SAFE Finance Blog
30 Nov 2022

The SAFE Regulatory Radar in November

Initial indication for companies on their sustainability reports, updated regulations for service providers of critical information and communications technologies, and new liquidity requirements for investment firms

At the end of each month, the SAFE Regulatory Radar highlights a selection of important news and developments on financial regulation at the national and EU level.

CSRD: Reporting standards covering corporate sustainability matters

Companies within the scope of the Corporate Sustainability Reporting Directive (CSRD) obtain a first indication on how to report on environmental, social and governance matters. The draft European Sustainability Reporting Standards (ESRS), being published on 23 November 2022 by the European Financial Reporting Advisory Group (EFRAG), propose a first coherent set of reporting standards, covering corporate sustainability matters from a double-materiality perspective, which means outside-in and inside-out. The draft ESRS thus shows how to identify, assess, and disclose sustainability-related (financial) risks and opportunities for undertakings as well as sustainability-related impacts by undertakings. According to EFRAG, in comparison to the exposure drafts, the disclosure requirements in the draft ESRS are nearly cut in half and are aligned to the structure and content of other international sustainability reporting standards – as far as possible. EFRAG’s drafts refer to the following three areas of corporate sustainability reporting:

  1. Environmental disclosures: Five draft ESRS specify how undertakings shall disclose environmental information on climate (e.g. actions for climate change mitigation and adaption, energy intensity and greenhouse gas emissions), water and marine resources (e.g. water consumption), biodiversity and ecosystems (e.g. spatial configuration of land and sea use), resource use and circular economy (e.g. resource inflows and outflows), and pollution.
  2. Social disclosures: Four draft ESRS outline how undertakings are supposed to disclose information on their own workforce (e.g. collective bargaining coverage, adequate wages, and diversity), workers in the value chain, affected communities (e.g. respect for human dignity), and consumers and end-users (e.g. respect for the right of privacy).
  3. Governance disclosures: One draft ESRS focuses on the undertaking’s conduct of business, including confirmed incidents of corruption and bribery, political influence, lobbying activities, and payment practices.

These draft ESRS are accompanied by general requirements (e.g. time horizons and structure of sustainability statements) and general information on disclosures along the categories governance, strategy, impact, risk and opportunity management as well as metrics and targets.

The proposed standards will now be discussed by the European bodies, including the Commission and the member states, before being formally adopted as delegated acts in June 2023. After a period of scrutiny, the final ESRS will have to be applied by the first companies from the financial year 2024 onwards.

DORA: Service providers to follow new rules on how to address information and communication technology risks

Financial entities and critical third-party information and communication technology (ICT) service providers will have to follow a consolidated and upgraded rulebook to address ICT risks that endanger digital operational resilience. The Digital Operational Resilience Act (DORA), approved by the European Parliament on 10 November 2022, harmonizes existing legislative disparities and uneven national regulatory and supervisory approaches on ICT risk management to ensure the stability, integrity, and efficiency of the European financial system. Specifically, the act aims at protecting

  • tangible and intangible information assets,
  • software and hardware assets, and
  • relevant physical components and infrastructure, such as data centers,

from damage, unauthorized access, and usage. The DORA thus requires financial entities, such as trade repositories, credit institutions, payment and electronic money institutions or crypto-asset service providers, and their critical ICT service providers to withstand, respond to, and recover from all ICT-related threats and disruptions. The key measure to reach this objective constitutes the mandatory implementation of a sound and well-documented ICT risk management framework. This framework must define procedures and tools to identify, manage, and report ICT-related incidents and cyber threats. These defense mechanisms are subject to regular threat-led penetration testing. To assure sufficient time to comply, the DORA grants an implementation period of two years after its official publication that is expected to occur until the end of the year.

The protection mechanisms implemented by the DORA can be seen as a prerequisite for an open finance infrastructure that creates innovative and customer-centric financial products based on available data. To share, access, and reuse personal and non-personal data, the expert group of the European Commission clarifies in its Report on Open Finance of 24 October 2022 that risks related to complex data control and cyber-attacks must be successfully handled by payment service providers.

IFD: Investment firms to adjust liquidity buffers

Investment firms will have to adjust their liquidity buffers based on a harmonized risk assessment performed by the competent authorities. The draft regulatory technical standards (RTS), finalized by the European Banking Authority (EBA) on 14 November 2022, foresee a consistent and uniform decision-making procedure to impose specific liquidity requirements for investment firms under the Investment Firms Directive (IFD). If an investment firm is exposed to material liquidity risks that are insufficiently covered by the minimum liquidity requirements, the IFD requires competent authorities to determine specific liquidity requirements. To set these requirements, liquidity risk and its elements must be measured in a manner that is appropriate to the size, the structure, the internal organization of investment firms and the nature, scope, and complexity of their investment activities. The measurement procedure must thus consider possible sources for liquidity shortages, namely

  • investment services and activities (e.g. maturity profiles or time mismatch between fees received by clients and fees paid to trading platforms),
  • funding (e.g. availability and currency of existing funding sources or the access to pre-arranged emergency funding sources),
  • operational events (e.g. external or internal frauds, unavailability of systems or compensation claims and claims related to order execution errors),
  • external events (e.g. a partial or total loss of secured, short-term funding in a stress scenario or potential obligation to buy back debt), and
  • reputational loss (e.g. reduced market access or reduced exposures by counterparties in over-the-counter operations).

Additionally, EBA obliges competent authorities to control the adequacy of the systems for measuring, managing, and reporting liquidity risk, mitigating actions, governance, and recovery plans of the investment firms. The draft RTS will next be submitted to the European Commission for endorsement and will be subject to scrutiny by the European Parliament and the European Council before being officially published.

Current public consultations:

  • European Banking Authority (EBA)Consultation on amending guidelines on improving resolvability for institutions and resolution authorities to introduce a new section on resolvability testing. The deadline is Wednesday, 15 February 2023.
  • EBACall for evidence – jointly with EIOPA and ESMA – on potential greenwashing practices which may be relevant to various segments of the sustainable investment value chain and of the financial product lifecycle. The deadline is Tuesday, 10 January 2023.
  • European Securities and Markets Authority (ESMA): Consultation on guidelines for the use of ESG or sustainability-related terms in funds’ names. The deadline is Monday, 20 February 2023.
  • ESMAConsultation on rules for passporting for investment firms under MiFID II. The deadline is Friday, 17 February 2023.
  • European Insurance and Occupational Pensions Authority (EIOPA): Consultation on methodological principles of insurance stress testing with focus on cyber risk. The deadline is Tuesday, 28 February 2023.

Carl-Georg Luft is Research Assistant at the SAFE Policy Center.