Financial industry stakeholders continue to face five-sigma events: the 2007-2008 financial crisis and its regulatory wave, COVID-19, and the Russian invasion of Ukraine and its pressure on the supply chain, inflation, and talent scarcity. As the relentless pace of regulatory publications briefly slowed during the summer break, Deloitte took stock of the challenges ahead.
First, the financial sector has experienced a full regulatory cycle since the 2007-2008 crisis, from initiation to application. This cycle will be reviewed from this year until 2025/2026.
Alongside this review, the ESG and sustainability agenda will also be a major topic over the next 2 years. In the next 12 months, the Sustainable Finance Disclosure Regulation (SFDR) and EU Taxonomy will fully apply. They are followed by publications on the principal adverse impacts by June 2023, quickly followed by Corporate Sustainability Reporting Directive (CSRD) reporting from 2024 for larger institutions.
In parallel, Deloitte has observed two other major trends. The first is the review of the AML-CFT framework and the creation of an unprecedented review of the EU sanctioning regime. These texts, currently under discussion by EU institutions, will lead to substantial operational challenges, including compliance with requirements pushed by the new EU-level authority (AMLA) alongside the EBA. The establishment of AMLA will increase the spotlight on the most exposed financial institutions (notably those with more cross-border activities and, consequently, perceived as being of higher AML risk), which will be put under its direct supervision.
The second regulatory trend, and probably the whale in the ocean, is digital regulation.
From a practical and business perspective, these regulatory trends can be split into two camps:
From previous experience, the biggest regulatory challenges do not arise from known-unknown areas but unknown-unknown ones, delivering unanticipated change and maximum disruption.
ESG adaptations are unknown-unknown, potentially transforming products, services and behaviors. However, while these changes are complex to introduce, there is a widespread understanding of the challenges.
Instead, we anticipate the most disruptive risks and opportunities to arise from digitalization. It will not only revolutionize the way services are provided, but also create an entirely new regulatory playground for cryptoassets, payments, data, and artificial intelligence. Existing challenges could be tackled with new solutions and current business models disrupted by new ones.
Of the upcoming EU regulations, digitalization will have the biggest and most far-reaching impact, from client interactions to the governance or operations of financial institutions. This challenge is compounded by the pace of these texts, materializing over the next 36 to 48 months.
Consequently, banks, asset managers, insurers and all financial intermediaries should stand ready and consider how they will tackle these systemic changes looming right around the corner.
A digital regulatory milestone was the “MiFID quick fix” of February 2022, imposing a “digital first, paper second” approach to client communications. This was the first client engagement rule to formally abandon paper since EU regulations began.
Encouraged by this small step, and to stay competitive on a global market, EU legislators jumped on the digitalization train with accelerating speed and came up with several transformative legislative acts that will apply starting next year: the Distributed Ledger Technology (DLT) Pilot Regime, the Digital Operational Resilience Act (DORA), and the Markets in Crypto-assets (MiCA) Regulation.
These regulations will help create a fully digital asset universe, from traditional financial instruments that can be issued and governance rules in excess circulated by means of the current General Data Protection Regulation (GDPR), digital platforms and DLT (DLT PR) to issuers of crypto assets and crypto-asset service providers (CASPs). Then all players can finally function in a regulated environment that will provide much-needed legal certainty (MiCA) and be immersed in a secured and resilient cyber environment (DORA).
Another milestone recently introduced by EU legislators is a new regulation aiming to modernize EU payments by obliging payment service providers to offer mandatory instant payment services. This will complete the EU framework for payments and help make instant payments mainstream on a pan-EU basis, as already seen under the Payment Services Directive (PSD2). The regulation is also in line with ECB instant payment evolution, which further enables this project.
Together with the upcoming Artificial Intelligence Act (AI) and machine learning (ML) regulations and strategies, these rules will profoundly transform the financial markets as we know them and announce a new digital future.
Regulatory adoption will be layered, as with all new technologies, and reluctance has a disruptive potential. First, financial services will increasingly be offered digitally. Then, the market will need to adapt to the demand for digital assets, and forward-thinking financial institutions could reap rewards by moving first. As these digital solutions mature, they will spread to payments, trading and loans, and then to financial institutions’ own structures.
It will take time, but the DLT and its sub-category better known as “blockchain” will eventually become mainstream, especially once we have central bank digital currencies (CBDCs) that will allow a complete financial ecosystem to fully function in a digital way.
Financial institutions may ask why these digital regulations are important to them and their clients.
First, society is increasingly embracing digitalization in all aspects of life, largely thanks to smartphones, and finance is no longer immune. Second, digital technology is sufficiently advanced, robust and available to allow new players to enter the game, and banks need to stay competitive amongst digitally mature peers. Finally, an EU-wide regulatory regime will soon apply, bringing eagerly anticipated legal certainty and potential for economy of scale.
Therefore, we advise financial institutions to confront these challenges and take the lead, or risk their clients jumping ship to a competitor’s digital alternative.
A successful digital journey begins by understanding what is coming, designing a response, and implementing it on time and with enthusiasm. You can embrace this challenge by contemplating your digital strategy, what products and services to provide and how digital assets interact with your existing strategy and the role you would like to play in the ecosystem.
With this in mind, let’s look at the upcoming digital regulations in order of appearance.
It is vital to look beyond the DLT Pilot regime’s go-live deadline of 23 March 2023. This regulation is a canary in a coal mine, allowing the issuance, trading and post-trading of fully digitalized financial instruments issued through this new technology. One can imagine that, as a start, the regime will act alongside the traditional market infrastructures and will have its own processes, as custodian, private or retail bank intervention is not foreseen. In theory, an issuer could create shares, make them accessible via a DLT platform, and allow for trading and custody on this platform with direct retail access.
Let’s imagine 2028, where the DLT Pilot’s size constraints are removed (currently it’s limited to illiquid instruments). A big EU issuer can offer shares to any investor on a trading facility run by an authorized party without an intermediary, by putting investors in contact via its open DLT. Tokenized assets, for AML and security purposes, might be traded versus CBDCs held in ECB accounts at a later stage.
While the DLT Pilot impacts entities in the investment value chain, DORA will directly affect all stakeholders in the financial world, barring a few exceptions.
DORA aims to ensure DLT and MiCA can work efficiently in a safe and protected environment, from a cyber and IT security perspective. It is a pan-EU safety net that allows the digitalization of finance based on common rules and streamlined processes across all EU entities. DORA requires third-party IT providers to have an EU physical presence, so that responsible bodies can regulate and supervise them.
Therefore, for large firms, DORA will be akin to the introduction of MiFID I. While these firms already have cyber-resilience, efficient processes, a head of cyber/IT, and governance, they may not be DORA-compliant. Therefore, firms may need to thoroughly review their existing framework’s adequacy to comply.
Smaller institutions will need to adapt to this new cyber and resilience world, for example, by designing and setting up IT and cyber capacities, building Threat Intelligence-led Penetration Testing, defining high-level compliance and governance, investing in training, and becoming audit ready.
DORA will be published later in 2022 with a go-live date of 24 months. However, given the stakes, firms should ready themselves earlier rather than later.
If you’ve heard of MiFID, you might already know what to expect from MiCA. MiCA, no doubt, is inspired by MiFID rules regarding licensing, organization, governance and client relationships and will be a complex and enjoyable ride to implement.
Specifically, MiCA addresses crypto assets that currently fall outside the scope of financial services legislation (whether the DLT Pilot or MiFID). These crypto assets exchange digital utility tokens forward and are further clustered by MiCA into three sub-categories: so-called asset-referenced tokens (“ARTs”), e-money tokens (“EMTs”) and other crypto assets, which represent those that cannot be categorized upfront and in a straightforward way.
If today’s crypto market is limited to “initiated” parties, once MiCA steps onto the scene (likely early 2025), it will be an open pan-EU market by 2024 or 2025, with a demand for crypto assets and an EU-wide regulatory regime. To enter this market, financial institutions, unlike currently regulated players (FinTechs), will not need a specific licence; however, they must still abide by most MiCA requirements from an organizational point of view in order to properly govern and conduct engagement demands with clients and authorities.
The traditional payments business is increasingly being challenged by new players and disruptive technologies. Digitalization and new technologies have profoundly reshaped the payments landscape. EU legislators have picked up on this as well, culminating in their proposal for a new strategy that will support the creation of a pan-European payment solution and improve, among other things, instant payments.
Payment service providers, including banks providing such services themselves, will certainly be the most exposed to these new and complex demands, which will require them to adapt their processes and infrastructure to implement the new requirements.
If you are reluctant to embrace these new technologies and read through this article thinking that you shouldn’t be bothered by the above text, think again. At the very least, AML requirements will catch up with you.
If you wish to have nothing to do with crypto or blockchain, you still very well might find yourself in a crypto asset transfer that will require you, as an intermediary, to do your part on KYC and pass the information further down the chain.
Given increasingly interlinked financial markets and the cross-border nature of these transactions, no one will be spared their due diligence checks, and the sooner you get cosy with digital assets, the less painful your compliance efforts will be.
Don’t be surprised if, in the process of opening what might be perceived as “a can of worms”, you end up in the world of opportunities and great potential that crypto assets, digitalized ways of working and new technologies have to offer.
Conclusion
There are many ways financial firms will have to adjust to stay compliant with the various and fairly complex requirements stemming from these legislative texts. On top of the upcoming digital finance regulatory package, some well-known rules will also be substantially amended to adjust to the tech-driven environment. Hence, if you are reluctant to embrace innovative ways and read this article thinking that you shouldn’t be bothered by the above text, think again. At the very least, AML requirements will catch up to you. If you wish to have nothing to do with crypto or blockchain, you still very well might find yourself in a crypto asset transfer that will require you, as an intermediary, to do your part on KYC and pass the information further down the chain. Given increasingly interlinked financial markets and the cross-border nature of crypto asset transactions, no one will be spared their due diligence checks. The sooner you get cosy with digital assets, the less painful your compliance efforts will be. Don’t be surprised if, in the process of opening what might be perceived as a “can of worms,” you end up in the world of opportunities with the great potential that crypto assets, digitalized ways of working and new technologies have to offer.