Author: Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

Final ESMA Guidelines on cloud outsourcing

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

At the end of December 2020, the European Securities and Markets Authority (ESMA) published its final report on its guidelines on outsourcing to cloud service providers (CSP). The purpose of the guidelines is to help firms identify, address and monitor the risks that may arise from their cloud outsourcing arrangements. Since the main risks associated with cloud outsourcing are similar across financial sectors, ESMA has considered the European Banking Authority (EBA) Guidelines on outsourcing arrangements, which have incorporated the EBA Recommendations on outsourcing to cloud services providers and the European Insurance and Occupational Pensions Authority (EIOPA) Guidelines on outsourcing to cloud service providers. This ensures consistency between the three sets of guidelines. The ESMA Guidelines on cloud outscoring apply to MiFID II firms such as investment firms and other financial services providers indirectly but they describe the market standard and set the supervisory framework for the National Competent Authorities (NCAs) in Europe such as the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin).

For the German jurisdiction, BaFin published guidance on outsourcing to cloud providers back in 2018. Please note that the amended MaRisk include outsourcing requirements for investment firms and other financial services providers and already reflect the EBA Guidelines on outsourcing, including cloud outsourcing. For more information on the MaRisk amendment, please see our previous Blogpost.

The guidelines in more detail

The following gives a brief overview of the main content of the ESMA cloud outsourcing guidelines.

  • Guideline 1: Governance, oversight and documentation

Firms should have a defined and up-to date cloud outsourcing strategy which should include, inter alia, a clear assignment of the responsibility for the documentation, management and control of cloud outsourcing arrangements, sufficient resources to ensure compliance with all legal requirements applicable to the firm’s outsourcing arrangements, a cloud outsourcing oversight function directly accountable to the management body and responsible for managing and overseeing the risk of cloud outsourcing arrangements, a (re)assessment of whether the cloud outsourcing arrangements concern critical or important functions as well as an updated register of information on all cloud outsourcing arrangements. For the outsourcing of critical or important functions, the ESMA guidelines include a detailed list of information which should be included in the register.

  • Guideline 2: Pre-outsourcing analysis and due diligence

ESMA provides information on what is required for the pre-outsourcing analysis (e.g. an assessment if the cloud outsourcing concerns a critical or important function). In the case of outsourcing of critical or important function, firms should conduct a comprehensive risk analysis and take into account benefits and costs of the cloud outsourcing and perform an evaluation of the suitability of the CSP.

  • Guideline 3: Key contractual elements

The guidelines provide a detailed list of what a written cloud outsourcing agreement should include in case of outsourcing of critical or important functions. Such agreements should include, inter alia, provisions regarding data protection, agreed service levels incident management, business continuity plans, termination rights and access and audit rights for the firm and its competent supervisory authority.

  • Guideline 4: Information security

Firms should set information security requirements in its internal policies and procedures and within the cloud outsourcing written agreement and monitor compliance with these requirements on an ongoing basis. In case of outsourcing of critical or important functions, additional requirements apply regarding information security organization, identity and access management, encryption and key management, operations and network security, application programming interfaces, business continuity and data location.

  • Guideline 5: Exit strategies

In case of outsourcing of critical or important functions, firms should develop and maintain exit strategies that ensure that the firm is able to exit the cloud outsourcing arrangement without undue disruption to its business activities and services to its client. Exit strategies should include comprehensive and documented exit plans, the identification of alternative solutions and provisions in the written outsourcing agreements that oblige the CSP to support orderly transfer of the outsourced function from the CSP to another CSP.

  • Guideline 6: Access and audit rights

Firms should ensure that the cloud outsourcing written agreement does not limit the firm´s and competent authority´s effective exercise of the access and audit rights on the CSP (see also Guideline 3). However, the Guideline also includes provisions aimed at reducing the organizational burden on the CSP and its clients when exercising access and audit rights: firm may use e.g. third-party certifications and external or internal audit reports made available by the CSP. However, in case of outsourcing of critical or important functions, the guidelines stipulate additional requirements that must be met in order to be able to rely on third party certifications or assessments.

  • Guideline 7: Sub-outsourcing

In case of sub-outsourcing, the firm should ensure that the CSP appropriately oversees the sub-outsourcer. In addition, ESMA provides information on the provisions that should be included in the written outsourcing agreement between the firm and the CSP in the case of sub-outsourcing critical or important function. This includes the remaining accountability of the CSP, a notification requirement for the CSP in case of any intended sub-outsourcing allowing the firm sufficient time to carry out a risk assessment of the proposed sub-outsourcer, the firm´s right to object to the intended sub-outsourcing and termination rights in case of such objection.

  • Guideline 8: Written notification to competent authorities

Firms should notify in writing its competent authority in a timely manner of planned cloud outsourcing arrangement that concern critical or important functions. The notification should include, inter alia, a description of the outsourced functions, a brief summary of the reasons why the outsourced function is considered critical or important and the individual or decision-making body in the firm that approved the cloud outsourcing arrangement.

What´s next?

In a next step, the guidelines will be translated in the official EU languages and published on the ESMA´s website. The publication of the translation will trigger a two-month period during which the national competent authorities must notify ESMA whether they comply or intend to comply with the guidelines (comply or explain mechanism). For the German jurisdiction, it is to be expected that BaFin will comply with the ESMA guidelines.

Brexit update on cross-border services: MiFID II requirements vs. reverse solicitation

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

The European Securities and Markets Authority (ESMA) has recently issued a public statement to remind firms of the MiFID II requirements on the provision of investment services to retail or professional clients by third-country firms. With the end of the UK transition period on December 2020, UK firms now qualify as third-country firms under the MiFID II regime. The third country status of the UK as of 2021 was explicitly confirmed by the German regulator BaFin in a recent publication.

Pursuant to MiFID II, EU Member States may require that a third-country firm intending to provide investment services to retail or to professional clients in its territory have to establish a branch in that Member State or may conduct business requiring a license on a cross-border basis, without having a presence in Germany (so-called notification procedure/EU Passport). However, according to MiFID II, where a retail or professional client established or situated in the EU initiates at its own exclusive initiative the provision of an investment service or activity by a third-country firm, the third country firm is not subject to the MiFID II requirement to establish a branch and to obtain a license (so-called reverse solicitation).

With the end of the UK transition period on December 2020, ESMA notes that some “questionable” practices by firms around reverse solicitation have emerged. For example, ESMA states that some firms appear to be trying to circumvent MiFID II requirements by including general clauses in their Terms of Business or by using online pop-up boxes whereby clients state that any transactions are executed in the exclusive initiative of the client.

With its public statement, ESMA aims to remind firms that pursuant to MiFID II, where a third-country firm solicits (potential) clients in the EU or promotes or advertises investment services in the EU, the investment service is not provided at the initiative of the client and, therefore, MiFID II requirements apply. Every communication means used (press release, advertising on internet, brochures, phone calls etc.) should be considered to determine if the client has been subject to any solicitation, promotion or advertising in the EU on the firm´s investment service or activities. Reverse solicitation only applies if the client actually initiates the provision of an investment service or activity, it does not apply if the investment firm “disguises” its own initiative as one of the client.

However, despite this seemingly rather strict approach of ESMA, reverse solicitation is generally still applicable if a (UK) third-country firm

  • only offers services at the sole initiative of the client,
  • (only) continues an already existing client relationship or
  • continues to inform its clients about its range of products within the scope of existing business relationships (which is often agreed upon in the client´s contract).

It is argued that, for example, in the case of an existing account or deposit or an existing loan agreement that a UK third country firm continues to provide to an EU client after Brexit, no direct marketing or solicitation of the client in the EU takes place. In this case, the third country firm would not have solicited the client.

In a nutshell: What UK firms should consider

The provision of investment services in the EU is subject to license requirements and can include the requirement to establish a branch or a subsidiary in the relevant EU member state. The provision of investment services without proper authorization exposes investment firms to administrative or criminal proceedings. Where a client established in the EU initiates at its own exclusive initiative the provision of an investment service by a third-country firm, such firm is not subject to the requirement to establish a branch or to obtain a license (reverse solicitation). Generally, reverse solicitation also applies when existing client relationships are continued (which have been legitimately established), as the investment firm would not solicit a client in this case.

ESMA update: Impact of Brexit on MiFID II/MiFIR and Benchmark Regulation

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

At the beginning of October 2020, the European Securities and Markets Authority (ESMA) has updated its previous statements from March and October 2019 on its approach to the application of key provisions of MiFID II/MiFIR and the Benchmark Regulation (BMR) in case of Brexit. As the EU-UK Withdrawal Agreement entered into force on February 2020 and the UK entered a transition period (during which EU law still applies in and to the UK) that will end on 31 December 2020, these statements needed to be revised.

This Blogpost highlights the updated ESMA approach on third-country trading venues regarding the post-trade transparency requirements (MIFID II/MiFIR) and the inclusion of third country UK benchmarks and administrators in the ESMA register of administrators and third country benchmarks (BMR).

MiFID II/MIFIR: Third-country trading venues and post-trade transparency The regulations of MiFID II/MiFIR provide for post-trade transparency requirements. EU investment firms which, for their own account or on behalf of clients, carry out transactions in certain financial instruments traded on a trading venue, are obliged to publish the volume, price and time of conclusion of the transaction. Such publication requirements serve the general transparency of the financial market. As ESMA has already stated in 2017, post-trade transparency obligations also apply where EU investment firms conduct transactions on a third country trading venue.

By the end of the transition period on 31 December 2020, UK trading venues will qualify as third country trading venues. Therefore, if an EU investment firm carries out transactions via a UK trading venue, it is, in general, subject to the MiFID II/MiFIR post-trade transparency obligations.

However, EU-investment firms would not be subject to the MiFID II/MiFIR post-trade transparency requirements if the relevant UK trading venue would already be subject to EU-comparable regulatory requirements itself. This would be the case if the trading venue would be subject to a licensing requirement and continuous monitoring and if a post-trade transparency regime would be provided for.

In June 2020, ESMA published a list of trading venues that meet these requirements. While the UK was a member of the EU and during the transition period, ESMA did not asses UK trading against those criteria. However, ESMA intends to perform such assessment of UK trading venues before the end of the transition period. Transactions executed by an EU investment firm on a UK trading venue that, after the ESMA assessment, would be included in the list, will not be subject to MiFID II/MiFIR post-trade transparency. In this case, sufficient transparency requirements would already be ensured by the comparable UK regime. However, any transactions conducted on UK trading venues not included in the ESMA list on EU-comparable trading venues will by the end of the transition period be subject to the MiFID II/MiFIR post-trade transparency rules.

BMR: ESMA register of administrators and third country benchmarks

Supervised EU-entities can only use a benchmark in the EU if it is provided by an EU administrator included in the ESMA register of administrators and third country benchmarks (ESMA Register) or by a third country administrator included in the ESMA Register. This is to ensure that all benchmarks used within the EU are subject to either the BMR Regulation or a comparable regulation.

So far, UK administrators qualified as EU administrators and have been included in the ESMA Register. After the Brexit transition period, UK administrators included in the ESMA register will be deleted as the BMR will by then no longer be applicable to UK administrators. UK administrators that were originally included in the ESMA Register as EU administrators, will after the Brexit transition period qualify as third country administrators. The BMR foresees different regimes for third country administrators to be included in the ESMA Register, being equivalence, recognition or endorsement.

“Equivalence” must be decided on by the European Commission. Such decision requires that the third country administrator is subject to a supervisory regime comparable to that of the BMR. So far, the European Commission has not yet issued any decision on the UK in this respect.  Until an equivalence decision is made by the European Commission, UK administrators therefore have (only) two options if they want their benchmarks eligible for being used in the EU: They/their benchmarks need to be recognized or need to be endorsed under the BMR.

Recognition of a third country administrator requires its compliance with essential provisions of the BMR. The endorsement of a third country benchmark by an administrator located in the EU is possible if the endorsing administrator has verified and is able to demonstrate on an on-going basis to its competent authority that the provision of the benchmark to be endorsed fulfils, on a mandatory or on a voluntary basis, requirements which are at least as stringent as the BMR requirements.

However, the BMR provides for a transitional period itself until 31 December 2021. A change of the ESMA Register would not have an effect on the ability of EU supervised entities to use the benchmarks provided by UK administrators. During the BMR transitional period, third country benchmarks can still be used by supervised entities in the EU if the benchmark is already used in the EU as a reference for e.g. financial instruments. Therefore, EU supervised entities can until 31 December 2021 use third country UK benchmarks even if they are not included in the ESMA Register. In the absence of an equivalence decision by the European Commission, UK administrators will have until the end of the BMR transitional period to apply for a recognition or endorsement in the EU, in order for the benchmarks provided by these UK administrators to be included in the ESMA Register again.

Brexit, still great uncertainty

Currently, the whole Brexit situation is fraught with great uncertainty due to the faltering political negotiations. The updated ESMA Statement contributes to legal certainty in that it clearly sets out the legal consequences that will arise at the end of the transition period. This is valuable information and guidelines for all affected market participants, who must prepare themselves in time for the end of the transition period and take appropriate internal precautions.

EBA´s New Role in Anti-money Laundering and Countering the Financing of Terrorism

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

At the turn of the year, there have been some new developments in anti-money laundering (AML) law at both German and EU level. Part 1 of our series dealt with the changes at German law resulting from the implementation of the Fifth EU Anti-Money Laundering Directive. Part 2 sheds some light on the European Banking Authority’s (EBA) new leading role in anti-money laundering and countering the financing of terrorism (CFT).

What is changing in the approach to AML/CFT?

In 2019, the EU legislator gave EBA a legal mandate to preventing the use of the financial system for the purposes of money laundering and terrorist financing and to leading, coordinating and monitoring the AML/CFT efforts of all EU financial service providers and competent authorities. The law implementing EBA´s new powers came into effect on 1 January 2020.

However, assigning EBA a leading role in AML/CFT will not change the EU´s general approach to AML/CFT, which remains based on a minimum harmonisation directive and an associated strong focus on national law and direct supervision of financial institutions by national competent authorities. This reduces the influence and the degree of convergence and consistency EBA´s work can achieve from the outset.

To the extent legally possible, EBA will use its new role to

  • lead the establishment of AML/CTF policy and support its effective implementation by competent authorities and financial institutions;
  • coordinate AML/CFT measures by fostering effective cooperation and information exchange between all relevant authorities;
  • monitor the implementation of EU AML/CFT standards to identify vulnerabilities in competent authorities´ approaches to AML/CFT supervision and to mitigate them before money laundering and financing of terrorism risks materialise.

How will EBA lead on AML/CFT?

To fulfill its new leading role, EBA will focus on two key point: developing an EU-wide AML/CFT policy and ensuring a consistent supervision by national competent authorities. EBA intends to develop such EU-wide AML/CFT policy through standards, guidelines or opinions where this is provided for in EU law as well as on its own initiative where it identifies, for example, gaps in competent authorities´ supervision. In 2020, EBA will be setting clear expectations on the components of an effective risk-based approach with targeted revisions to the core AML/CFT guidelines: the Risk Factors Guidelines and the Risk-Based Supervision Guidelines.

EBA intends to foster a consistent supervision by national competent authorities by assisting them through training, bilateral support and detailed bilateral feedback on their approach to the AML/CFT supervision of banks.

What will EBA do to coordinate?

To coordinate the European work against money laundering and terrorism financing, EBA will focus to coordinate national competent authorities´ AML/CFT supervision by fostering effective cooperation and information exchange. To achieve its goal, the EBA will set up a permanent internal AML/CFT standing committee (AMLSC). The AMLSC will bring together, inter alia, representatives of all AML/CFT competent authorities from Member States, along with representatives from ESMA and EIOPA, the Commission and the European Central Bank. Its main task will be to provide subject matter expertise. It will also serve as a forum to facilitate information exchange and ensure effective coordination and cooperation to achieve consistent outcomes in the EU’s work against money laundering and terrorism financing. The AMLSC has met for the first time in February 2020.

In addition to the AMLSC, EBA will create a new AML/CFT database. This database will not only contain information on AML/CFT weaknesses in individual financial institutions and measures taken by competent authorities to correct those shortcomings, but EBA will use it to meet wider AML/CFT information and data need to supports its objectives on AML/CFT work. EBA will draft two regulatory technical standards  that will specify the core information that competent authorities must submit to the date base and how EBA will analyse the obtained information and make it available to competent authorities.

What will EBA do to monitor?

One main tool for EBA to monitor the implementation of EU AML/CFT standards will be using information from the new database and to ask national competent authorities to take action if EBA has the indication that a financial institution´s approach to AML/CFT materially breaches EU law. EBA envisages to use this new tool proactively to ensure that AML/CFT risks are addressed by competent authorities and financial institutions in a timely and effective manner. This approach aims to rectify shortcomings at the level of financial institutions; they do not, however, serve to establish whether or not a competent authority may be in breach of Union law.

The difference EBA´s new role will make

As the national implementation of the Fifth European AML Directive and the EBA´s new leading role show, effective AML/CFT measures remain in the focus of the EU legislator, not least due to political developments (terrorist attacks in France, “Panama Papers” etc.). Market participants should prepare themselves for stricter audits by their competent national authorities on AML/CFT compliance. For example, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) has announced AML/CFT as one of its focuses of its supervisory practice for 2020. By assigning a leadership role to EBA, European efforts to prevent money laundering will in future be better coordinated, bundled and consistently implemented throughout the European financial market and therefore, hopefully, be more effective. However, we need to keep in mind that BaFin and subsequently also EBA are only part of the European and national AML regime. In Germany, for example, the FIU has a leading role in AML activities. An overview of the authorities involved can be found here.

Brexit Update: What Happened So Far

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

The last year of the old decade brought so many twists and turns on the subject of Brexit that one could easily lose track. Hence, our first blogpost of the new decade will shed some light on the current Brexit situation and the next steps currently planned by British and European politicians. As always, we will focus in particular on the effects on the financial market.

Current Situation: What Will Happen Now?

Since the British Parliament approved Johnson´s Brexit deal in December 2019, the UK will leave on 31 January 2020. An 11-month transition phase will then come into force: the UK will remain in the EU single market and the customs union until the end of 2020. During this period everything will remain mostly the same for the time being.

During the transition period, the EU and the UK will have to reorganise their relations with each other, with future economic relations as well as security and defence cooperation being key issues. First of all, a comprehensive Free Trade Agreement is to be concluded, which can above all prevent customs duties at the borders. But other economic areas, such as the financial market in particular, must also be regulated, either as part of the Free Trade Agreement (which would be unusual from a legal perspective) or through a separate agreement.

11 months are a short time and one may have doubts as to whether this time will be sufficient. The European Commission is already considering equivalence assessments for the financial market. However, there will be not ONE equivalent decision (see here) for an earlier analysis of the equivalence principle of the EU). There are currently around 40 equivalence areas which need to be assessed in each case. Most equivalence decisions provide for prudential benefits, some provide for burden reduction and some can lead to market access. There will also have to be close cooperation between the UK and EU financial supervisory authorities. During the assessment process the EU will look at UK legislation and supervision and will take a risk-based approach – as for all other third countries. This means that the higher the possible impact on the EU market, the more granular will the assessment be conducted. In case the UK will stick with the current EU regulation, this will be an easier task. But as soon as the UK will break new ground to make the UK financial market more attractive the impact on the equivalent status will need to be considered.

It can be assumed that the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdiensteistungsaufsicht – BaFin) and the other European financial supervisory authorities will monitor the negotiations regarding a financial market agreement very closely during the transition phase and will adapt and communicate their intentions for action accordingly.

To Be Continued

Although a hard Brexit has been avoided, there will still be uncertainties about future relations between the EU and the UK. Financial market participants should follow the negotiations between the EU and the UK closely and not rely on the fact that a financial market agreement can be concluded successfully in the short transition period.

ESAs publish joint report on regulatory sandboxes and innovation hubs – Part 1: Innovation hubs available for enquiries

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

On January 7th 2019, the European Supervisory Authorities (ESAs) (consisting of the European Securities and Markets Authority, the European Banking Authority and the European Insurance and Occupational Pension Authority) published as part of the European´s Commission FinTech Action Plan e a joint report on innovation facilitators (i.e. regulatory sandboxes and innovation hubs) available here . The report sets out a comparative analysis of the innovation facilitators established to date within the EU including the presentation of best practices for the design and operation of innovation facilitators.

We take the report as an occasion to present both innovation hubs and regulatory sandboxes in a two-part article. In Part 1 we will discuss what exactly innovation hubs are, what goals they pursue and how they are structured in Germany. Part 2 will then deal with the regulatory sandboxes.

Innovation hubs – What they are and what their goals are

It is often difficult for companies to obtain binding statements on regulatory requirements when a business model is still developing. Innovation hubs create a formal framework that considerably simplifies the exchange between innovators and supervisors, thereby promoting market access.

Innovation hubs provide a dedicated point of contact for firms to raise enquiries with competent authorities on Fin Tech-related issues to seek non-binding guidance on the conformity of innovative financial products, financial services, business models or delivery mechanisms with licensing or registration requirements and regulatory and supervisory expectations. In general, the innovation hubs are available to companies as a user interface at the relevant national authority. In Germany, the innovation hub is located at the Federal Financial Supervisory Authority (Bundesanstalt für FinanzdienstleistungsaufsichtBaFin) and is available here. A total of twenty-one EU Member States have established innovation hubs.[1]

Innovation hubs have been set up to enhance firms´ understanding of the regulatory and supervisory expectations regarding innovative business models, products and services. To achieve this goal, firms are provided with a contact point for asking questions of, and initiate dialogue with, competent authorities regarding the application of regulatory and supervisory requirements to innovative business models, financial products, services and delivery mechanisms. For example, the innovation hubs provide firms with non-binding guidance on the conformity of their proposed business model with regulatory requirements; specifically, whether or not the proposition would include regulated activities for which authorisation is required.

Who can participate and how does an innovation hub work exactly?

In the following, we explain which companies can participate in the innovation hubs and describe how exactly the communication between the companies and the innovation hub takes place.

Scope

The innovation hubs are open to all firms, whether incumbents or new entrants, regulated or unregulated which adopt or consider to adopt innovative products, services, business models or delivery mechanisms.

Communication process between firms and competent authorities

The following ESA graph illustrates the communication process between the firms and the competent authority using the innovation hub. The individual phases of the communication process are explained below. [2]

Submission of enquiries via interface

In order to submit enquiries, all innovation hubs set up in the EU Member States offer interested companies user interfaces through which contact can be established with the respective supervisory authority. This can be done e.g. by telephone or electronically, but also via online meetings or websites. Some innovation hubs also offer the possibility of organising physical meetings. In Germany, BaFin provides an electronic contact form in which both the company data and the planned business model can be presented and transmitted to BaFin. The contact form is available here.

Assigning the request to the relevant point of contact within the competent authority

As soon as the contact has been established and the request has been submitted, typically the authority conducts a screening process to determine how best to deal with the queries raised. In this process, the authority considers factors such as the nature of the query, its urgency and its complexity, including the need to refer the query to other authorities, such as data protection authorities.

Providing responses to the firms

Depending on the nature of the enquiries raised, several information exchanges between the firm and the competent authority may take place. Responses to firms may be routed to different channels such as meetings, telephone calls or email. Typically, the responses provided via the innovation hub are to be understood as preliminary guidance based solely on the facts established in the course of the communications between the firms and the competent authority. The companies can use the information gained to better understand the regulatory requirements for their planned business model and develop it further on this basis.

Follow-up actions

Some authorities offer follow-up actions within their innovation hubs. Especially if the communication process between the company and the authority shows that the business model of the company includes a regulated activity. In this case, some competent authorities may provide support within the authorisation process (e.g. dedicated point of contact, guidance on the completion of the application form).

Previous experiences on the use of innovation hubs

Although innovation hubs are available to all market participants, according to the ESA report, three categories of companies in particular use the innovation hubs: (i) start-ups, (ii) regulated entities that are already supervised by competent authorities and are considering innovation products or services and (iii) technology providers offering technical solutions to institutions active in the financial markets.

Typically, the firms use the innovation hub to seek information about the following: (i) whether or not a certain activity needs authorisation and, if so, information about the licensing process and the regulatory and supervisory obligations, (ii) whether or not anti-money laundering issues arise, and (iii) the applicability of consumer protection regulation and (iv) the application of regulatory and supervisory requirements (e.g. systems and controls).

Upshot

Innovation hubs provide companies with a good opportunity to interact with regulators via a user-friendly platform. They can therefore clarify the regulatory requirements for the products they plan to develop at an early stage and incorporate them into their business planning. By setting up innovation hubs, especially for young and dynamic (FinTech-) start-ups, the inhibition threshold to contact the supervisory authority is significantly lowered, especially because predefined user interfaces can be used.

[1] Austria, Belgium, Bulgaria, Cyprus, Germany, Denmark, Estonia, Spain, Finland, France, Hungary, Ireland, Iceland, Italy, Liechtenstein, Lithuania, Luxembourg, Latvia, Netherlands, Norway, Poland, Portugal, Romania, Sweden, UK.

[2] Source: ESA Report FinTech: Regulatory sandboxes and innovation hubs.

ESMA publishes Final Report on Guidelines on non-significant benchmarks – Part 2

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

On December 20, 2018 ESMA published its Final Report on the Guidelines on non-significant benchmarks. These represent ESMA´s administrative practice and fill the broad regulations of the Benchmark Regulation (BMR) with more details, which makes their implementation considerably easier for the obligated parties. The guidelines have no direct effect in the EU member states but are generally to be adopted one-by-one by the national supervisory authorities, so that they will be applied as the administrative practice of the respective national authority.

In Part 1 we looked at the definition of a non-significant benchmark (NSB) and the Guidelines on the oversight function and on input data. Part 2 will highlight the new requirements on the transparency of methodology and governance set out in the Guidelines.

Guidelines on transparency of methodology (Article 13 BMR)

Article 13 BMR states transparency requirements regarding the development, use and management of the benchmark by the administrator. To this end, Article 13 sets out standards with regard to the methodology for determining the benchmark. The Guidelines contain three sections: (i) on the key elements of the methodology; (ii) the elements of the internal review of the methodology; and (iii) on the information to be provided in case of a proposed material change to an administrator´s methodology.

The key elements of the methodology used to determine the benchmark should include, inter alia, a definition and description of the NSB and the market it is intended to measure, the types of input data used to determine the NSB, minimum requirements of the quality of the input data, the compositions of any panel of contributors and the criteria to determine eligibility for panel membership.

The information to be provided by an administrator of a NSB in compliance with the requirements regarding the internal review of the methodology should include at least a description of the policies and procedures relating to the internal review and approval of the methodology. In case of material changes of the methodology the information to be provided by an administrator should include at least the disclosure of the key elements of the methodology that would, in its view, be affected by the proposed material change.

Guidelines on governance and control requirements for supervised contributors (Article 16 BMR)

Article 16 BMR provides requirements for the governance and control of a supervised contributor. To this end, Article 16 sets out specific but broad requirements for the management of a contributor’s company and its systems, which serve to preserve the integrity and reliability of its input data. In addition, the Guidelines set out, inter alia, provisions on the control framework, control of submitters, the management of conflicts of interest and record-keeping requirements. All these elements are mentioned in Art. 16 BMR to ensure proper governance and control by the contributor but outlined in more detail in the Guidelines.

According to the Guidelines, the contributor´s control framework for example should include at least an effective oversight mechanism for overseeing the process for contributing input data, a policy on whistle-blowing and a procedure for detecting breaches of BMR. The measures for the management of conflicts of interest should include, inter alia, a register of material conflicts of interests. Additionally, the records to be kept with regard to the provision of input data should include, e.g., the names of the submitters.

Applicability of the Guidelines

As already mentioned in Part 1, NSB have less impact on markets than critical or significant benchmarks. Therefore, the BMR provides options for administrators of non-significant benchmarks not to apply some BMR provisions (Article 4 to 7, 11 and 13 to 15 BMR). However, an incentive to apply the provisions nonetheless may exist, for instance, the administrator does not have to maintain different internal structures and processes for its benchmarks if he administers mainly significant benchmarks.

Since some of the Guidelines concern regulations whose applicability the administrator can exclude, the Guidelines do not apply if the administrator has decided in a permissible manner not to apply the corresponding regulations. However, if the Guidelines concern regulations from which the administrator may not deviate or if he has decided not to make use of the simplifications, the Guidelines shall apply.

ESMA publishes Final Report on Guidelines on non-significant benchmarks – Part 1

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

What does the European Securities and Markets Authority (ESMA) regulate in the newest Guidelines on benchmarks? When is a benchmark not significant? The following article will answer these questions and more.

The regulation of benchmarks

Since January 2018, the administration, provision and use of benchmarks has been regulated by the Regulation (EU) 2016/1011 on indices used as benchmark in financial instruments and financial contracts or to measure the performance of investment funds (BMR). The BMR introduces a regime for benchmark administrators, contributors and users that ensures the accuracy and integrity of benchmarks so that they are robust, reliable, representative and suitable for the intended use by establishing rules for administrators, contributors and users of critical, significant and non-significant benchmarks. We already shared this blog post on November 22, 2018 on emergency plans, which are also part of the BMR´s regulatory regime.

ESMA Guidelines on non-significant benchmarks

On December 20, 2018, ESMA published its Final Report on the Guidelines for non-significant benchmarks (NSB) (available here), which refers to the provisions in Article 5, 11, 13 and 16 BMR. This was preceded by the consultation of the Guidelines in September 2017. The Guidelines serve to concretise the provisions of Article 5, 11, 13 and 16 BMR and provide more detailed input on how the BMR’s provisions are to be implemented, thus ultimately present ESMA’s supervisory practice.

Non-significant benchmarks

NSB are benchmarks that are neither critical nor significant. A benchmark is considered critical if it serves as a reference basis for financial instruments or contracts with a total value of at least €500 billion. A benchmark is also critical if its sudden disappearance could have considerable negative effects on the stability of the markets. Significant benchmarks are those that are used as a reference basis for financial instruments or contracts with a total value of at least €50 billion. For critical and significant benchmarks, ESMA published Draft technical standards (RTS) under the Benchmark Regulation on March 30, 2017. They were published in the Official Journal of the European Union on November 5, 2018 . Since the RTS are issued as a regulation, they apply directly in the EU member states. However, for non-significant benchmarks, ESMA is mandated to prepare Guidelines which are not directly binding in the EU member states, but are generally adopted one-to-one by the respective national supervisory authority, thus they become part of its administrative practice. If the guidelines were not to be adopted, the national supervisory authorities must announce this publicly.

The Guidelines on non-significant benchmarks set out details for four areas of the BMR: the oversight function (article 5 BMR); input data (Article 11 BMR); the transparency of methodology (Article 13 BMR); and the requirements for the governance of supervised contributors (Article 16 BMR). As a result, the broad rules of the BMR are filled in with more details that make their implementation considerably easier for the obligated parties.

In Part 1, we will look at the Guidelines on the oversight function and on input data. Part 2 will highlight the Guidelines on the transparency of methodology and the governance requirements.

Guidelines on procedures and characteristics of the oversight function (Article 5 BMR)

Article 5 BMR sets out the oversight requirements that each administrator must maintain to ensure that all aspects of the provision of its benchmarks are monitored. The Guidelines on Article 5 BMR contain different sections on the composition of the oversight function, on its internal positioning and on procedures that should govern the oversight function, as well as a non-exhaustive list of governance arrangements.

For example, the Guidelines require that the oversight function should be composed of one or more members who together have the skills and expertise appropriate to the oversight of the provision of a particular benchmark and to the responsibilities the oversight function is required to fulfill. Administrators should also consider including, as members of the oversight function, representatives from trading venues. To ensure that no conflicts of interests intervene, persons directly involved in the provision of the NSB that may be members of the oversight function should have no voting-rights. Representatives of the management body should not be members or observers of the oversight function but may be invited to attend meetings by the oversight function in a non-voting capacity.

The oversight function should constitute a part of the organisational structure of the administrator, but needs to be established separately from the management body and other governance functions. Additionally, the oversight function should have its own procedures, for example, in relation to the criteria for member selection, the election, nomination and replacement of its members and access to the documentation necessary to carry out its duties.

Guidelines on input data (Article 11 BMR)

Article 11 BMR regulates the requirements for input data provided for the determination of the benchmark. Input data is the data used to determine the benchmark and relates to the value of an underlying asset. This may include, for example, real time transaction data of the respective underlying asset.

The Guidelines contain two sections on ensuring appropriate and verifiable input data and the internal oversight and verifications procedures of a contributor to a NSB.

In order to ensure that the input data used for a benchmark is appropriate and verifiable, the administrator should have available all information necessary to check whether the submitter is authorised to contribute the input data on behalf of the contributor in accordance with Article 25 of BMR, whether the input data is provided by the contributor within the time-period prescribed by the administrator and whether the input data meets the requirements set out in the methodology of the benchmark.

The internal oversight and verification procedures of a contributor that the administrator of a NSB ensures should include procedures governing, inter alia, requested communication of information to the administrator and three levels of control functions. The first level of control should be responsible for, inter alia, the effective checking of input data prior to its contribution and the submitter´s authorisations to submit input data on behalf of the contributor. The second level of control should be responsible for establishing and maintaining whistle-blowing procedures and internal reporting of any attempt or actual manipulation of input data. The third level of control should be responsible for performing checks on the controls exercised by the other two control functions. Therefore it must be independent from the first and second control level.

Applicability of the Guidelines

As NSB have less impact on markets than critical or significant benchmarks, Article 26 BMR provides for numerous simplifications for administrators with regard to NSB. Administrators may decide not to apply some of the provisions of Article 4 to 7, 11, and 13 to 15 BMR. However, an incentive to apply the regulations may be, for example, that the administrator does not have to maintain different internal structures and processes for its benchmarks. It is not necessary to constantly check whether the NSB exceeds the threshold that makes it a significant benchmark if the requirements of a significant benchmark are consistently met.

Since some of the Guidelines concern regulations whose applicability the administrator can exclude according to Article 26 BMR, the Guidelines do not apply if the administrator has decided in a permissible manner not to apply the corresponding regulations. However, if the Guidelines concern regulations from which the administrator may not deviate or if he has decided not to make use of the simplifications in Article 26 BMR, the Guidelines shall apply.

 

Why equivalence is not the easy solution for Brexit

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

When reading the news, one cannot deny that a hard Brexit may well be looming. While we all hope that a political solution will be agreed upon in the end, it still makes sense to discuss legal possibilities that might soften the impact if no agreement can be reached.

When it comes to the UK’s loss of access to the European single market, the “equivalence solution” is almost automatically mentioned as a solution for the financial market. But what exactly does equivalence entail? And does it really represent a viable way for the UK and the EU in case of a hard Brexit? In this post we will provide an overview of the current equivalence regime within the European regulation.

In the event of a hard Brexit, the UK will lose access to the European single market overnight and will become a third country under European law. The solution for maintaining access to the European single market could be the so-called equivalence solution. This would allow companies established in third countries to gain access to the European single market, even if no bilateral agreement is concluded in time between the UK and the EU, which seems likely at the moment. The prerequisite is that the third country’s legal and supervisory standards would need to be recognised by the EU as equivalent to the European regulations. UK banking and financial services providers and fund managers would thus continue to have access to the European single market if the EU recognises the British legal and supervisory standard in the financial sector as equivalent to that of the EU. Since the UK currently applies EU regulations, this should at a first glance be a no-brainer.

However, the European legislator does not provide market access for third countries in all areas of banking and financial services easily through regulation. Specific third country rules are contained, for example, in:

  • the European Financial Markets Regulation (MiFIR);
  • the Second Financial Instruments Directive (MiFID II);
  • the Regulation on OTC derivatives, central counterparties and trade repositories (EMIR); and
  • the Directive on Alternative Investment Fund Managers (AIFMD).

In the Fourth Capital Requirements Directive (CRD IV), the Second Payment Services Directive (PSD II) and the UCITS Directive, the European legislator has not stipulated third country rules. In these contexts, access to the European single market through recognition of the equivalence of the supervisory regime is not currently possible. In the areas of the concerned financial services sectors (i.e. credit institutions, payment institutions and the management of UCITS), the UK would therefore be dependent on a bilateral agreement with the EU in any case in order to keep (or regain) access to the European single market.

In those areas where third country rules are provided for, the recognition procedure and the number of third countries recognised as equivalent differ.

For example, under EMIR, the following applies: If a Central Counterparty (CCP) established in a third country wishes to provide clearing services to clearing members or trading venues established in the EU, it may do so only if it has previously been recognised by the European Securities and Markets Authority (ESMA). For this purpose, the CCP must submit an application to ESMA. The latter may only recognise a CCP from a third country if the EU Commission has recognised the legal and supervisory mechanism of the third country as equivalent to that of the EU, and provided that the CCP is authorised in its home country and is subject to effective supervision and enforcement in that country. Moreover, it is required that ESMA has concluded a cooperation agreement with the local supervisory authorities which, for example, simplifies the exchange of information and the home country of the CCP must have an equivalent system for combating money laundering and terrorist financing. If these conditions are no longer met, ESMA may withdraw recognition from the CCP.

CCPs currently recognised by ESMA are located in Australia, Hong Kong, Japan, Singapore, South Africa, Canada, Mexico, Switzerland, South Korea, USA, UAE, India, Dubai International Financial Centre, Brazil and New Zealand.

The recognition procedure for trading venues under MiFIR is slightly different. It is not the trading venue for derivatives itself that can apply for equivalence. Rather, the EU may, at its own discretion and in cooperation with ESMA and the member states, issue a resolution recognising the legal and supervisory framework of a third country as equivalent to that of the EU. Before issuing a resolution, the member states must approve equivalence. The recognition of the equivalence of a third country in the area of MiFIR requires that: (i) the trading venues are admitted in their home country and are subject to effective and continuous supervision and enforcement; (ii) the trading venue has transparent admission rules; (iii) the issuers are subject to regular information obligations which guarantee a high level of investor protection and (iv) rules against market abuse in the form of insider dealing and market manipulation are in place.

So far, the EU has only recognised the USA as an equivalent third country under MiFIR. Under MiFID II, however, the EU has recognised four countries providing trading venues for other financial products (such as listed shares) as equivalent to EU venues: USA, Australia, Hong Kong and Switzerland (the recognition of Switzerland is limited to one year until 31 December 2018 but may be extended if there is sufficient progress on a common institutional framework).

This shows that even if the UK is recognised by the EU as a third country with equivalent regulatory standards, this is far from resolving all the difficulties.

On the one hand, the UK would actually have to maintain its current regulatory and supervisory standards and adapt to those of the EU in the future; a substantial deregulation is thus ruled out. A comparatively minor problem, on the other hand, is that the recognition of equivalence by the EU may well take some time. The UK’s supervisory standard currently corresponds to that of the EU, so if it were to be maintained after Brexit, there would at least be no legal grounds against swift recognition. However, much more serious for the UK, would be that as a third country they would no longer be able to influence the European legal and supervisory standards for lack of voting rights; they would be referred to the role of a “rule-taker”.

Therefore, it remains questionable whether recognition as an equivalent third country is really a good solution for the UK. The alternative would be one or more bilateral agreement(s) with a dispute settlement mechanism. In any event, the advantage of such an agreement would be that it would be negotiated by both sides and would not refer the UK to the passive role of an equivalent third country.