EIOPA Guidelines and other Convergence Instruments

The objective of these Guidelines is to:

• provide clarification and transparency to market participants on the minimum expected information and cyber security capabilities, i.e. security baseline;
• avoid potential regulatory arbitrage;
• foster supervisory convergence regarding the expectations and processes applicable in relation to ICT security and governance as a key to proper ICT and security risk management.

The Opinion addresses how to ensure consistent practices in the application of the remuneration principles included in Solvency II. While the Solvency II framework provides for provisions of remuneration for sound and prudent management, the remuneration principles defined in the Delegated Regulation are high-level and leave considerable discretion to undertakings and supervisory authorities.

In this opinion EIOPA sets out its expectation about how institutions for occupational retirement provision (IORPs) should conduct their Own Risk Assessment (ORA), as well as the minimum content of the ORA report. In so doing EIOPA also states how the documentation in question should flow in the supervision of investment policies (incl. the principles of the investment policy).

From EIOPA’s perspective, IORPs have a social purpose and should therefore adopt a pioneering role in taking into account ESG factors. In so doing the impact of long-term investment decisions and activities are to be taken into account. The opinion clearly shows the relationship between ESG risks and traditional ones.

EIOPA wishes to contribute towards ensuring harmonised supervisory practices in relation to operational risk. This opinion therefore also covers outsourcing and cyberrisks. The assessment of operation is also part of the ORA and should therefore in any case also contain forward-looking information.
EIOPA orients itself towards Solvency II in terms of definitions. Operational risk is defined as the risk of loss arising from inadequate or failed internal processes, personnel or systems, or from external events. Operational risks include compliance/legal risks, but exclude risks arising from strategic decisions as well as from reputational risks.

The Common Framework (CF) is a useful risk management tool from EIOPA’s perspective and therefore should be deployed accordingly in the supervised entities. This is particularly the case where risks that are split between employers, beneficiaries and the IORP itself. IORPs, which offer “pure DC schemes” (where all risks are borne by the beneficiaries) are not captured by this opinion.
The CF contains comprehensive principles and technical specifications, which may be used by the supervisory authorities and by the IORPs on a voluntary basis.

Full title: Joint Guidelines under Article 25 of Regulation (EU) 2015/847 on the measures payment service providers should take to detect missing or incomplete information on the payer or the payee, and the procedures they should put in place to manage a transfer of funds lacking the required information

Subject matter and scope

1. These guidelines are addressed to:

a) payment service providers (PSPs) as defined in point (5) of Article 3 of Regulation (EU) 2015/847 where they act as the PSP of the payee, and intermediary payment service providers (IPSPs) as defined in point (6) of Article 3 of Regulation (EU) 2015/847; and

b) competent authorities responsible for supervising PSPs and IPSPs for compliance with their obligations under Regulation (EU) 2015/847.

2. These guidelines:

a) set out the factors PSPs and IPSPs should consider when establishing and implementing procedures to detect and manage transfers of funds that lack required information on the payer and/or the payee to ensure that these procedures are effective; and

b) specify what PSPs and IPSPs should do to manage the risk of money laundering (ML) or terrorist financing (TF) where the required information on the payer and/or the payee is missing or incomplete.

3. Competent authorities should use these guidelines when assessing the adequacy of the procedures and measures adopted by PSPs and IPSPs to comply with Articles 7, 8, 11 and 12 of Regulation (EU) 2015/847.

4. PSPs, IPSPs and competent authorities should also use these guidelines to ensure compliance with Articles 9 and 13 of Regulation (EU) 2015/847.

5. The factors and measures described in these guidelines are not exhaustive. PSPs and IPSPs should consider other factors and measures as appropriate.

6. These guidelines do not apply to restrictive measures imposed by regulations based on Article 215 of the Treaty on the Functioning of the European Union, such as Regulations (EC) No 2580/2001, (EC) No 881/2002 and (EU) No 356/2010 (‘the European sanctions regime').

Full title: Joint Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on simplified and enhanced customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (The Risk Factors Guidelines)

These guidelines set out factors firms should consider when assessing the money laundering and terrorist financing (ML/TF) risk associated with a business relationship or occasional transaction. They also set out how firms should adjust the extent of their customer due diligence (CDD) measures in a way that is commensurate to the ML/TF risk they have identified.

These guidelines focus on risk assessments of individual business relationships and occasional transactions, but firms may use these guidelines mutatis mutandis when assessing ML/TF risk across their business in line with Article 8 of Directive (EU) 2015/849.

The factors and measures described in these guidelines are not exhaustive and firms should consider other factors and measures as appropriate.

These guidelines set out the characteristics of a risk-based approach to anti-money laundering and countering the financing of terrorism (AML/CFT) supervision and the steps competent authorities should take when conducting supervision on a risk-sensitive basis as required by Article 48(10) of Directive (EU) 2015/849.

These Guidelines are aimed at clarifying the procedural rules and the assessment criteria to be applied by competent authorities for the prudential assessment of acquisitions and increases of qualifying holdings in the financial sector. These Guidelines apply to competent authorities in the prudential assessment of acquisitions or increases of qualifying holdings in target undertakings.