrusion.

In the context of the Circular 24/847, the CSSF considers that an ICT-related incident has an impact on the authenticity respectively integrity when:

• The incident has compromised the trustworthiness of the source of data (authenticity)
• The incident has resulted in a non-authorised modification of data that has rendered it inaccurate or incomplete (integrity)

A physical security incident is considered as an ICT-related incident, and therefore in the scope of the Circular, if, following such incident, the security of the network and information systems is compromised, and this has an adverse impact on the availability, authenticity, integrity or confidentiality of data or on the services provided by the Supervised Entities. For example, fiber network cable cuts are to be considered as ICT-related incidents.

WHAT'S NEXT?

The circular shall enter into force on April 1 2024 for credit and payment institutions and on June 1 2024 for investment fund managers. This CSSF regulation shall enter into force on April 1 2024. 

ICT-related incident notifications shall be submitted by considering the time limits and the data fields respectively laid down in the Annex I and II of the Circular CSSF 24/847 as from April 1 2024 and June 1 2024 respectively.

Any question relating to the Regulation, the Circular or the new ICT-related incident notification process should be addressed to ictrisksupervision@cssf.lu.

Version française

BACKGROUND

La Circulaire abrogera et remplacera la Circulaire CSSF 11/504 relative aux fraudes et incidents dus à des attaques informatiques externes.

Le terme « Loi NIS » utilisé dans l'ensemble de la Circulaire fait référence à la loi du 28 mai 2019 relative aux réseaux et aux systèmes d'information, également appelée « Loi NIS1 ». Il s'agit de la loi NIS actuellement applicable et c'est donc la loi à laquelle il est fait référence dans la circulaire. NIS2 deviendra applicable lorsqu’il sera transposé au Luxembourg d’ici le 17 octobre 2024.

Le chapitre 3 de la Circulaire s'applique uniquement aux entités surveillées qui sont soit des opérateurs de services essentiels « OES » soit des fournisseurs de services numériques « DSP » au sens de la loi NIS1. Ces entités auront été notifiées de leur identification en tant qu'OES ou informées de leur considération en tant que DSP lors de l'entrée en vigueur de la loi NIS. La CSSF reconfirmera aux Entités surveillées concernées leur statut respectivement d'OES ou de DSP au plus tard le 1er mars 2024. Les Entités surveillées qui ne recevront pas ces informations à cette date ne sont donc pas désignées respectivement comme OES ou considérées comme DSP, sans préjudice à une éventuelle désignation ou information future. Les Entités Supervisées qui sont soit OES, soit DSP sont par défaut soit des établissements de crédit, soit des infrastructures de marchés financiers, qui sont des professionnels du secteur financier.

Il est précisé que « service essentiel » désigne un service essentiel au maintien d'activités sociétales et/ou économiques critiques et qui est répertorié comme service essentiel à l'article 2 du règlement CSSF n° 20-04 du 15 juillet 2020.

Les entités suivantes doivent être considérées comme des entités surveillées dans le cadre de la présente Circulaire :

a) les établissements de crédit et les professionnels du secteur financier au sens de la LFS

b) les dispositifs de publication agréés (APA) dérogatoires et les mécanismes de reporting autorisés (ARM) dérogatoires au sens de la LFS

c) les établissements de paiement et les établissements de monnaie électronique au sens de la LPS

d) POST Luxembourg régie par la loi du 15 décembre 2000 relative aux services financiers postaux

e) sociétés de gestion de droit luxembourgeois et soumises au chapitre 15 de la loi OPCVM

f) sociétés de gestion de droit luxembourgeois et soumises aux articles 125-1 ou 125-2 du chapitre 16 de la loi OPCVM 2010

g) Succursales luxembourgeoises de GFI soumis au chapitre 17 de la loi OPCVM

h) les sociétés d'investissement n'ayant pas désigné de société de gestion au sens de l'article 27 de la loi OPCVM

i) les gestionnaires de fonds d'investissement alternatifs agréés au titre du chapitre 2 de la loi AIFM

j) fonds d'investissement alternatifs gérés en interne au sens de l'article 4 (1) point (b) de la loi AIFM

k) les contreparties centrales (CCP) au sens de l'article 2, paragraphe 1, d'EMIR, y compris les CCP de pays tiers de niveau 2 au sens de l'article 25, paragraphe 2 bis, d'EMIR, qui respectent les exigences pertinentes d'EMIR conformément au point ( a) de l’article 25(2b) du règlement EMIR

l) dépositaires centraux de titres au sens de la loi CSD

m) administrateurs d'indices de référence critiques au sens de l'article 20, paragraphe 1, point b), du règlement sur les indices de référence

n) Prestataires de services de financement participatif au sens de la loi du 16 juillet 2019 relative à l'opérationnalisation de la réglementation européenne dans le domaine des services financiers

o) les établissements de crédit et les infrastructures des marchés financiers pour lesquels selon l'article 3 de la loi NIS la CSSF est l'autorité compétente en matière de sécurité des réseaux et de l'information et qui ont été identifiés comme OES

p) les PSF de support agréés conformément à l'article 29-3 de la LFS pour lesquels selon l'article 3 de la loi NIS la CSSF est l'autorité compétente en matière de sécurité des réseaux et de l'information et qui ont été informés par la CSSF de leur considération comme DSP en vertu de la loi NIS

Le 30 janvier 2024, la Chambre des députés - Luxembourg a publié un Projet de loi modifiant le Code pénal en vue de transposer la Directive 2013/40/UE du Parlement européen et du Conseil du 12 août 2013 relative aux attaques contre les systèmes d'information et remplaçant le Conseil Décision-cadre 2005/222/JAI.

Il a été recommandé que le Luxembourg élabore une disposition juridique permettant une application conforme et plus littérale du droit européen. De ce fait, ce projet de loi prévoit d'inclure les circonstances aggravantes prévues par la directive, tout en appliquant une sanction efficace, proportionnée et dissuasive. En fin de compte, il appartient aux autorités judiciaires d’apprécier au cas par cas s’il s’agit ou non d’une circonstance aggravante.

WHAT'S NEW?

Le 5 janvier 2023, la Commission de Surveillance du secteur financier (CSSF) a publié la Circulaire CSSF 24/847 relative au cadre de déclaration des incidents liés aux TIC, une FAQ pertinente et le Règlement n° 24-01 du 5 janvier 2024 relatif à la notification des incidents liés aux TIC. incidents conformément à la loi du 28 mai 2019 transposant la directive (UE) 2016/1148 du Parlement européen et du Conseil du 6 juillet 2016 concernant des mesures pour un niveau commun élevé de sécurité des réseaux et des systèmes d'information dans l'ensemble de l'Union européenne.

La circulaire apporte les changements suivants au mécanisme actuel de signalement des incidents :

1) Augmente la couverture des incidents, actuellement limitée aux fraudes et aux incidents dus à des attaques informatiques externes selon la circulaire CSSF 11/504, en couvrant plus largement les incidents opérationnels et de sécurité TIC tout en évitant la double déclaration pour les incidents à notifier dans d'autres cadres de notification d'incidents.

2) Introduit des rapports basés sur la classification. Les Entités surveillées seront tenues de classer les incidents liés aux TIC sur la base des critères indiqués dans la présente Circulaire et de notifier à la CSSF les cas où les incidents liés aux TIC sont classés comme incidents majeurs ou significatifs.

3) Introduit un nouveau formulaire de notification de rapport d'incident. Pour obtenir des données sous une forme structurée, les entités supervisées devront remplir et soumettre un formulaire de notification d'incident lié aux TIC au cas où l'incident lié aux TIC serait classé comme incident majeur ou significatif.

4) Introduit un chapitre spécifique pour couvrir dans la même circulaire les exigences de notification d'incidents (précédemment communiquées via des communications bilatérales aux entités surveillées qui relèvent du champ d'application de la loi NIS) afin d'appliquer les nouveaux formulaires de notification d'incidents et les exigences pratiques aux notifications d'incidents jugés importants en vertu de la loi NIS.

Les entités surveillées doivent notifier les incidents suivants :

a) Tout accès malveillant non autorisé réussi au réseau et aux systèmes d’information. Aux fins de la présente circulaire, ces accès malveillants non autorisés réussis doivent être considérés comme des incidents majeurs liés aux TIC.

b) Tout autre incident classé comme incident majeur lié aux TIC

Les entités surveillées doivent classer les incidents liés aux TIC et évaluer leur impact sur la base des critères suivants :

a) le nombre et/ou l'importance des clients ou des contreparties financières concernés et, le cas échéant, le montant ou le nombre de transactions affectées par l'incident lié aux TIC, et si l'incident lié aux TIC a eu un impact sur la réputation

b) la durée de l'incident lié aux TIC, y compris le temps d'arrêt du service

c) la répartition géographique par rapport aux zones touchées par l'incident lié aux TIC, en particulier s'il affecte plus de deux États membres

d) les pertes de données qu'entraîne l'incident lié aux TIC, en termes de disponibilité, d'authenticité, d'intégrité ou de confidentialité

e) la criticité des services concernés, y compris les transactions et opérations de l’entité surveillée

f) l'impact économique, en particulier les coûts et pertes directs et indirects, de l'incident lié aux TIC, en termes absolus et relatifs

Les exemples suivants doivent clarifier le flux de classification et de notification :

1. Un incident lié aux TIC se produit dans une entité surveillée qui est un établissement de crédit et une OES.

L'entité supervisée doit évaluer si l'incident lié aux TIC a un impact sur la continuité des services essentiels :

a) Non (par exemple impact sur d'autres fonctions critiques ou importantes) : seul le chapitre 2 de la Circulaire s'applique ;

b) Oui, et uniquement sur les services essentiels : uniquement le chapitre 3, section 3.1. de la Circulaire s’applique. Ce chapitre décrit les étapes à suivre pour se conformer à la loi NIS. Il fait référence à des éléments du chapitre 2 concernant les critères de classification (2.2.) et les exigences de notification (2.3), car la loi NIS est muette sur ces points. Dans le formulaire de notification, l'entité surveillée

indique que l'incident lié aux TIC est notifié dans le cadre du NIS.

c) Oui, et cela affecte à la fois les services essentiels et d'autres fonctions critiques ou importantes : à la fois le chapitre 2 (dans son intégralité) et le chapitre 3, section 3.1. de la Circulaire s'appliquent, qui font référence aux mêmes exigences de classification et de notification. Dans le formulaire de notification, l'entité indique que l'incident lié aux TIC est également notifié dans le cadre du NIS.

2. Un incident lié aux TIC survient au sein d’une Entité Supervisée qui est un PSF de support et une DSP.

L'entité surveillée doit évaluer si l'incident lié aux TIC a un impact sur la fourniture de services numériques fournis par l'entité :

a) Non (par exemple impact sur d'autres services) : seul le chapitre 2 de la Circulaire s'applique ;

b) Oui, et uniquement sur les services numériques : uniquement chapitre 3, section 3.2. de la Circulaire s’applique. Ce chapitre décrit les étapes à suivre pour se conformer à la loi NIS. L'entité doit évaluer si l'incident doit être classé comme incident significatif en vertu de la loi NIS, conformément aux seuils indiqués dans le règlement d'exécution (UE) 2018/151 de la Commission (point 26.a)). Section 3.2. fait également référence au chapitre 2 uniquement pour certains points de la section 2.2. (sans rapport avec la classification) et pour la section 2.3 (pour les exigences de notification), car la loi NIS et le règlement d'exécution de la Commission sont muets sur ces points. Dans le formulaire de notification, l'entité surveillée indique que l'incident lié aux TIC est notifié dans le cadre du NIS.

c) Oui, et cela concerne à la fois les services numériques et les autres services : à la fois le chapitre 2 (dans son intégralité) et le chapitre 3, section 3.2. de la Circulaire s’appliquent. Dans le formulaire de notification, l'entité indique que l'incident lié aux TIC est également notifié dans le cadre du NIS.

En utilisant le terme « réussi » pour désigner les accès malveillants non autorisés, la CSSF entend les différencier des simples « tentatives » sans intrusion.

Dans le cadre de la Circulaire 24/847, la CSSF considère qu'un incident lié aux TIC a un impact sur l'authenticité respectivement l'intégrité lorsque :

• L'incident a compromis la fiabilité de la source des données (authenticité)
• l'incident a entraîné une modification non autorisée des données qui les a rendues inexactes ou incomplètes (intégrité)

Un incident de sécurité physique est considéré comme un incident lié aux TIC, et donc dans le champ d'application de la Circulaire, si, à la suite d'un tel incident, la sécurité du réseau et des systèmes d'information est compromise, ce qui a un impact négatif sur la disponibilité, l'authenticité. , l'intégrité ou la confidentialité des données ou sur les services fournis par les Entités Supervisées. Par exemple, les coupures de câbles dans les réseaux de fibre optique doivent être considérées comme des incidents liés aux TIC.

WHAT'S NEXT?

La circulaire entre en vigueur le 1er avril 2024 pour les établissements de crédit et de paiement et le 1er juin 2024 pour les gestionnaires de fonds d'investissement. Ce règlement CSSF entrera en vigueur le 1er avril 2024.

Les notifications d'incidents liés aux TIC doivent être soumises en tenant compte des délais et des champs de données respectivement prévus aux annexes I et II de la circulaire CSSF 24/847 à compter respectivement du 1er avril 2024 et du 1er juin 2024.

Toute question relative au Règlement, à la Circulaire ou au nouveau processus de notification des incidents liés aux TIC doit être adressée à ictrisksupervision@cssf.lu.

On January 2 2024, the Commission de Surveillance du secteur financier (CSSF) reminded of new methods of transmitting marketing notifications and de-notifications for UCITS.

Following the communiqués published on November 15, 2023 and December 13, 2023, the CSSF would like to inform the supervised entities concerned that the eDesk module for cross-border marketing notifications and de-notifications is now available for Luxembourg-domiciled UCITS.

As a reminder, the supervised entities concerned are UCITS that, in accordance with Chapter 6 of the 2010 Law, wish to:

• market their shares in another Member State of the European Union (EU);
• de-notify arrangements made for marketing their shares in another EU Member State.

As of January 2 2024, these entities must transmit notification and de-notification files to the CSSF either directly via the eDesk Portal or via the CSSF API solution (S3 technology).

The subsequent monitoring of these procedures will be carried out exclusively via the eDesk Portal. Additional information and instructions can be found in the dedicated user guide: Guidelines on cross-border marketing notification and de-notification procedures.

Circulars CSSF 11/509 and CSSF 21/778 are hereby repealed. For any questions, please contact the helpdesk at the following email address: edesk_opc@cssf.lu.

Version française

Le 2 janvier 2024, la Commission de Surveillance du secteur financier (CSSF) a rappelé de nouveaux modes de transmission des notifications et dénotifications de commercialisation pour les OPCVM.

Suite aux communiqués publiés le 15 novembre 2023 et le 13 décembre 2023, la CSSF souhaite informer les entités surveillées concernées que le module eDesk de notifications et dé-notifications de commercialisation transfrontalière est désormais disponible pour les OPCVM domiciliés au Luxembourg.

Pour rappel, les entités surveillées concernées sont les OPCVM qui, conformément au chapitre 6 de la loi 2010, souhaitent :

• commercialiser leurs actions dans un autre Etat membre de l'Union européenne (UE) ;
• dénotifier les accords conclus pour la commercialisation de leurs actions dans un autre État membre de l'UE.

Depuis le 2 janvier 2024, ces entités doivent transmettre les fichiers de notification et de dé-notification à la CSSF soit directement via le portail eDesk, soit via la solution API CSSF (technologie S3).

Le suivi ultérieur de ces procédures sera effectué exclusivement via le portail eDesk. Des informations et instructions supplémentaires peuvent être trouvées dans le guide de l’utilisateur dédié : Lignes directrices sur les procédures de notification et de dénotification de commercialisation transfrontalière.

Les circulaires CSSF 11/509 et CSSF 21/778 sont abrogées. Pour toute question, veuillez contacter le helpdesk à l'adresse email suivante : edesk_opc@cssf.lu.

On January 15 2024, the Commission de Surveillance du secteur financier (CSSF) published an FAQ on National reporting B4.5 and  B4.6.

From January 2 2024, the CSSF requires that credit institutions transmit their national reports B4.5 (Analysis of shareholdings) and B4.6 (Persons responsible for certain functions and activities) using one of the two following methods:

• A dedicated eDesk approach accessible via the eDesk Portal;
• An API solution based on the submission of a structured exchange file (json format) via the S3 protocol (“simple storage service”).

These FAQs aim at clarifying certain elements of the new procedure. Clarifications concern the communication channel, the reporting frequency, the Luxembourg branch obligations, the reference period for reporting, the starting and ending date on the report, the report of a function which is not currently occupied, the correction of errors in the report, the report of changes  in the shareholding or in the governance structure, the report in case no changes took place between the two submissions and the correct sequence numbering.

Also, a list of requested functions and activities for B4.6 is included.

Version française

Le 15 janvier 2024, la Commission de Surveillance du secteur financier (CSSF) a publié une FAQ sur les reportings nationaux B4.5 et B4.6.

A compter du 2 janvier 2024, la CSSF impose aux établissements de crédit de transmettre leurs rapports nationaux B4.5 (Analyse des participations) et B4.6 (Personnes chargées de certaines fonctions et activités) selon l'une des deux modalités suivantes :

• une approche eDesk dédiée accessible via le portail eDesk ;
• une solution API basée sur la soumission d'un fichier d'échange structuré (format json) via le protocole S3 (« simple storage service »).

Ces FAQ visent à clarifier certains éléments de la nouvelle procédure. Les précisions concernent le canal de communication, la fréquence de reporting, les obligations de la succursale luxembourgeoise, la période de référence pour le reporting, la date de début et de fin du rapport, le rapport d'une fonction qui n'est pas actuellement occupée, la correction des erreurs dans le rapport, le rapport sur les changements dans l'actionnariat ou dans la structure de gouvernance, le rapport dans le cas où aucun changement n'est intervenu entre les deux soumissions et la numérotation correcte.

En outre, une liste des fonctions et activités demandées pour B4.6 est incluse.

On January 8 2024, the Commission de Surveillance du secteur financier (CSSF) informed about the enforcement of the 2023 annual reports published by issuers subject to the Transparency Law referring to themes and issues to be monitored specifically in 2024.

As issuers are now preparing their reporting for the 2023 financial year, the CSSF wishes to draw the attention of those preparing their financial statements in accordance with IFRS and/or their non-financial report in accordance with the law of July 23 2016 which transposes the Directive 2014/95/EU (Non-Financial Reporting Directive or NFRD), as well as of their auditors, to a number of topics and issues that will be the subject of a specific monitoring during the CSSF’s enforcement campaign planned for 2024.

ESMA issued on October 25 2023 a public statement which describes the 2023 European Common Enforcement Priorities (ECEP) (ESMA32-193237008-1793).

1. IFRS Financial Statements: Impact of Climate-related matters
2. Non-Financial Statements: Disclosures relating to Article 8 of the Taxonomy Regulation
3. Alternative Performance Measures: Impact of Article 8 of the Taxonomy Regulation

Version française

Le 8 janvier 2024, la Commission de Surveillance du secteur financier (CSSF) a informé de la mise en application des rapports annuels 2023 publiés par les émetteurs soumis à la loi Transparence faisant référence aux thématiques et problématiques à suivre spécifiquement en 2024.

Alors que les émetteurs préparent désormais leur reporting pour l'exercice 2023, la CSSF souhaite attirer l'attention de ceux qui préparent leurs états financiers selon les normes IFRS et/ou leur rapport extra-financier conformément à la loi du 23 juillet 2016 qui transpose les Directive 2014/95/UE (Non-Financial Reporting Directive ou NFRD), ainsi que de leurs commissaires aux comptes, à un certain nombre de sujets et de questions qui feront l'objet d'un suivi spécifique lors de la campagne d'application de la CSSF prévue en 2024.

L'ESMA a publié le 25 octobre 2023 une déclaration publique décrivant les priorités européennes communes en matière d'application (ECEP) pour 2023 (ESMA32-193237008-1793).

1. États financiers IFRS : impact des questions liées au climat
2. États non financiers : informations relatives à l'article 8 du règlement taxonomie
3. Mesures alternatives de performance : impact de l’article 8 du règlement taxonomie

On January 30 2024, the Autoriteit Financiële Markten (AFM) ruled that in the event of a large, sudden drop in the value of derivatives, Dutch pension funds do not have to sell investments en masse.

They have enough sources of liquidity to meet the collateral obligations that arise when the value of their derivatives changes. In that case, it is crucial that money markets continue to function properly in order to be able to raise cash in a short period of time.

The AFM's study shows that pension funds are able to meet the collateral requirements of derivative contracts in the various stress scenarios, without being forced to sell many investments. Pension funds use various sources for this purpose. Initially, the main source of use is that is available at all times, such as cash and deposits. In addition, pension funds make use of other sources of liquidity, such as transactions on the repo market, withdrawals from money market funds and the use of high-quality debt securities as collateral.

At the same time, the results show that pension funds depend on the proper functioning of money markets, where they can raise cash for a short period of time. For example, in the stress scenarios, pension funds raise a lot of money through repo transactions – despite the restrictions on the repo market in the stress scenarios – and withdrawals from money market funds. In times of broader stress – where many market participants are in need of cash – this may not be possible. For example, at the beginning of the coronavirus crisis (March 2020), money market funds struggled to meet investors' withdrawal requests. Money market funds eventually managed to create sufficient liquidity through the sale of investments, but this sale did contribute to the self-reinforcing dynamics in financial markets at the time. Liquidity in the repo market can also come under pressure in situations of stress, for example when banks want to hold more reserves in volatile market conditions and are less willing to lend cash.

The need for liquidity for pension funds will increase further in the coming years due to new legislation. The exemption for mandatory central clearing of derivatives expired in 2023. In the case of centrally cleared contracts, collateral obligations must always be met with cash. As the clearing obligation only applies to new transactions, the share of centrally cleared derivatives, and thus the need for liquidity, will gradually increase. On the other hand, the new pension contract may have a downward effect on the need for liquidity if the hedging of interest rate risk shifts from long to shorter maturities. Because it is uncertain how liquidity needs will develop in the future, it is important to repeat this analysis in the future and to continue to monitor liquidity risks closely.

On January 15 2024, the Autoriteit Financiële Markten (AFM) highlighted the necessity of accelerating sustainability transition in the financial sector.

Both nationally and internationally, there is a growing social and political desire to speed up financial markets. In 2024, there will be (new) legislation that the financial sector must comply with and that the Netherlands Authority for the Financial Markets (AFM) will supervise. The development of an integrated strategy for the supervision of sustainability is one of the AFM's priorities. Digitalisation, cross-border financial services and the monitoring of the pension transition are also among the priorities in 2024.

The Netherlands Authority for the Financial Markets (AFM) is publishing all its priorities and other supervisory activities for this year in its annual supervisory agenda today. The Agenda 2024 is based, among other things, on the trends and risks described in the AFM Trend Monitor 2024.

The digitalisation of the financial sector and the provision of products and services via online platforms are continuing at a steady pace. The crypto market also continues to move. With the Markets in Crypto Assets Regulation (MiCAR), a start is made in the regulation of the crypto sector. The AFM also notes that the financial sector is increasingly intertwined with tech companies. This often leads to lower costs and greater efficiency, but also creates more dependency and concentration risks and vulnerabilities such as digital crime. Driven by digitalization, we are seeing an increase in cross-border financial services. The Dutch financial markets are attractive to foreign parties. In addition to the positive effects of an increase in supply and a greater diversity of providers, the international nature of financial markets leads to cross-border risks. Such as, for example, rogue foreign providers of investment products and cross-border market abuse on the capital markets. These risks require an international approach by the AFM with fellow European supervisors.

This year, the AFM's focus is also on supervising the implementation of the Future Pensions Act. Because pensions will move faster in line with the financial markets, pension outcomes will be more dependent on financial and economic trends, such as developments in the stock market price and interest rates. The information for participants about possible decreases and increases in assets and their expected distribution must be correct. We have been preparing for the pension transition with more extensive pension supervision for some time now, together with the pension sector and the Dutch Central Bank. 

On January 24 2024, the Dutch Banking Association (Nederlandse Vereniging van Banken, NVB) announced that ESG and Climate risks will be taken into account in determining the market value of commercial real estate.

ESG and climate risks are increasingly influencing the development of real estate values. It is therefore important that these types of risks are better taken into account in the valuation of real estate. That is why banks, together with the major valuation firms, valuation software suppliers and trade associations of appraisers and brokers, have developed a new sustainability section for valuations of commercial and commercial real estate. As a result, ESG and climate risks, such as flooding, are explicitly taken into account in the valuation report when determining the market value. The new sustainability section will take effect on February 17 2024

By completing this new paragraph, it will be easier for appraisers to describe the sustainability performance of a property and to price the impact into the market value. For example, the actual energy consumption is queried, so that CO2 emissions and the costs for energy use can be estimated. Risks such as flooding, forest fires and foundation problems must also be taken into account when determining the market value. Finally, the appraiser is asked to determine the market value of the appraised object, if it is made more sustainable to, for example, an A-label, including the measures and costs for this.

For banks and other clients, it is important that these risks are taken into account, because the value of the collateral may not be too low in relation to the requested loan. A correct valuation therefore forms the basis for responsible lending to the real estate sector. The new paragraph is in line with the ESG reporting obligations of large and listed companies to report on their sustainability policies and performance.

On January 25 2024, the Ministry of Economic Affairs and Digital Transformation published a press release on the appointment of the National Commission on Markets and Competition (CNMC) as Spain's Digital Services Coordinator.

The Government thus complies with the provisions of Regulation (EU) 2022/2065 on a single market for digital services and amending Directive 2000/31/EC (DSA), which establishes the obligation for Member States to designate a coordinating competent authority that meets requirements of independence from external influences and sufficient autonomy in managing their budget.

The CNMC will therefore be responsible for ensuring in Spain the coordination, supervision and consistent effective compliance with the European Digital Services Regulation, the European standard that regulates the liability and obligations of digital intermediaries and online platforms (such as social networks, marketplaces, search engines, app stores and online hosting platforms). The regulation aims to prevent illegal and harmful activities on the internet, ensure the safety of users and create a safer, more transparent and predictable digital environment for citizens and businesses.

The DSA provides the Coordinator with broad powers of supervision, investigation and sanction over service providers established in Spain, such as requesting access to data and algorithmic systems for moderating and recommending content and advertising, ordering inspections and imposing fines on intermediaries in the event of infringement of the Regulation, which could reach up to 6% of the global annual turnover of large Internet platforms.

They will also be responsible for certifying trusted flaggers (entities with preference in relation to the notification of illegal content) and out-of-court dispute resolution bodies.

For its part, the European Commission has designated 20 very large platforms (VLOPs) and 2 very large search engines (VLOSEs), which will be subject to a system of obligations and reinforced supervision in relation to the systemic risks they generate related to the dissemination of illegal content, fundamental rights, electoral processes, etc. public safety, gender-based violence, public health, or negative consequences on the physical and mental well-being of minors, particularly when they come from disinformation campaigns.

As designated Digital Services Coordinator, the CNMC will participate in the inaugural session of the European Digital Services Board (EBDS), which will be held on February 19 2024.

On January 15 2024, the European Commission confirmed the adequacy of the Swiss level of data protection.

The EU thereby recognises that Switzerland's legislation continues to provide an adequate level of protection for the processing of personal data.

Personal data from a member state of the European Union (EU) or the European Economic Area (EEA) can continue to be transferred to Switzerland without the need for additional guarantees to ensure an adequate level of data protection.

Switzerland has had an EU adequacy decision since 2000, but this was issued under the precursor directive to the General Data Protection Regulation (Directive 95/46/EC) and remained in force until the new EU decision was issued. The Commission's new adequacy decision confirms that Switzerland's new data protection legislation meets the applicable adequacy requirements of the GDPR. This is of great importance in terms of Switzerland's standing as a business location and in terms of its competitiveness.

Version française

Le 15 janvier 2024, la Commission européenne a confirmé le caractère adéquat du niveau suisse de protection des données.

L'UE reconnaît ainsi que la législation suisse continue d'assurer un niveau de protection adéquat pour le traitement des données à caractère personnel.

Les données personnelles provenant d'un État membre de l'Union européenne (UE) ou de l'Espace économique européen (EEE) peuvent continuer à être transférées vers la Suisse sans qu'il soit nécessaire de fournir des garanties supplémentaires pour garantir un niveau adéquat de protection des données.

La Suisse dispose d'une décision d'adéquation de l'UE depuis 2000, mais celle-ci a été émise dans le cadre de la directive précurseur du règlement général sur la protection des données (directive 95/46/CE) et est restée en vigueur jusqu'à la nouvelle décision de l'UE. La nouvelle décision d'adéquation de la Commission confirme que la nouvelle législation suisse en matière de protection des données répond aux exigences d'adéquation applicables du RGPD. Cela revêt une grande importance pour la position économique de la Suisse et pour sa compétitivité.

On January 31 2024, the Swiss Federal Council brought into force the legal basis for a new fund category, the L-QIF.

The Federal Council decided that the revision of the Collective Investment Schemes Act (CISA) and the amendment of the Collective Investment Schemes Ordinance (CISO) will enter into force on March 1 2024. These set out the legal basis for the limited qualified investor fund (L-QIF). The aim of the L-QIF is to contribute to strengthening the attractiveness and innovation capacity of the Swiss investment fund market.

The L-QIF was introduced as part of an amendment to the CISA decided by the Federal Parliament in December 2021. This is a new category of collective investment fund that will not be subject to authorisation or approval by the Swiss Financial Market Supervisory Authority (FINMA). The L-QIF will be reserved exclusively for qualified investors and must be administered by institutions subject to FINMA supervision.

The amendment to the OPCC establishes the implementing provisions relating to the L-QIF. It also revises various other points of the CISO and other ordinances, including the Financial Institutions Ordinance. These amendments are intended to implement a number of international standards, to keep pace with market developments and to increase legal certainty.

Version française

Le 31 janvier 2024, le Conseil fédéral suisse a mis en vigueur la base juridique d'une nouvelle catégorie de fonds, le L-QIF.

Le Conseil fédéral a décidé que la révision de la loi sur les placements collectifs (LPCC) et la modification de l'ordonnance sur les placements collectifs (OPCC) entreront en vigueur le 1er mars 2024. Celles-ci fixent la base juridique du fonds d'investisseur limité ( L-QIF). L'objectif du L-QIF est de contribuer au renforcement de l'attractivité et de la capacité d'innovation du marché suisse des fonds de placement.

Le L-QIF a été introduit dans le cadre d'une modification de la LPCC décidée par le Parlement fédéral en décembre 2021. Il s'agit d'une nouvelle catégorie de placements collectifs qui ne sera pas soumise à l'autorisation ou à l'approbation de l'Autorité fédérale de surveillance des marchés financiers (FINMA). ). Le L-QIF sera réservé exclusivement aux investisseurs qualifiés et devra être administré par des établissements soumis à la surveillance de la FINMA.

L’avenant à l’OPCC fixe les modalités d’application relatives au L-QIF. Elle révise également divers autres points du RSSI et d'autres ordonnances, dont l'ordonnance sur les institutions financières. Ces modifications visent à mettre en œuvre un certain nombre de normes internationales, à suivre l'évolution du marché et à accroître la sécurité juridique.

On January 23 2024, the Swiss Federal Council published a draft of the Federal Foreign Investment Review Act (FIRA).

The purpose of the investment review is to prevent acquisitions of Swiss companies by foreign investors if such acquisitions threaten or compromise the public order or security of Switzerland. In concrete terms, investors controlled by a foreign state who wish to acquire a Swiss company active in a particularly critical area will be required to submit an application for approval in advance. Particularly critical areas include, inter alia, military capital goods and assets that can be used for civilian and military purposes, electricity generation and grid operation, water supply, and health, telecommunications and transport infrastructure. Small businesses will be exempt from the regulations.

The focus is on state-controlled investors, as acquisitions that are purely entrepreneurial are in principle not problematic. Private investors seek to make the companies they buy prosper; They are generally not driven by destabilizing intentions or geopolitical interests. As a result, the risks posed by foreign private investors to public order or security appear to be relatively low. The outcome of the risk assessment is quite different when the acquisitions serve political objectives. It can therefore be assumed that public order or security may be more threatened or compromised when investors are controlled by a foreign state. This was also noted by several speakers during the parliamentary debates on Motion 18.3021 Rieder. It should be noted that the test for state control also includes private investors who are controlled directly or indirectly by a state.

The State Secretariat for Economic Affairs (SECO) will be responsible for implementing the investment review and coordinating with the relevant administrative units. The approval process will take place in two stages. Within one month, it will be decided whether the acquisition can be approved directly or whether a review procedure should be initiated. It will take a maximum of three additional months, if necessary, for the review procedure to be completed. The decision on whether or not to initiate an examination procedure will be taken by consensus between the administrative units participating in the procedure (i.e., SECO and the administrative units concerned). If the latter are of the opinion that an acquisition should be prohibited or are unable to reach an agreement at the end of a review procedure, it will be up to the Federal Council to decide.

With the adoption of Motion Rieder 18.3021 of February 26 2018 ("Protecting the Swiss economy by controlling investments"), Parliament instructed the Federal Council to create a legal basis for a foreign direct investment review mechanism. The proposed Federal Foreign Investment Review Act (FIRA) fulfills this mandate.

The Federal Council has ensured that the draft law is drafted in such a way as to preserve Switzerland's openness to foreign investors and its attractiveness for investment in general. The investment review is therefore intended to be focused, efficient and unbureaucratic. The Federal Council has also endeavoured to ensure the highest possible level of transparency, predictability and legal certainty, with clearly defined competences. Finally, the investment review mechanism is compatible with Switzerland's commitments under international law.

The Federal Council remains opposed to the introduction of an investment review, as it is of the opinion that the cost-benefit ratio is not advantageous and that the current regulatory framework is sufficient. It is not aware of any acquisitions that have posed a threat to Switzerland's public order or security in the past. For this reason, the Federal Council is not proposing that Parliament adopt this bill.

Version française

Le 23 janvier 2024, le Conseil fédéral suisse a publié un projet de loi fédérale sur l'examen des investissements étrangers (LIF).

L'objectif de l'examen des investissements est d'empêcher les acquisitions d'entreprises suisses par des investisseurs étrangers si de telles acquisitions menacent ou compromettent l'ordre public ou la sécurité de la Suisse. Concrètement, les investisseurs contrôlés par un Etat étranger qui souhaitent acquérir une entreprise suisse active dans un domaine particulièrement critique devront introduire au préalable une demande d'agrément. Les domaines particulièrement critiques comprennent, entre autres, les biens d’équipement et les actifs militaires pouvant être utilisés à des fins civiles et militaires, la production d’électricité et l’exploitation du réseau, l’approvisionnement en eau et les infrastructures de santé, de télécommunications et de transport. Les petites entreprises seront exemptées de la réglementation.

L'accent est mis sur les investisseurs contrôlés par l'État, car les acquisitions purement entrepreneuriales ne posent en principe pas de problème. Les investisseurs privés cherchent à faire prospérer les entreprises qu’ils achètent ; Ils ne sont généralement pas motivés par des intentions déstabilisatrices ou des intérêts géopolitiques. En conséquence, les risques que font peser les investisseurs privés étrangers sur l’ordre public ou la sécurité semblent relativement faibles. Le résultat de l’évaluation des risques est tout à fait différent lorsque les acquisitions servent des objectifs politiques. On peut donc supposer que l’ordre public ou la sécurité peuvent être davantage menacés ou compromis lorsque les investisseurs sont contrôlés par un État étranger. Cela a également été souligné par plusieurs intervenants lors des débats parlementaires sur la motion 18.3021 Rieder. Il convient de noter que le critère du contrôle étatique inclut également les investisseurs privés contrôlés directement ou indirectement par un État.

Le Secrétariat d'État à l'économie (SECO) sera responsable de la mise en œuvre de l'examen des investissements et de la coordination avec les unités administratives compétentes. Le processus d'approbation se déroulera en deux étapes. Dans un délai d'un mois, il sera décidé si l'acquisition peut être approuvée directement ou si une procédure de réexamen doit être engagée. Il faudra au maximum trois mois supplémentaires, si nécessaire, pour mener à bien la procédure de réexamen. La décision d'ouvrir ou non une procédure d'examen sera prise par consensus entre les unités administratives participant à la procédure (c'est-à-dire le SECO et les unités administratives concernées). Si ces derniers estiment qu'une acquisition doit être interdite ou ne parviennent pas à trouver un accord à l'issue d'une procédure de réexamen, il appartiendra au Conseil fédéral de trancher.

Avec l'adoption de la motion Rieder 18.3021 du 26 février 2018 (« Protéger l'économie suisse par le contrôle des investissements »), le Parlement a chargé le Conseil fédéral de créer une base juridique pour un mécanisme de contrôle des investissements directs étrangers. La proposition de loi fédérale sur l’examen des investissements étrangers (FIRA) remplit ce mandat.

Le Conseil fédéral a veillé à ce que le projet de loi soit rédigé de manière à préserver l'ouverture de la Suisse aux investisseurs étrangers et son attractivité pour les investissements en général. L’examen des investissements se veut donc ciblé, efficace et non bureaucratique. Le Conseil fédéral s'est également efforcé d'assurer le plus haut niveau possible de transparence, de prévisibilité et de sécurité juridique, avec des compétences clairement définies. Enfin, le mécanisme d'examen des investissements est compatible avec les engagements de la Suisse en vertu du droit international.

Le Conseil fédéral reste opposé à l'introduction d'un examen des investissements, estimant que le rapport coût/bénéfice n'est pas avantageux et que le cadre réglementaire actuel est suffisant. Elle n'a connaissance d'aucune acquisition ayant par le passé constitué une menace pour l'ordre public ou la sécurité de la Suisse. C'est pourquoi le Conseil fédéral ne propose pas au Parlement d'adopter ce projet de loi.

On January 31 2024, the United Kingdom published the Financial Services Act 2021 (Overseas Funds Regime and Recognition of Parts of Schemes) (Amendment and Modification) Regulations 2024.

These Regulations make amendments consequential on provision in the Financial Services Act 2021 (c. 22) for recognition of collective investment schemes authorised in approved countries. The Financial Services Act 2021 inserted a new section 271A into the Financial Services and Market Act 2000 (c. 8). The provisions amended refer to overseas schemes that are individually recognised under section 272 of the Act and the amendments add references to schemes recognised under section 271A of the Act. The amendments also refer to provisions contained in the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (S.I. 1975/1023), Rehabilitation of Offenders (Exceptions) Order (Northern Ireland) 1979 (S.R. & O. (N. I.) No. 1979 No. 195), Financial Services and Markets Act 2000 (Financial Promotion) Order 2005 (S.I. 2005/1529), Rehabilitation of Offenders Act 1974 (Exclusions and Exceptions) (Scotland) Order 2013 (S.S.I. 2013/50) and Regulation (EU) No 1286/2014 (EUR 2014/1286, as amended by S.I. 2019/403 (which was amended by S.I. 2020/1385)).

The Financial Services Act 2021 also made provision for recognition of parts of collective investment schemes under section 271A or 272 of the Act. 

The entry into force is foreseen for February 26 2024.

On January 29 2024, the United Kingdom published the Securitisation Regulations 2024.

These Regulations specify certain securitisation activities as “designated activities” for the purposes of the Financial Services and Markets Act 2000 (Part 5A) (c. 8) and confer powers on the Financial Conduct Authority (FCA) to make rules and give directions in relation to these activities. The activities are acting as an originator, sponsor, original lender or securitisation special purpose entity in a securitisation and selling a securitisation position to a retail client in the United Kingdom.

The Regulations specify the coherence of the overall framework for the regulation of securitisation as a matter to which the FCA and the Prudential Regulation Authority (PRA) must have regard when making rules relating to securitisation.

The Regulations also restate some provisions of Regulation (EU) 2017/2402 of December 12 2017 laying down a general framework for securitisation and creating a specific framework for simple, transparent and standardised securitisation (Securitisation Regulation), in some cases with modifications. The restated provisions are revoked by section 1(1) of, and Schedule 1 to, the Financial Services and Markets Act 2023 (c. 29) alongside the remainder of the Securitisation Regulation, related EU tertiary legislation and the Securitisation Regulations 2018 (S.I. 2018/1288). Most other provisions revoked are restated (where appropriate with modifications) in rules made by the FCA and the PRA.

Revoked provisions of the Securitisation Regulation restated in these Regulations, in some cases with modifications, include:

• Articles 10 to 15 (registration of securities repositories);
• Article 18 (use of the designation “simple, transparent and standardised securitisation” or “STS”);
• Article 27 (STS notification requirements) including the duty of the FCA to publish and maintain a list of STS securitisations;
• Article 28 (registration of third parties verifying STS compliance);
• Article 28A, which was inserted by the Financial Services and Markets Act 2023 (Treasury power to designate a country or territory in relation to securitisations).

The Regulations require the FCA and PRA to make rules setting out due-diligence requirements for certain institutional investors who are authorised persons and who are not trustees or managers of an occupational pension scheme. They also enable the FCA to make rules in relation to the holding of securitisation positions by small registered UK AIFMs.

The Regulations also restate, with some modifications, the existing duty of the FCA to monitor compliance and powers for the FCA and PRA to take enforcement action, including imposing disciplinary measures.

The Regulations contain savings relating to certain pre-2019 securitisations to which the Securitisation Regulation did not apply. The Regulations also contain provisions dealing with the transition from the existing law to the new provisions.

The following provisions come into force on January 30 2024:

• Part 1
• Part 2 (designated activities)
• regulation 8 (matters to which FCA and PRA must have regard when making rules relating to securitisation)
• regulation 13 (designation of country or territory in relation to securitisations), for the purpose only of enabling the Treasury to make regulations, and
• the remaining provisions, for the purposes only of enabling the FCA or the PRA: (i) to make rules, (ii) to give directions or guidance, or (iii) to issue statements of policy.

On January 16 2024, the Financial Conduct Authority (FCA) established an industry-led working group for financial advisers.

The new working group is focused on building capability in sustainable finance across the financial advice sector. The Personal Investment Management & Financial Advice Association (PIMFA) will provide the secretariat.

Following its publication in November last year of a package of measures to support the UK’s position as a world-leading, competitive centre for asset management and sustainable investment, the FCA is convening the group to support industry in advising consumers on products making claims about sustainability.

The FCA will sit as an active observer of the group and has asked that it be ready to report on how the advice sector can be supported in delivering good practice in the second half of 2024.

The chair will appoint the group’s membership from across the advice sector, including both small and larger industry participants. The working group will also engage with stakeholders outside of the group throughout its work to ensure a balanced representation of views, including those of consumers.

On January 24 2024, the Financial Stability Board (FSB) published its work programme for 2024.

The FSB’s work programme for 2024 aims to maximise the value of its work to foster global financial stability while preserving the capacity for the FSB to respond to new issues that may emerge. The FSB’s work priorities reflect the global nature of financial challenges and their ability to affect the financial system as a whole. These challenges include digitalisation, climate change, and the consequences of shifts in the macroeconomic and interest rate environment.

Priority areas of work include:

• Supporting global cooperation on financial stability: Vulnerabilities in the global financial system continue to be elevated, reflecting high interest rates and an uncertain growth outlook, while vulnerabilities from structural change continue to emerge in areas such as climate change, cyber and crypto-asset markets.
• Completing resolution reforms: The FSB will continue its work to promote the full implementation of the Key Attributes of Effective Resolution Regimes for Financial Institutions across all sectors.
• Enhancing the resilience of non-bank financial intermediation (NBFI): The NBFI sector has grown faster than the banking sector since the 2008 global financial crisis and has become more diverse. As a result, the importance of NBFI for the financing of the real economy has increased.
• Enhancing cross-border payments: The G20 Roadmap for enhancing cross-border payments, co-ordinated by the FSB, contains a comprehensive set of actions and a framework for monitoring progress toward achieving the quantitative targets that have been set for end-2027.
• Harnessing the benefits of digital innovation while containing its risks: Harnessing the benefits of digital innovation while containing its risks. Digitalisation is fundamentally changing the way finance works and the way the financial industry is organised. Harnessing the opportunities of digital innovation while containing associated risks is critical for financial stability and prosperity.
• Enhancing cyber and operational resilience: Greater interconnections in the financial system increase the surface area for cyber attacks, reinforcing the need to streamline incident reporting practices.
• Addressing financial risks from climate change: There is a growing focus on potential risks that climate change could pose to financial stability.

On January 30 2024, the International Organization of Securities Commissions (IOSCO) published an investment funds statistics report.

The Investment Funds Statistics Report (IFSR) is composed of survey submissions from IOSCO members and incorporates a broad range of market statistics to better understand and analyze the industry size, gross leverage, financial leverage, liquidity risk, and counterparty risk within hedge fund, open-ended fund, and closed-ended fund industries around the globe. The 2024 IFSR contains information from 28 IOSCO member jurisdictions for the 2022 reporting year and encompasses 99,722 funds representing USD 54.5T in global aggregate net asset value (NAV) and ~80% of the global investment funds industry.

The report contains data on qualified hedge funds (QHFs), open-ended funds (OEFs) and closed-ended funds (CEFs), though reporting for OEFs and CEFs is limited in certain jurisdictions. The report builds off the 2020 IOSCO Report on Hedge Funds and incorporates data for OEFs and CEFs from 2020 onwards. The data contains Form PF and N-PORT filings in the United States (US), as well as data reported under the Alternative Investment Funds Managers Directive (AIFMD) in the European Union (EU) and the United Kingdom (UK). Additionally, Luxembourg, Italy, Spain, and Belgium provided data on Undertakings for Collective Investment in Transferable Securities (UCITS).

On January 18 2024, the International Accounting Standards Board (IASB) published the interoperability considerations for greenhouse gas (GHG) emissions when applying GRI (Global Reporting Initiative) Standards and International Sustainability Standards Board (ISSB) Standards.

This document illustrates the areas of interoperability between GRI 305: Emissions 2016 (GRI 305) and IFRS S2 Climate-related Disclosures (IFRS S2) that a company should consider when measuring and disclosing Scope 1, Scope 2 and Scope 3 GHG emissions in accordance with both Standards.

This document is not a comprehensive assessment of the requirements in GRI 305 and IFRS S2. When applying GRI or ISSB Standards, preparers must refer to the GRI and ISSB Standards respectively, including their respective definitions of materiality.

According to the ISSB Standards, information is material if omitting, misstating or obscuring that information could reasonably be expected to influence investor decisions. ISSB Standards are focused on meeting the information needs of investors.

According to the GRI Standards set by the Global Sustainability Standards Board (GSSB), a topic is material when it represents an organisation’s most significant impacts on the economy, environment and people, including impacts on their human rights. GRI Standards are focused on meeting the information needs of stakeholders, including investors.

This document uses the 2016 version of GRI 305, which is currently under revision, and will be updated to reflect changes to GRI 305.