
FIG Top 5 at 5

Welcome to the latest edition of the FIG Top 5 at 5.


The Top 5 at 5 is a weekly update in which members of the Financial Institutions Group (FIG) identify five of the key legal and regulatory developments relevant to the financial services industry from the preceding week. Priority is given, in the first instance, to Irish-based developments but the update will also include important developments in European law and regulation.

The topics chosen are dictated by the developments during the relevant period but priority is given to cross-sectoral developments. The FIG Top 5 at 5 is not intended to represent all developments of note for the relevant period but rather a snapshot of some of the issues which we feel are of particular importance.

Should you have any queries in respect of the contents of the update, please do not hesitate to contact your usual Matheson LLP contact or any member of our team detailed below.

1. DORA Updates: CBI publish reporting templates for ICT incidents and cyber threats and Mandate of ESAs oversight forum is published

1. Central Bank publishes key documents for reporting major ICT incidents and significant cyber threats under DORA

On 14 January 2024, the Central Bank of Ireland (“Central Bank”) published two reporting templates (“Templates”) as regards the reporting of major ICT-related incidents and significant cyber threats under DORA as follows:

  1. the major ICT-related incidents reporting template; and
  2. the significant cyber threat reporting template.

Please note that these Templates were designed and published by the European Supervisory Authorities (“ESAs”) and will be used across the EU for the purposes of reporting.

This publication by the Central Bank is in anticipation of the 17 January 2025 application date of DORA, from which in-scope financial entities will be required to submit reports on major ICT-related incidents to the Central Bank together with reports on significant cyber threats. For more details on what the ESAs have said regarding the importance of financial entities being able to classify and report their major ICT-related incidents from the date of application, please see FIG Top 5 at 5 dated 5 December 2024.

Next Steps

The Central Bank has advised financial entities to be cognisant of the possibility that minor updates to the Templates may be made in the coming months.

The Central Bank has stated that a guide to submitting major ICT-related incidents and significant cyber threats reports to the Central Bank portal will be published on 16 January 2025. We will continue to monitor the Central Bank’s dedicated DORA webpage for developments and update accordingly.

2. Mandate of the oversight forum as a joint sub-committee of the ESAs under DORA is published

On 10 January 2025, the mandate (“Mandate”) of the oversight forum (“OF”) as a joint committee sub-committee of the European Supervisory Authorities (“ESAs”) was published.

The OF is established under article 32(4) of DORA to support the work of the Joint Committee (“JC”) and the Lead Overseer (“LO”) in the area of ICT third-party risks across the financial sector.

The Mandate states that the OF will be responsible for preparing the draft joint positions and the draft common acts of the JC in the area of digital operational resilience and more specifically the ICT third-party risk across financial sectors. Further, the OF is required to regularly discuss relevant developments regarding ICT risk and vulnerabilities and to promote a consistent approach in the monitoring of ICT third-party risk at an EU level.

Some further tasks specified by the Mandate include: 

  • the promotion of coordination measures to increase the digital operational resilience of financial entities, foster best practices on addressing ICT concentration risk and explore mitigants for cross-sector risk transfers;
  • discuss the draft strategic multi-annual plan prepared by the LO in agreement with the Joint Oversight Network; and
  • additional tasks in relation to DORA where necessary.

Next Steps

The Mandate will be subject to review, every two years, by the JC and subsequent approval by the ESAs’ Board of Supervisors. The Mandate will be amended to reflect any developments, as appropriate.

The Mandate will apply from 17 January 2025.

2. Central Bank submission date for annual PCF confirmation and CF certification 

As reported in last week’s FIG Top 5 at 5, in the final week of December 2024, the Central Bank of Ireland (“Central Bank”) issued its pre-approval controlled function (“PCF”) annual confirmation and controlled function (“CF”) certification guidance (“Guidance”).

The Guidance is to be used by Regulated Financial Service Providers and impacted holding companies regarding submitting the annual PCF Confirmation and CF Certification through the Central Bank’s Portal.

Notably, the Guidance did not specify a closing date for the Portal; however, we understand that the Central Bank has confirmed with firms directly that submissions can be made via the Portal until 31 March 2025. At this stage, it is unclear whether this 31 March deadline will apply to the PCF annual confirmation and CF certification process from 2026 onwards. However, we will advise should the Central Bank provide further updates in this regard.

3. Central Bank publishes its 2024 climate observatory 

On 14 January 2025, the Central Bank of Ireland (“Central Bank”) published its Climate Observatory 2024 (“Observatory”).

The Observatory provides an update on climate-related financial and non-financial metrics using a combination of internal analytics and external data sources. The aim of the Observatory is to act as an annual monitor of progress in relation to national decarbonisation and changes in financial sector climate risks.

Initially launched in 2023, the 2024 Observatory has been updated as follows:

  • a new section, part A, addresses global trends in the progression of climate change, mitigation and impact;
  • part B provides insights into climate risk for banks, insurers and funds using climate-aligned financial sector data. The Observatory notes that the financial sector plays an important role in delivering national climate targets and in the mitigation of climate risks. In accordance with the European Green Deal, this includes the financing of the technological transition to net zero emissions by 2050. However, the Central Bank also acknowledges that the financial sector faces risks due to climate change and the transition to net-zero. Some of the matters addressed in this section of the Observatory are as follows:
    • green mortgages;
    • the fact that 10% of business loans are exposed to flooding risk;
    • the high banking sector exposure to climate policy relevant sectors; and
    • physical risks in the insurance sector, noting that they are mainly non-domestic;
  • part C of the Observatory monitors progress and challenges as regards national decarbonisation; and
  • part D sets out an overview of the Central Bank’s own emissions stemming from operations and investment activities.

The Observatory also provides an overview of developments regarding:

  • national policy and sustainable finance;
  • trends in ESG terminology; and
  • the flood protection gap in Ireland. For more information on this please see FIG Top 5 at 5 dated 17 October 2024.

4. EBA publishes final report with guidelines on management of ESG risks under CRD VI

On 9 January 2025, the European Banking Authority (“EBA”) published its final report containing guidelines on the management of environmental, social and governance (“ESG”) risks (“Guidelines”).

The Guidelines stem from the EBA’s mandate under article 87a(5) of CRD IV (as amended by the CRD VI Directive) to issue guidelines on minimum standards and reference methodologies for the identification, measurement, management and monitoring of ESG risks by institutions.

The EBA consulted on a draft of the Guidelines in January 2024. For more information, please see FIG Top 5 at 5 dated 25 January 2024.

The Guidelines set out requirements for the internal processes and the ESG risk management arrangements that institutions should have in place in accordance with CRD VI. The aim of the Guidelines is to ensure the resilience of the business model and the risk profile of institutions in the short, medium and long term, including a time horizon of at least 10 years.

The Guidelines set out the content of plans that are to be prepared by institutions with regard to monitoring and addressing the financial risks stemming from ESG factors, including those arising from the adjustment process towards the objective of achieving climate neutrality in the EU by 2050.

Further matters addressed in the Guidelines include:

  • institutions should embed ESG risks in their regular processes including in the risk appetite, internal controls and the Internal Capital Adequacy Assessment Process;
  • institutions should monitor ESG risks through effective internal reporting frameworks and a range of backward and forward-looking ESG risk metrics and indicators; and
  • CRD-based plans should be consistent with transition plans prepared or disclosed by institutions under other pieces of EU legislation.

Next Steps

The Guidelines will apply from 11 January 2026 except for small and non-complex institutions, in respect of which the Guidelines will apply from 11 January 2027 at the latest.

5. EIOPA recommends that Bulgarian insurance supervisor review its supervisory processes for assessing solvency positions 

On 13 January 2025, the European Insurance and Occupational Pensions Authority (“EIOPA”) issued a recommendation (“Recommendations”) to Bulgaria’s Financial Supervision Commission (“FSC”) in relation to its supervisory processes for assessing solvency positions.

EIOPA’s Recommendations are on foot of a solvency verification carried out by the FSC of a Bulgarian reinsurance undertaking (the request to the FSC for a solvency verification arose on the signing of a reinsurance agreement between a ceding insurance undertaking and the Bulgarian reinsurance undertaking). EIOPA became involved following a request for a breach of Union law investigation under article 17 of the EIOPA Regulation. EIOPA’s findings and Recommendations detailed below, while addressed to the FSC, will be noted by National Competent Authorities throughout the European Union.

EIOPA’s findings

EIOPA found that:

  • the FSC’s review of the solvency simulation provided by the Bulgarian reinsurance undertaking was flawed;
  • the FSC did not properly fulfil its tasks in accordance with the requirements of the Solvency II Directive;
  • the FSC’s review was too superficial and did not reflect the due diligence expected from a supervisor when verifying the solvency of a supervised entity proportionate to the nature, scale and complexity of this situation;
  • supervisory authorities are required to question an undertaking’s assessments and challenge its conclusions and decision-making processes; and
  • time constraints do not diminish the responsibilities of supervisory authorities who are required to take action on a risk-based basis in view of protection of policyholders and beneficiaries.

EIOPA’s Recommendations

EIOPA have recommended that:

  • the FSC should revise its supervisory review process as regards the verification of the solvency position of insurance or reinsurance undertakings and groups to ensure, under a prospective and risk-based approach proportionate to the nature, scale and complexity of the undertaking, the compliance on a continuous basis with the Solvency II Directive’s solvency requirements;
  • given that the review of an insurance or reinsurance undertaking is a crucial task of every supervisor which cannot be based on a plain consistency check, the FSC should obtain adequate supporting evidence, where necessary; and
  • where information as to third parties is provided, the FSC should conduct a proper verification of the accuracy of that information on a risk-based basis proportionate to the nature, scale and complexity of the undertaking.

Next Steps

The FSC is required to confirm to EIOPA whether or not it intends to comply with the Recommendation, setting out any reasons for non-compliance, within two months after the issuance of the translated version of the Recommendation.


Meet Our Authors

Darren Maher, Partner
Joe Beashel, Partner
Elaine Long, Partner
Louise Dobbyn, Partner
Caroline Kearns, Partner
Ian O'Mara, Partner