With the increased importance of corporate social responsibility and the evolution of the manner in which banks collect, manage, store and report data, it is imperative for banks to ensure that they have the right data strategy, integrated data solutions and suitable governance and compliance practices in place. A proper data strategy ensures not only that all legal requirements and supervisory expectations are adhered to, but also that licence holders keep up with current market trends and continue to build customers’ trust.
Although internationally (including at European Union level), data requirements and practices have been codified for banks in various legislative and regulatory instruments, there is no single legislative source that covers all the applicable data requirements pertaining to banks.
The purpose of this article is to provide a general insight into current trends and upcoming regulatory requirements applicable to banks in relation to data.
The Eurosystem Integrated Reporting Framework (the ‘IReF’)
Banks are bound to report a significant amount of data to supervisory and monetary authorities ranging from statistical, resolution and prudential information, just to mention a few.
The Eurosystem Integrated Reporting Framework (the ‘IReF’) is part of a broader data initiative for an integrated reporting system for statistical, prudential and resolution data in the European Union. The initiative was originally requested by the European banking industry and is provided for in Article 430c of the CRR[1], which requires, inter alia, the European Banking Authority (the ‘EBA’), involving the relevant authorities, to prepare a report on the feasibility of developing a consistent and integrated system for collecting statistical, resolution and prudential data. Proportionality is built into the IReF: derogations are envisaged for small institutions, which would be subject to simplified reporting. Given the different reporting populations of the datasets within its scope, the IReF specifies different requirements. For example, instrument-level requirements on loans to legal entities will apply to credit institutions, whereas deposit-taking corporations other than credit institutions will continue to report loan data on an aggregated basis. Subject to adoption of the IReF Regulation by the Governing Council, currently scheduled for 2025, the IReF is expected to go live around 2027.
In relation to the above, on 18 March 2024, the European Central Bank (the ‘ECB’) and the EBA published a Memorandum of Understanding (the ‘MoU’) on the establishment of the Joint Bank Reporting Committee (the ‘JBRC’). The JBRC will be tasked, inter alia, with assisting in the development of common definitions and standards for the data that banks are required to report for statistical, supervisory and resolution purposes. The process will involve all relevant European Union bodies, as well as national authorities and banking industry representatives.
The MoU may be accessed here: https://www.ecb.europa.eu/pub/pdf/other/ecb.mou240318~bc6b929078.en.pdf
FiDA and Open Finance
The European Commission (the ‘EC’) identified the promotion of data-driven finance as one of the priorities in its 2020 Digital Finance Strategy. In June 2023, the EC published the Proposal for a Regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554 (the ‘FiDA’).
This proposal builds on the revised Payment Services Directive (the ‘PSD II’)[2] and relies mainly on customer consent for the sharing of data. The proposal also seeks to ensure compliance with the rules on cybersecurity and operational resilience in the financial sector set out in the Digital Operational Resilience Act (the ‘DORA’)[3] by bringing financial information services providers (the ‘FISPs’)[4] within the scope of DORA. The FiDA expands the type of data eligible for sharing beyond the payment account data covered by the PSD II. Indeed, pursuant to the proposed Regulation, financial institutions would be required to make certain customer data available to other financial institutions, to authorised FISPs and to the customers themselves, at the customer’s request.
It should be noted that regulated financial institutions that already have a licence (including banks) would not be affected by the new licensing regime that this proposal would establish, and there would be no additional regulatory reporting and licensing requirements for such licensed entities.
Data Security and DORA
The Digital Operational Resilience Act, which entered into force in January 2023 and applies from 17 January 2025, introduces a comprehensive framework for enhancing the operational resilience of financial entities, including credit institutions.
DORA includes, inter alia, specific rules governing ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring, and requires financial entities to use ICT solutions and processes that are appropriate for that purpose. Specifically, under Article 9, the ICT solutions and processes shall:
- Ensure the security of the means of transfer of data;
- Minimise the risk of corruption or loss of data, unauthorised access and technical flaws that may hinder business activity;
- Prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data; and
- Ensure that data is protected from risks arising from data management, including poor administration, processing-related risks and human error.
It should be noted that, while the General Data Protection Regulation[5] governs data security in relation to personal data, DORA establishes data security and data resilience requirements for a broad spectrum of data held by a number of financial entities, such as credit institutions, payment institutions and electronic money institutions. DORA also requires institutions to classify ICT-related incidents and to determine their impact based, among other criteria, on the data losses that the ICT-related incident entails, in relation to the availability, authenticity, integrity or confidentiality of data.
CRR III – Supervisory Reporting
The EBA has sought and is currently seeking industry input via consultations on amendments to various regulatory requirements emanating from the CRR III[6] and CRD VI[7]. On supervisory reporting, the Commission Implementing Regulation (EU) 2021/451 on supervisory reporting will be amended; one consultation relates to amendments in relation to credit risk, credit valuation adjustments, market risk, output floor and leverage ratio (EBA/CP/2023/39), while the other consultation is related to amendments in relation to operational risk (EBA/CP/2024/07).
Some examples of changes to supervisory reporting data requirements for banks include changes to reporting templates to cater for the new output floor (set at 72.5% of the own funds requirements that would apply under the standardised approaches), which aims to reduce the excessive variability of a credit institution’s own funds requirements calculated using internal models. Credit institutions using internal models will have to collect and manage data as if they were using the standardised approaches in order to compute the output floor. There are also changes to templates to cater for more granular credit risk exposures. Notably, exposures secured by immovable property are now categorised into a number of new granular classifications. In relation to operational risk (more specifically Article 314 et seq of the CRR[8]), new supervisory reporting templates are being introduced to specify the components of the new Business Indicator, the elements to be excluded and the mapping of the Business Indicator components to the corresponding supervisory reporting references.
All current consultations and documentation of the EBA can be accessed on https://www.eba.europa.eu/publications-and-media/consultations.
ESG – Pillar III Disclosures
Pillar III disclosures ensure market discipline by making it mandatory for banks to publicly disclose relevant qualitative and quantitative information on a regular basis, as part of their financial reports or in separate Pillar III reports. Indeed, the European Union has led the way in upgrading corporate Environmental, Social and Governance (‘ESG’) reporting requirements with, inter alia, the adoption of the Corporate Sustainability Reporting Directive (‘CSRD’).[9]
Credit institutions are required to adhere to the requirements of the CSRD within the applicable transitional periods (which depend on the size of the institutions concerned).
Moreover, apart from the CSRD, all banks, regardless of size, will need to abide by the ESG Pillar III disclosures (subject to the proportionality principle, as applicable) in terms of the proposed amended Article 449a of the CRR III which stipulates that credit institutions are bound to disclose information on ESG risks, including physical risks and transition risks. This information is to be disclosed on an annual basis by small and non-complex institutions and on a semi-annual basis by other institutions.
The amendments to the CRR III and the CRD VI also form part of the green transition plan of the European Union which includes new rules (including new data requirements) requiring credit institutions to identify, disclose and manage risks arising from environmental, social and governance factors as part of their risk management framework. The data will be used to feed into the European Centralized Infrastructure of Data and the EBA’s Pillar 3 hub project, which will later contribute to the European Single Access Point (the ‘ESAP’) Regulation[10].
The EBA is also consulting on the Draft Guidelines on the Management of ESG risks (EBA/CP/2024/02), which would require banks to collect and assess ESG-related data from their counterparties and ensure they are managing any risks that are identified. The Draft Guidelines provide for requirements related to, inter alia, data processes. The Draft Guidelines also stipulate that banks’ “internal procedures should provide for the implementation of sound systems to collect and aggregate ESG risks-related data across the institution as part of the overall data governance and IT infrastructure and should have in place arrangements to assess and improve ESG data quality”. The Draft Guidelines further propose that banks aggregate and exploit their already available data, collect additional ESG data when engaging with their clients and counterparties and, as an intermediary step, use proxies, estimates and external data sources where data is not available.
The Proposed New Conduct of Business Rulebook of the MFSA
On 19 February 2024, the Malta Financial Services Authority (the ‘MFSA’) published a proposed Conduct of Business Rules for enhanced Protection of Consumers in the Provision of Banking Products and Services by Credit Institutions[11] which highlights, inter alia, the importance for banks to provide adequate information to existing and prospective clients.
The proposed Rulebook (which also sources from current legislation in force) provides for various disclosures that need to be made by credit institutions both on a pre-contractual and post-contractual basis to clients. Furthermore, insofar as credit agreements and credit worthiness are concerned, the Rulebook requires credit institutions to have in place appropriate data infrastructure which should be “detailed and sufficiently granular to capture specific loan-by-loan information, in particular actual credit-granting criteria applied at the point of origination, allowing data regarding the client to be linked with data regarding collateral, to support the effective monitoring of credit risk and enable effective audit trailing, operational and credit performance and efficiency measurement, as well as the tracking of policy deviations, exceptions and overrides (including credit/transaction rating or scoring overrides)”[12].
Concluding Remarks
As part of the Supervisory Priorities of the MFSA for 2024[13], the MFSA is also stressing the importance of the quality and granularity of data for licence holders (including credit institutions) in adhering to the outcome-based supervisory priorities for 2024. The document states that[14]:
“In establishing a set of outcomes the quantification of such outcomes will be critical. These should result from strengthened data quality and data capacity.”
Having proper qualitative and quantitative data is paramount for, inter alia, credit institutions, not only in order for them to comply with all applicable regulatory and legislative requirements, but also to ensure profitability and market resilience. Apart from satisfying the applicable legal and regulatory requirements, adopting the right data strategy and infrastructure can improve decision-making processes for banks, allowing them to gain a competitive advantage and enhance relationships with their clients.
Footnotes:
[1] Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012.
[2] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
[3] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector.
[4] FISPs are a new category of regulated service provider with the proposed regulation.
[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
[6] Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 575/2013 as regards requirements for credit risk, credit valuation adjustment risk, operational risk, market risk and the output floor.
[7] Proposal for a Directive of the European Parliament and of the Council amending Directive 2013/36/EU as regards supervisory powers, sanctions, third-country branches, and environmental, social and governance risks, and amending Directive 2014/59/EU.
[8] Being replaced by the CRR III.
[9] Directive (EU) 2022/2464 of the European Parliament and of the Council of 14 December 2022 amending Regulation (EU) No 537/2014, Directive 2004/109/EC, Directive 2006/43/EC and Directive 2013/34/EU, as regards corporate sustainability reporting.
[10] Regulation (EU) 2023/2859 of the European Parliament and of the Council of 13 December 2023.
[11] The proposed Rulebook is currently in consultation.
[12] This requirement also emanates from the EBA Guidelines on Loan Origination and Monitoring which was recently implemented in BR/28.
[13] https://www.mfsa.mt/wp-content/uploads/2024/02/MFSA-Supervision-Priorities-2024.pdf
[14] Page 16 (Setting the Context for Outcomes-Based Supervision).
Disclaimer: This document does not purport to give legal, financial or tax advice. Should you require further information or legal assistance, please do not hesitate to contact Dr Michael Psaila or Dr Sarah Zerafa Lewis.