June, 2024

Dear LinkedIn community,

Did you know new regulations are coming that will impact how you use financial and crypto services? This month's newsletter dives into the recently adopted 6th AML package and explains what it means for you. Plus, we've got updates on AI and cybersecurity. Wondering how the new AML rules will affect crypto transactions? We've got you covered.

Read the full newsletter below to learn more about these important updates and how they might impact you.

P.S. Have any questions about the new regulations? Drop a question below and let us know!

??EBA reports on risks associated with virtual IBANs

In 2023/2024, the EBA conducted a fact-finding exercise on the use of virtual IBANs (vIBANs) by payment service providers (PSPs). The resulting report outlines the EBA's observations and highlights risks and challenges that vIBANs pose to consumers, financial institutions, national competent authorities (NCAs), and the integrity of the EU financial system. vIBANs have the same functionality and format as standard IBANs but are linked to a master account with its own IBAN. Despite potential benefits, the EBA identified 10 key risks, including regulatory inconsistencies, money laundering/terrorist financing risks, and lack of consumer protection. The report suggests actions for PSPs, co-legislators, and NCAs to mitigate these risks and includes an annex to help identify ML/TF risks.

The EBA noted that vIBANs serve various purposes and have different functionalities, allowing users to make and receive payments with third parties or for more limited uses. The EBA outlines six use cases where PSPs or their partners provide vIBANs to customers.

1. PSPs having a branch in a host Member State offer to customers vIBANs with the country code of that host Member State, while the master account it held and services from the home Member State;
2. PSPs partner with another PSP to offer vIBANs that have been issued by the partner PSP and the identifier is that of the partner PSP and the country code is that of the host Member State in which the partner PSP is authorized or has a branch;
3. PSPs partner with a bank to offer vIBANs that have been issued by the partner bank and the identifier is that of the bank, with the country code being that of the Member state in which both the institution and the partner bank are authorized;
4. Non-EU institutions offer to their non-EU customers vIBANs that are issued by a partner PSP and the identifier is that of the partner PSP, with the country code being that of the Member State in which the partner PSP is authorized;
5. Non-EU institutions offer to their customers worldwide vIBANs that are issued by a partner PSP and the identifier is that of the partner PSP, with the country code being that of the Member State in which the partner PSP is authorized;
6. PSPs offer vIBANs to companies managing payments on behalf of other group companies that allocate the vIBANs to other subsidiaries of the group.

The EBA also identified key risks and challenges associated with the use of vIBANs for institutions, competent authorities, and end users. These risks include, among others:

1. Divergent interpretations on the applicable AML/CFT regulatory framework in case of cross-border provision of vIBANs, leading to risks of AML/CFT supervisory gaps;
2. Unlevel playing field and regulatory arbitrage issues stemming from divergent interpretations across competent authorities on the way in which the SEPA Regulation and the ISO IBAN standard apply to vIBANs;
3. Risks for end users where they are not the master account holders and issues stemming from divergent interpretation across authorities about the qualification of the relevant payment services in these cases;
4. Risks of divergent categorization and reporting of payment transactions by PSPs under PSD2, where the vIBANs and the IBAN of the master account have different country codes;
5. Unlevel playing field on the application of the service ensuring verification of the payee, introduced by the EU’s Instant Payments Regulation, where the payee using a vIBAN is not the master account holder.

In addressing every risk identified above individually, the EBA suggests measures which PSPs and competent authorities may implement to mitigate such risks, including in respect of the risk set out in c) above by way of example, a recommendation for a clarification of the definition of a ‘payment account’ and whether the uses of vIBANs that are not the holder of the master account are considered to have a payment account within the meaning of PSD2.

More information

??????Basel Committee on Banking Supervision issues a report for Digitalization of finance

Technological innovation is revolutionizing banking services through expanded financial products, new tech suppliers, and enhanced risk management tools. The Basel Committee on Banking Supervision (BCBS) monitors these digital trends to address challenges and issue standards. Key points from the report include:

1. Key Technologies: The adoption of APIs, AI, ML, DLT, and cloud computing varies among banks, with cautious use of AI/ML but significant growth in cloud computing.
2. New Competitors and Business Models: Increased competition from fintechs and strategic partnerships are reshaping the banking landscape.
3. Risks: Digitalization introduces strategic, reputational, operational resilience, and system-wide risks, such as greater interconnection and potential contagion during stress.
4. Risk Mitigation: Banks are developing governance structures and risk management processes, though many strategies are still evolving and untested.
5. Regulatory Frameworks: Jurisdictions are expanding regulatory scopes and issuing specific guidance on digital banking, applying principles like "same risk, same activity, same regulation" to prevent regulatory arbitrage.
6. Human Judgment and Data: Despite advances, human oversight in risk management remains crucial, and data protection requires robust safeguards.
7. Coordination and Capacity Building: Effective communication and coordination among supervisors and banks, along with adequate resources and skilled staff, are essential for managing digitalization risks.

The BCBS will continue to monitor developments in digital finance and consider additional standards or guidance as needed.

More information

????The EBA publishes final draft technical standards under the Markets in Crypto-Assets Regulation

The European Banking Authority (EBA) published final draft regulatory technical standards (RTS) and draft implementing technical standards (ITS) relating to the authorization as issuer of asset-referenced tokens (ARTs), to the information for the assessment of acquisition of qualifying holdings in issuers of ARTs and to the procedure for the approval of white papers for ARTs issued by credit institutions under the Markets in Crypto-assets Regulation (MiCAR).

The scope of the authorization in the RTS has been amended to clarify that: a) the applicant issuer may only be a legal person or undertaking established in the EU, and b) whilst the issuance is not subject to authorization, which only covers the public offer or the admission to trading, an application may only be submitted by an applicant issuer, therefore only an issuer may be granted authorization.

The ITS set out the standard application letter and the application template and clarify the process relating to the assessment of completeness of the application by the competent authority.

Background: Regulation (EU) 2023/1114 on Markets in Crypto-assets establishes a regime for the regulation and supervision of crypto-asset issuance and crypto-asset service provision in the European Union (EU). The provisions relating to ARTs will be applicable from 30 June 2024.

More information

?? EU Commission delegated Regulations supplementing Markets in Crypto-Assets Regulation (MiCAR) were published in the official journal of EU

Publication in the Official Journal of EU means that it will come into effect on 19th of June.

These Regulations are:

• Criteria for classifying asset-referenced tokens (ARTs) and e-money tokens (EMTs) as significant. Press here
• The fees charged by the European Banking Authority (EBA) to issuers of significant ARTs and issuers of significant EMTs. Press here
• The procedural rules for the exercise of the power to impose fines or periodic penalty payments by the EBA on issuers of significant ARTs and issuers of significant EMTs. Press here
• The criteria and factors to be taken into account by the European Securities Markets Authority, the EBA and competent authorities in relation to their intervention powers. Press here

??The EBA will start collecting information on natural persons through its AML/CFT database, EuReCA

Starting from May 2024, supervisors across the EU will be able to report names of natural persons to EuReCA - the EU central database on AML and CFT of the European Banking Authority (EBA). With this step, the EBA will contribute to further strengthening the fight against money laundering (ML) and terrorist financing (TF) in the EU.

EuReCA contains information on serious AML/CFT deficiencies in individual financial institutions that have been identified by EU supervisors. It also contains information on the measures taken by supervisors to address those deficiencies.

If a serious deficiency or a measure is linked to a natural person, supervisors will be able to report this information to EuReCA. Supervisors can also report the name of a member of the management body or a key function holder in a financial institution.

More information

?? ESMA makes recommendations for more effective and attractive capital markets in the EU

The European Securities and Markets Authority (ESMA) has published its Position Paper on “Building more effective and attractive capital markets in the EU”. The Paper includes recommendations to strengthen EU capital markets and address the needs of European citizens and businesses.

Key proposals:

• EU citizens: Simple, cost-efficient investment options are crucial for empowering citizens to invest their savings in capital markets that serve their long-term needs. Key recommendations in this area include the development of basic long-term investment products and pension systems that are suitably incentivized. This should be complemented by efforts to improve financial education.
• EU companies: Diverse and sustainable financing options are critical for fueling growth and innovation in the EU, especially for SMEs. Key recommendations in this area include developing a conducive ecosystem for public companies and fostering pan-European markets while addressing barriers to integration, particularly for market infrastructures.
• EU regulation and supervision: EU capital markets must be agile to respond to evolving needs. Key recommendations to address this include modernization of the EU’s regulatory framework, to account for new tools such as effective forbearance powers. At the same time, supervisory consistency amongst EU supervisors should be prioritized, while further centralization of supervision at EU level should be evaluated.

More information

?European Council gives final green light to the first worldwide rules on AI

On May 21, 2024, the Council of the European Union announced that it approved the Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (further - the AI Act).

The new legislation follows a ‘risk-based’ approach, which means the higher the risk to cause harm to society, the stricter the rules.

The AI Act will apply to:

• providers placing on the market or putting into service artificial intelligence (AI) systems or placing on the market general-purpose AI (GPAI) models in the EU, irrespective of whether those providers are established or located within the EU or in a third country;
• deployers of AI systems that have their place of establishment or are located within the EU;
• providers and deployers of AI systems that have their place of establishment or are located in a third country, where the output produced by the AI system is used in the EU;
• importers and distributors of AI systems;
• product manufacturers placing on the market or putting into service an AI system together with their product and under their own name or trademark;
• authorized representatives of providers, which are not established in the EU; and
• affected persons in the EU.

The AI Act provides some exemptions, for example, the AI Act does not apply to AI systems placed on the market, put into service, or used with or without modification exclusively for military, defense or national security purposes, regardless of the type of entity carrying out those activities.

AI systems presenting only limited risk would be subject to very light transparency obligations, while high-risk AI systems would be authorized, but subject to a set of requirements and obligations to gain access to the EU market. AI systems such as, for example, cognitive behavioral manipulation and social scoring will be banned from the EU because their risk is deemed unacceptable. The law also prohibits the use of AI for predictive policing based on profiling and systems that use biometric data to categorize people according to specific categories such as race, religion, or sexual orientation.

The AI act also addresses the use of general-purpose AI (GPAI) models. GPAI models not posing systemic risks will be subject to some limited requirements, for example with regard to transparency, but those with systemic risks will have to comply with stricter rules.

The new regulation will apply 2 years after its entry into force, with some exceptions for specific provisions.

More information

??ESMA publishes report on MiFID II marketing requirements

ESMA, together with the National Competent Authorities (NCAs), found that globally, marketing communications (including advertisements) comply with MiFID II requirements, and investment firms generally have procedures in place to ensure compliance with MiFID II of marketing materials, including during their development. Some concerns were raised by NCAs regarding sustainability claims in marketing communications, including advertisements.

In the report, ESMA identifies several areas of improvements, such as the need for marketing communications to be clearly identifiable as such, and to contain a clear and balanced presentation of risks and benefits. In cases where products and services are marketed as having ‘zero cost’, they should also include references to any additional fees.

MiFID II marketing guidelines used to and continue to serve as guideline for crypto service advertisements until MiCAR comes into full force.

More information

More information

??DORA delegation Regulations published in the official Journal

On 30 May 2024, two Commission Delegated Regulations supplementing the Regulation on digital operational resilience for the financial sector (DORA) were published in the Official Journal of the EU. These delegated Regulations will come into force on 19 June 2024

Here they are:

1. Regulation specifying the criteria for the designation of ICT third-party service providers as critical for financial entities. Press here
2. Regulation determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid. Press here

ESMA issues a statement providing guidance for firms that use AI when providing investment services to retail clients

?? EU Council has adopted a 6th AML package

The 6th AML package contains the following:

• A Regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AML Regulation).
• A Regulation establishing the new EU authority for AML and Countering the Financing of Terrorism (AMLA Regulation).
• A Directive on the mechanisms to be put in place by Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLD6).

This package was first published in July 2021

Next steps

After the text will be published in EU Official journal it will come into force.

The AML Regulation will apply 3 years after it enters into force. Member States will have 2 years to transpose some parts of the AML Directive and 3 years for others. AMLA will be based in Frankfurt and will start operations in mid-2025.

More information