Banking & Fintech Newsletter – Issue no.1 (March 2019) Authors: Leonard Bonello, James Debono Published on March 7, 2019 In this issue: MFSA Issued a Circular on Banking Rule BR/14 Relating to Outsourcing to Cloud Service Providers The European Commission Adopts New List of Third Countries with Weak Anti-Money Laundering and Terrorist Financing Regimes ECB Will Directly Supervise 119 Banks in 2019 EBA/GL/2019/02 – Final Report on EBA Draft Guidelines on Outsourcing Arrangements EBA Issues a Call for Expressions of Interest to Participate in its Workshop Group on APIs Under PSD2 A Revised CBM Directive no. 1 MFSA issued a circular on Banking Rule BR/14 relating to outsourcing to cloud service providers On 4 February 2019, the MFSA issued a circular on Banking Rule BR/14 which circular notifies credit institutions of the inclusion of an Annex to the BR in relation to the outsourcing to cloud service providers. The amendments to the BR came into force with immediate effect. The MFSA issued another circular to notify Financial Institutions of the same. Basically the scope of the Annex is to implement the EBA Recommendations on Outsourcing to Cloud Service Providers (EBA/REC/2017/03) which were issued by the EBA on 20 December 2017 and applicable as of 1 July 2018. The Annex is a ‘copy and paste’ from the EBA Recommendations, pages 12 to 19. Circular to Credit Institutions Circular to Financial Institutions Annex 1 EBA Recommendation The European Commission adopts new list of third countries with weak anti-money laundering and terrorist financing regimes The Commission has a mandate to carry out an autonomous assessment and identify the high-risk third countries under the Fourth and Fifth Anti-Money Laundering Directives so as to safeguard the EU financial system by better preventing money laundering and terrorist financing risks. The country list would serve as an indication for credit institutions and other entities covered by EU anti-money laundering rules to apply increased due diligence checks on financial operations involving customers and institutions from these high-risk third countries. The Commission concluded that 23 countries have strategic deficiencies in their anti-money laundering/counter terrorist financing regimes. ECB will directly supervise 119 banks in 2019 The European Central Bank (ECB) reviews whether a credit institution or a group fulfils any of the significance criteria according to the SSM Regulation on at least an annual basis. This annual assessment includes credit institutions, financial holding companies and mixed financial holding companies established in the Euro area, as well as branches established in the Euro area by credit institutions based in other EU Member States. The number of significant institutions that have been directly supervised by the ECB from 1 January 2019 stands at 119 following the annual review of significance and ad-hoc assessments. The changes in significance statuses are the result of new group structures, license withdrawals, mergers and other developments. Several large banking groups have also relocated their activities to the Euro area. This has increased the overall complexity and size of directly supervised banks. ECB’s Press Release EBA/GL/2019/02 – Final Report on EBA Draft Guidelines on outsourcing arrangements The European Banking Authority (EBA) Guidelines will enter into force on 30 September 2019 and contain some transitional periods for implementing a register of all outsourcing arrangements and to agree on cooperation agreements between competent authorities or to reintegrate outsourced functions or move them to other service providers, if the requirements of the Guidelines cannot otherwise be met. The Committee of European Banking Supervisors (CEBS) guidelines on outsourcing of 14 December 2006 and the EBA recommendations on outsourcing to cloud service providers (EBA/REC/2017/03 – EBA Recommendations on Outsourcing to Cloud Service Providers) will be repealed with effect from 30 September 2019. The aim of the Guidelines is to establish a more harmonised framework for financial institutions, namely credit institutions and investment firms subject to the Capital Requirements Directive (CRD), as well as payment and electronic money institutions. In brief, the final guidelines inter alia: provide a clear definition of what is considered outsourcing; clarify the use of the term ‘critical or important functions’; specify the criteria to assess whether or not an outsourced activity, service, process or function (or part of it) is critical or important; deal with the responsibilities of the management body for the establishment of an appropriate framework for outsourcing, its implementation and application in a group, the due diligence process and risk assessment before entering in such arrangements; clarify aspects related to the contractual arrangements, the monitoring and documentation of outsourcing arrangements as well as the supervision by competent authorities; specify that the responsibility of the institution’s management body can never be outsourced; and set up a framework for the due diligence process of institutions with the objective of ensuring that functions are only outsourced to reliable service providers. Final Report on EBA Guidelines EBA issues a call for expressions of interest to participate in its working group on APIs under PSD2 The EBA launched a new working group on Application Programming Interfaces under PSD2 (WG-API) which group will be composed of EBA staff, national competent authorities and representatives of a variety of external stakeholders, and will be chaired by the EBA. The aim of the group is to identify issues that will emerge as the industry is preparing for the application date of the Regulatory Technical Standard (RTS) on strong customer authentication and common and secure communication under PSD2 (RTS on SCA&CSC), and for external stakeholders to propose solutions on how these issues could be resolved, which national authorities and the EBA can then consider. A revised CBM Directive no. 1 The CBM Directive no. 1 has been amended on the 29 January 2019. The significant changes, featuring in the Annexes to the same Directive relate inter alia to security incident reporting, fraud data reporting (including for e-money institutions), and complaint procedures. All the annexes are based on the guidelines published under Directive (EU) 2015/2366 (PSD II) by the European Banking Authority on the 13 October 2017. CBM Directive no. 1 Guidelines on Major Incident Reporting under the PSD2 Guidelines on Procedures for Complaints of Alleged Infringements of Directive (EU) 2015/2366 Guidelines on Fraud Reporting under PSD2 Go back