The financial sector finds itself in the midst of two transitions – a green and a digital transition. These transitions can clash, but also reinforce each other, and are thus often referred to as the ‘twin transition’. Financial institutions have to strike a balance between the opportunities and risks that this twin transition presents. At the same time, legislatures and regulators worldwide are continuously issuing new rules and guidance that attempt to steer the transition. New developments occur in rapid succession, and the regulations to address these are not always tangible and may be lagging behind. Consequently, the financial sector is confronted with a task that is not to be underestimated.
1. ESG impact on risk, capital and governance
ESG developments increasingly impact risk, capital and governance requirements of financial institutions. The rules set by (prudential) authorities are not always concrete, but the urgency for financial institutions to act on these topics is evident. Existing governance and suitability requirements that apply to financial institutions are already interpreted by supervisors to include ESG aspects. Financial institutions are expected to take into account the good practices on environmental risk that have been identified with frontrunners in the financial sector. They need to determine their ESG strategy, assess and control any material ESG risks, make sure board members have sufficient ESG knowledge, and integrate ESG aspects into their capital management. Explaining the choices made by the financial institution while adhering to timelines set will play an important role in the coming years.
2. Discretion in transparency obligations
The Sustainable Finance Disclosure Regulation (SFDR) and Taxonomy Regulation have introduced transparency obligations for financial institutions. The European Commission has recently provided useful clarifications of certain SFDR concepts, including 'sustainable investments', 'principal adverse impact' (PAI) statements, and 'do no significant harm' (DNSH) disclosures, while affording flexibility to financial institutions in interpreting some of these concepts. Financial institutions will have to give substance to their assessments regarding the minimum requirements for the key parameters of their SFDR disclosures. Transparency of facts and figures as well as methodology is considered key in this respect. The financial sector is also looking ahead to the Corporate Sustainability Reporting Directive (CSRD), which is set to become applicable from 1 January 2024 for the first batch of companies. A recently published consultation for the European Sustainability Reporting Standards (ESRS) elaborates on the CSRD requirements.
3. Duty of care as tool to encourage sustainable investments
Sustainability (or broader: ESG) has been made an integral part of financial services through the duty of care. Changes in legislation have been made to ensure that sustainability is incorporated in the following steps of the customer journey: (1) the Product Approval and Review Process, (2) the Know-Your-Customer process and (3) the information to be provided at the pre-contractual and contractual stage. This is not without difficulties though. The regulatory duty of care for financial institutions is to ensure that financial institutions act in the best interest of their customer(s), whereas the ESG-rules have a different perspective: to ensure a more sustainable world. In this respect, it is noteworthy that the recently published Retail Investment Package, whose aim it is to make investing by retail investors easier and more accessible, does not mention sustainability as a relevant factor.
4. Green Bonds: a changing regulatory landscape
The market for green bonds has thus far been a self-regulated market in which the ICMA Green Bond Principles have been the market standard. The ICMA Green Bond Principles provide a framework setting out requirements regarding use of proceeds, process evaluation and selection, management of proceeds and reporting. The EU Green Bond Standard meanwhile is set to introduce a new (voluntary) regime for European green bonds. It shares certain similarities with the ICMA Principles, but there are also some significant differences, including the required alignment with the Taxonomy Regulation and the registration and supervision of external reviewers. Whether the market will keep using the ICMA Green Bond Principles, move to the 'golden standard' of the EU Green Bond Standard, or use both standards alongside each other remains to be seen, and the market seems to be divided in its outlook in this respect.
5. Data-driven supervision
Dutch financial supervisors have started collecting large amounts of data for data-driven supervision. Financial institutions are receiving formal requests from supervisors for large amounts of information. It is however uncertain whether there is a sufficient legal basis for these types of requests, raising the important issue of whether providing the requested information complies with data protection obligations applicable to the financial institutions. At the same time, there are legal developments providing supervisors with more and wider powers to obtain data from financial institutions and to share and combine these data with other supervisors, even though there are still few safeguards for the proper processing, storage and provision of data by regulators. This results in ever-growing tension between the necessity to collect and analyse data for AML, terrorist financing and fraud purposes on the one hand and on the other hand the requirement to protect personal data.
6. DORA: the road to 2025
A key part of the EU's digital finance package, the Digital Operational Resilience Act (DORA), becomes applicable from 17 January 2025. DORA aims to strengthen the management of ICT risks in the financial sector. It will apply to nearly all supervised financial institutions and captures all types of ICT risks (not only cyberthreats). Although ICT risk management is a familiar topic for most financial institutions, DORA adds to the existing regulations and harmonizes these across the EU financial sector. DORA imposes both 'internal' requirements (e.g. on governance, incident reporting and testing) and 'external' requirements (e.g. on ICT third party risks). We expect that a substantial part of the implementation efforts will have to be directed towards contracts with ICT service providers. Although the contractual standards introduced by DORA take inspiration from existing guidelines on (cloud) outsourcing, they are not identical. More importantly, DORA applies to all (existing and new) ICT contracts, whether they qualify as outsourcing or not. Consequently, in order to be compliant with DORA on 17 January 2025, there is no time to waste.
7. Preparing for MiCAR
MiCAR is set to create a new EU-wide regulatory regime for crypto-asset service providers (CASPs), with many similarities to the MiFID II regime for investment services. MiCAR will become applicable to CASPs from 30 December 2024. In the run-up to MiCAR's applicability, financial institutions may wish to consider whether they intend to provide services to CASPs covered by MiCAR (for instance custody services to the CASP or an end-client) or are interested in entering the market as a service provider themselves (e.g. by providing cryptocurrency brokerage services, operating a trading venue or offering a wallet). Obtaining an authorisation to provide such services as an already regulated financial institution requires careful preparation to ensure that such services are embedded in the current policies and procedures.
8. The rise of AI
AI is a hot topic in the financial sector for legislatures, regulators and financial institutions, especially due to the popularity of solutions like ChatGPT. Although the EU's AI Act is still in development, European and Dutch regulators point out that existing regulatory frameworks already introduce norms for financial institutions when they use and/or develop AI systems. In particular, financial institutions will have to safeguard sound and ethical business operations, but there are also more specific requirements on outsourcing and on the distribution of financial products and services (such as product approval requirements). The AI Act will create an additional framework for financial institutions that will also affect their governance and distribution chain of the financial products and services offered. The precise scope of the AI Act is however yet to become clear. EU legislative bodies are currently trying to reconcile their individual positions in 'trilogue' negotiations.