ESG and IT-Security regulation impacting AML/CFT compliance


EU adopts corporate due diligence rules relating to human rights and sustainability

The European Parliament on 24 April approved new corporate due diligence rules aimed at mitigating the negative impacts of businesses on human rights and the environment. The Corporate Sustainability Due Diligence Directive (CSDDD) requires EU and non-EU companies meeting certain turnover thresholds to address issues such as slavery, child labour, labour exploitation, biodiversity loss and pollution in their own and their business partners’ operations. Companies must integrate due diligence into their policies, seek contractual assurances from partners and adopt transition plans to align with the Paris Agreement's 1.5°C global warming limit.

The rules will eventually apply to all EU-based companies with more than 1,000 employees and a worldwide turnover of more than EUR 450 million. They will also apply to non-EU companies meeting the same thresholds within the EU.

Member states are required to provide detailed online information on the related obligations and to establish supervisory authorities to enforce compliance. Penalties for non-compliance include fines of up to 5 percent of net worldwide turnover and public naming and shaming. Companies will also be liable for damages and required to compensate victims. The directive, set to be implemented gradually from 2027 to 2029, will become law after formal endorsement by the Council and publication in the EU Official Journal. Although not currently of direct relevance to most investment funds, the new rules may be relevant to portfolio investments depending on the number of employees. Also, any infringements under the CSDDD will qualify as predicate crimes to money laundering.

Due diligence: MEPs adopt rules for firms on human rights and environment

BaFin reminds companies of obligations under EU’s new cyber-crime regulation amid growing number of attacks

Germany’s Federal Criminal Police Office (BKA) on 13 May published its Federal Cybercrime Situation Report for 2023, which showed a 28 percent increase in cyberattacks committed from abroad but causing damage in Germany compared to the previous year. The report also highlighted an industry survey indicating that cybercrime caused the German economy some EUR 148 billion in damages in 2023.

Earlier, BaFin on 12 April reminded German financial sector companies of the requirement to implement the EU’s new regulation to protect against cyber threats from next year. According to BaFin, more than 3,600 companies will be subject to the regulation. As an example of the threats faced, BaFin highlighted the cyberattack carried out in the summer of 2023 by the cyber gang Clop, which exploited weaknesses in the MOVEit data transfer program, causing thousands of companies to be affected by data breaches.

The EU Digital Operational Resilience Act (Regulation (EU) 2022/2554) (DORA) aims to enhance the operational resilience of the financial sector, including alternative investment funds (investment funds), by establishing uniform requirements for the security of network and information systems, enabling obliged entities to mitigate information and communication technology (ICT) risks and manage disruptions.

As with the AML/CFT regulatory framework, DORA places the ultimate responsibility for compliance on the management of the fund, requiring it to define, approve, oversee and remain accountable for the fund’s ICT risk management framework.

Compliance with DORA is expected by January 2025. Although it is only mandatory for fully licensed investment funds to meet all the requirements by 17 January 2025, smaller investment funds (registrierte KVG) should proactively undertake a mapping and gap analysis to define an implementation plan for DORA. This will help smaller funds to develop a realistic plan of action, ensuring that they will be able to meet the comprehensive requirements over time and be ready once the other requirements linked to the application of a full license become a priority.

DORA: the countdown has begun

In focus: Bundeslagebild Cybercrime 2023
