Important aspects for regulated entities in the financial/insurance sectors and payment institutions

Yes. Considering the clear call from the government and doctors to stay home, the CSSF:

  • has communicated that supervised entities (including entities subject to professional secrecy) must prioritise remote access from home over any other alternative (including working from backup sites); and
  • strongly encourages supervised entities to limit staff being sent to the usual workplace or backup centres to critical roles that are essential in order to remain operational, and whose tasks cannot be performed remotely.

The CSSF urges supervised entities to review their organisational set-up to help achieve this. To ensure rapid and effective implementation of these measures, no prior authorisation is needed.

The CSSF further communicated that such measures should be preferred by supervised entities until at least 25 May 2020. Since the situation will be reassessed by the Luxembourg government after 11 May 2020, the CSSF may reassess its position thereafter.

The CAA has not yet communicated on regulated entities in the insurance sector, but a similar approach would seem appropriate.

Your contacts for more details : Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)
(11/05/20)

The CSSF has indicated that a supervised entity may grant remote access to enable its employees to work from home on an exceptional and temporary basis, subject to satisfactory IT security conditions.

Satisfactory security conditions (e.g. strong authentication, access from a secure laptop which is managed by the professional for the higher risk functions, logging and ex-post review of any sensitive actions carried out) shall be defined by each entity in proportion to the risks to which it is exposed. In particular, entities should take into account the roles in question, the access rights of the relevant employees, the duration of remote access and the sensitivity of the systems and data involved. The CSSF has clarified its expectations in terms of encryption and connection monitoring (e.g. disabled access outside of working hours, geofencing).

The CAA has not yet communicated on regulated entities in the insurance sector, but a similar approach would seem appropriate.

Your contacts for more details : Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)
(24/03/20)

Although there is no general pushback of reporting deadlines, the CSSF announced on 23 March 2020 that supervised entities experiencing difficulties in preparing or validating their CSSF reporting should contact the CSSF through their usual channels as soon as possible and ahead of reporting deadlines. In this case, the CSSF has confirmed that it will not apply a strict enforcement policy if delays in reporting are duly justified (CSSF press release dated 23 March 2020).

The CSSF has also provided some flexibility as regards reporting on specific matters, such as in relation to the survey related to the fight against money laundering and terrorist financing, which must now be provided only by 10th April 2020 instead of 15th March 2020 (CSSF circular letter dated 17 March 2020). In addition, and although a timely submission of long form reports (“LFRs”) is encouraged by the CSSF, audited entities and funds may exceptionally remit their LFRs up to four months after their annual general meeting (“AGM”) (excluding delays for such AGMs granted by the government through exceptional measures, as both delays may not apply cumulatively) (CSSF press release dated 25 March 2020).

The CAA has not yet issued any communication on this topic, but EIOPA has called for flexibility on regulatory reporting (EIOPA issues Recommendations on supervisory flexibility regarding deadlines of supervisory reporting and public disclosure by insurers).

Your contacts for more details : Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Helena Finn (Helena.Finn@arendt.com)
(24/03/20)

The EBA announced on 16 March 2020 that the EU-wide stress test for 2020 (initially scheduled to take place between 31 January and 31 July 2020) will be postponed to 2021, in order to allow banks to prioritise the continuity of their business operations. This will enable banks to concentrate on providing services to their customers, thus funding the broader economy.

However, the EBA will still carry out a separate EU-wide transparency exercise in order to provide market participants with updated information on banks’ exposures and asset quality (EBA statement on actions to mitigate the impact of COVID-19 on the EU banking sector).

Your contacts for more details : Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Helena Finn (Helena.Finn@arendt.com)
(24/03/20)

Yes. ESMA has clarified that the requirement to record telephone conversations relating to transactions concluded when dealing on own account, and to the provision of client order services surrounding the reception, transmission and execution of orders, still applies. It refers readers to its previous Q&As on the recording of conversations via mobile devices. However, ESMA recognises that the recording of telephone conversations may not be practicable in the current exceptional situation.

ESMA has emphasised that banks and investment firms must make alternative arrangements where necessary to ensure full compliance with their recording requirements (e.g. by preferring electronic written communications over non-recordable telephone conversations). Where this is not possible (e.g. if the client does not have access to electronic communication tools), banks and investment firms shall take measures to mitigate the risks related to the absence of recordings (e.g. by documenting the conversation via notes or minutes) and inform their clients accordingly. In such cases, banks and investment firms shall also ensure enhanced monitoring and ex-post review of the relevant orders and transactions, and restore the recording of telephone conversations as soon as possible.

Useful document: ESMA press release (20/03/20): COVID-19: Clarification of issues related to the application of MiFID II requirements on the recording of telephone conversations 

Your contacts for more details: Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)
(25/03/20)

EIOPA has indicated that recent stress tests have shown that the (re)insurance sector is well capitalised and able to withstand severe but plausible shocks to the system. Nevertheless, (re)insurance companies are strongly encouraged to take prudent measures to preserve their capital position in balance with the protection of the insured, especially when taking decisions regarding distributions (e.g. distribution of dividends and other distribution policies, including variable remuneration).

Useful document: EIOPA statement on actions to mitigate the impact of Coronavirus/COVID-19 on the EU insurance sector (17/03/20)

Your contacts for more details: Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)

(25/03/20)

The EBA encourages both payers and merchants using payment devices that require the entering of a PIN to take sanitary precautions, including by considering all payment methods available, such as contactless or remote payments.

In this context, payment service providers are invited by the EBA to contribute to the facilitation of payment methods without the need for physical contact. Payment service providers are strongly encouraged to make full use of the exemption to strong customer authentication for contactless payments at the point of sale and raise their threshold to EUR 50 per transaction if this is not already the case (EBA - Statement on consumer and payment issues in light of COVID19).

Your contacts for more details: Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)
(26/03/20)

No, the CSSF has clarified that, in order to facilitate a rapid implementation of solutions chosen by regulated entities to adapt their working environment in response to the Covid-19 situation, prior authorisation by or notification to the CSSF to implement a cloud-based solution is waived as long as this exceptional situation lasts. A simple communication by email to the CSSF contact agent of the concerned entity is sufficient at this stage.

However, the other requirements of the amended CSSF Circular 17/654 (e.g. obligation to carry out appropriate due diligence and risk assessment, recording in the cloud register) remain applicable.

Useful documents: CSSF press release dated 23 March 2020

Your contacts for more details : Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)

(27/03/20)

The CSSF and the CAA remain operational but their offices are closed to external visits.

The CSSF has indicated that all communications by professionals shall be done through the eDesk (if registered), or by e-mail. All outgoing communications from the CSSF will be done by e-mail without a handwritten signature (CSSF - Press Release 17 March 2020). Please refer to the following link for CSSF contact details (CSSF Contact). Any complaints to be lodged with the CSSF as well as any communication concerning complaints already registered with the CSSF should be sent by e-mail to reclamation@cssf.lu (CSSF - COVID-19: Procedure for complaint handling 26 March 2020).

The CAA has indicated that all communications shall be done via e-mail. Documents shall be scanned and sent to the following address: caa@caa.lu or directly to the CAA contact person in the context of an existing file (COVID – 19 : mesures prises par le CAA).

Both the CSSF and the CAA have indicated that they are available for meetings by telephone or video conference. In the specific case of the CAA, telephone meeting requests shall be sent to caa@caa.lu.

Your contacts for more details : Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Helena Finn (Helena.Finn@arendt.com)
(27/03/20)

All AML/CFT requirements remain applicable, and must thus continue to be applied by all professionals on a risk sensitive basis. However, certain measures may need to be adapted to the current circumstances in line with the professional’s internal procedures and processes. The CSSF, in its recent circular 20/740 regarding financial crime and AML/CFT implications during the COVID-19 pandemic (the “Circular”) issued on 10 April, encourages the professionals not only to continue applying the CDD measures provided by the law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the “2004 Law”), but to consider strengthening these measures on a risk-based approach in order to mitigate the lack of face-to-face contact during this time.

The CSSF gives examples of the enhanced measures to be envisaged, notably performing more frequent checks against lists of politically exposed persons, conducting additional or more detailed checks, the reliance on a third party having already identified the customer, or checking by means of a first transfer of funds from a bank account in the name of the customer with a credit institution established in Luxembourg, in the EU, or in any other country applying equivalent AML/CFT obligations and being supervised for that purpose.

The CSSF encourages the use of technology (e.g. Fintech), in line with the latest Financial Action Task Force (the “FATF”) publication (statement by the FATF President: COVID-19 and measures to combat illicit financing issued on 1st April) and the FATF’s Guidance on Digital ID and in compliance with the 2004 Law, as recently amended by the law of 25 March 2020 implementing the 5th AML Directive, to manage some of the CDD issues presented by COVID-19.

The CSSF also reminds professionals that in case the identification of the customer cannot be fully performed, or where it raises suspicions on the identity of the customer, the principle is for the professionals to refrain from entering into the business relationship and to cooperate with the authorities where required.

In line with the measures provided for by the CSSF, it could be envisaged, in lower risk situations, that physical meetings with customers when entering into new business relationships could temporarily be replaced by remote meetings provided that such a form of meetings is expressly provided for in internal procedures. Amendments to the internal governing procedures may be necessary in order to include such remote meetings if they are not initially included.

Where a lower risk of money laundering and terrorism financing has been identified, copies of the customer’s documentation may be communicated to professionals by e-mail. The same may also apply temporarily for standard risks, provided that the professional may verify that the source of the relevant document is reliable. Originals may also be sent by regular mail in higher risk situations.

Are there any particular risks to look out for from an AML/CFT perspective?

The FATF explains in its statement that due to the COVID-19 pandemic, the risk of financial crimes has indeed increased as criminals have taken advantage of the situation to carry out, on a larger scale, i.a. financial fraud and exploitation scams (e.g. phishing schemes).

The CSSF also mentions new and emerging money laundering and terrorist financing threats in its Circular, relating to cybercrime, fraud, bribery and corruption related to government support schemes, trafficking in counterfeit medicine and other goods, robbery or theft and insider trading and market manipulation. In response to these risks, the CSSF advises supervised professionals to continue mitigating the AML/CFT risks, focusing particularly on AML/CFT business continuity, transaction monitoring, customer due diligence, money laundering and terrorist financing risk assessment and cooperation with authorities.

The CSSF also reminds professionals of the importance of continuing to interact with the CSSF as part of its supervisory activities and of being proactive in using industry bodies, fora, committees and working groups to share typologies and trends in real-time to help collectively combat these new risks.

The FATF finally reminds professionals that any suspicious activity must be declared without delay to the competent financial intelligence unit (e.g. the Cellule de Renseignement Financier).

Your contacts for more details : Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Helena Finn (Helena.Finn@arendt.com)
(17/04/20)

Bill of law n°7540 was published on 26 March 2020 and introduces a temporary extension for a period of three months to certain reporting requirements applicable to entities of the financial sector pursuant to sectorial laws (the “Bill of Law”) (Projet de loi portant prorogation de certains délais prévus dans les lois sectorielles du secteur financier durant l'état de crise).

The Bill of Law does not apply to the publications required pursuant to the law of 10 August 1915 on commercial companies, as amended, and the law of 19 December 2002 on the trade and companies register and the accounting and annual accounts of undertakings, which shall be subject to a separate bill of law.

The extension period of the Bill of Law applies to reports due after 18th of March 2020. All reports/publications which were due on or before such date shall not be extended.


The three-month extension period applies i.a. to the following reports:

  • For credit institutions: the publication of annual accounts and the reports relating thereto in the register of companies and associations (Recueil électronique des sociétés et associations), as well as the declaration on governance (déclaration sur le gouvernement d’entreprise), as referred to in the amended law of 17 June 1992;
  • For insurance and reinsurance undertakings: the publication of annual accounts and the reports relating thereto in the register of companies and associations (Recueil électronique des sociétés et associations), as well as the declaration on governance (déclaration sur le gouvernement d’entreprise), as referred to in the amended law of 8 December 1994. The delay is also granted for the non-financial declaration (déclaration non financière);
  • For securitization vehicles: the publication of the annual and bi-annual report as provided for in the law of 22 March 2004;
  • For pension savings companies with variable capital (Sepcav) and pension savings associations (Assep): the publication of annual accounts and the reports relating thereto referred to in Article 87 of the law of 13 July 2005.

During the state of crisis and under certain conditions, the Bill of Law further provides that the Commission de Surveillance du Secteur Financier (CSSF) and the Commissariat aux Assurances (CAA) may extend the deadlines applicable to the publication of other periodic reports which are not listed above, for a maximum of three months. It should be noted that the Council of State (Conseil d’Etat), in its comments on the bill of law, has issued a formal opposition to such power granted to the CSSF and the CAA and this section of the text will thus most likely be amended shortly.

Your contacts for more details : Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Helena Finn (Helena.Finn@arendt.com)
(06/04/20)

ESMA considers that the current circumstances constitute a serious threat to market confidence and has issued a decision temporarily requiring the holders of net short positions in shares traded on a European Union (EU) regulated market to notify the relevant national competent authority (NCA) if the position reaches or exceeds 0.1% of the issued share capital. ESMA considers that lowering the reporting threshold normally applicable under EU Regulation 236/2012 on short selling and certain aspects of credit default swaps is a precautionary action that, under the exceptional circumstances linked to the ongoing COVID-19 pandemic, is essential for authorities to monitor developments in the market.

Your contacts for more details: Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)
(03/04/2020)

Useful link: ESMA Decision of 16 March 2020

Both the CSSF and the CAA have published statements on their websites urging banks and (re)insurers to temporarily suspend discretionary dividend distributions and share buy-backs (until 1 October 2020).

Banks serve the essential role of funding the economy. In light of this, and as indicated by the CSSF in its Q&As in line with ECB and EBA recommendations, banks shall refrain from taking decisions to distribute (or making irrevocable commitments to distribute) dividends and share buy-backs for the financial years 2019 and 2020 where this would make it more difficult to meet the liquidity and credit needs of the markets they serve, brought on by COVID-19. Banks that have already submitted dividend distribution proposals for their upcoming general shareholders’ meeting are expected to amend such proposals. It is, however, possible to defer such distributions to a period after 1 October 2020.

(Re)insurers are still required to maintain a robust level of own funds to protect policyholders and absorb potential losses. Here, they must take due account of the current high degree of uncertainty with respect to the depth, magnitude and duration of the impacts of COVID-19 on financial markets and the economy, and their repercussions for (re)insurers’ solvency and financial positions. In view of this, EIOPA urges (re)insurers to temporarily suspend all discretionary dividend distributions and share buy-backs designed to remunerate shareholders. The CAA has published the EIOPA recommendations on a special webpage about the COVID-19 situation.

Your contacts for more details : Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)

(06/04/20)

A prudent approach should be taken with respect to variable remuneration policies, with the goal of maintaining robust capitalisation. This must continue throughout the ongoing period of uncertainty as to the depth, magnitude and duration of the impacts of COVID-19 on financial markets and the economy, and their potential repercussions for (re)insurers’ solvency and financial positions. EIOPA expects (re)insurers to review their current remuneration policies, practices and rewards so that they demonstrate prudent capital planning and are consistent with, and reflective of, the current economic situation. In such context, the variable portion of remuneration policies should be conservative in size, and should be considered for postponement. EIOPA recommendations to this effect have been published by the CAA on a special webpage about the COVID-19 situation.

Your contacts for more details : Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)

(06/04/20)

Both the EBA and EIOPA have published guidelines on the treatment of consumers, calling on service providers to exercise a certain level of flexibility since consumers may temporarily not be able to fulfil their contractual obligations in the current context (e.g. filing a claim in a given timeframe, undergoing a medical check-up, etc.). Both authorities stress the importance of continuing to focus on ensuring business continuity and the fair treatment of consumers so that the current situation does not undermine trust in the sector.

EIOPA expects in particular insurers and intermediaries to comply with their respective obligations under IDD and Solvency II (e.g. provision of clear and timely information on contractual rights, fair and explicit treatment in all communications avoiding the use of vague or misleading terms, information about contingency measures undertaken such as moving services to online channels, the extension of applicable delays or the publication of FAQs and where relevant review of the product under product governance requirements). The EIOPA recommendations are published on the CAA’s dedicated webpage.

EIOPA further issued a guide providing information to consumers to understand their insurance coverage during the COVID-19/Corona virus outbreak.

The EBA calls on financial institutions to give special attention to ensuring that they act in the interest of the consumer, fully complying with their disclosure obligations, with no hidden charges, clarity on the terms and conditions and no automatic impact on the consumer’s credit rating. Careful consideration shall be given, from a legal and reputational perspective, before implementing any new and additional charges specifically introduced in relation to contingency measures, which are ostensibly designed to alleviate the pressure on consumers and businesses, and any cross selling of products to consumers.

Your contacts for more details : Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)

(11/05/2020)

In its statement of 31 March 2020, ESMA encouraged national competent authorities to have some flexibility regarding reports under RTS 27 and 28.

In this context, ESMA has suggested that execution venues which were unable to publish their RTS 27 reports due by 31 March 2020 should be authorised to publish them as soon as reasonably practicable after that date and no later than the following reporting deadline (i.e. 30 June 2020).

Firms which are unable to publish their RTS 28 reports due by 30 April 2020 should be authorised to publish them on or before 30 June 2020.

At this stage, the Luxembourg authorities have not yet issued any statement in this respect.

Overall, ESMA reminds firms of their obligation to achieve best execution for clients (i.e. by ensuring a fair order handling and allocations during the current market volatility) and recommends that firms and execution venues keep records of the internal decisions taken in relation to the expected delay.

Your contacts for more details : Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com) and Helena Finn (Helena.Finn@arendt.com)

(08/04/20)

ESMA and the EBA have both published statements designed to ensure a coordinated accounting approach to assessing the current support and relief measures. In particular, these measures may have an impact on the assessment of significant increase in credit risk (SICR) of financial instruments, and on the estimation of expected credit loss (ECL). ESMA recommends that issuers make a distinction between measures with an impact on the credit risk over the expected life of the financial instrument, and those which address borrowers’ temporary liquidity constraints.

As regards SICR: the impact of public support programmes reducing the lifetime risk of default on a financial instrument should be taken into consideration. However, payment relief measures should not in themselves be viewed as an automatic trigger of SICR. ESMA recommends a case-by-case analysis of the conditions of the relief measures, and of whether it is possible to rebut the presumption under IFRS 9 that payment defaults of more than 30 days provide evidence of SICR.

As regards ECL: there is no automatism that issuers can look to with respect to how contextual factors should impact loan loss provisioning. ESMA acknowledges the difficulties that may currently be encountered when seeking reliable information from which to generate reasonable and defensible short-term economic forecasts. ESMA highlights the ECB recommendation that, given the current state of uncertainty, within the framework provided by IFRS, issuers are to give greater weight to a long-term stable outlook supported by past experience, and factor in the relief measures granted by public authorities. When making forecasts, issuers should consider the nature of this economic shock (i.e. whether the COVID-19 effect is expected to be temporary) and the impact that the economic support and relief measures will have.

Your contacts for more details: 

Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com)

Yvan Stempnierwsky (Yvan.Stempnierwsky@arendt.com)

Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)

(08/04/20)

ESMA has clarified that the value of collateral or the occurrence of any guarantee shall not affect the assessment of SICR. The impact of State guarantees on the ECL measurement will depend on whether or not such guarantees are considered an integral part of the contractual terms, and whether they are recognised separately by the issuer.

Your contacts for more details: 

Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com)

Yvan Stempnierwsky (Yvan.Stempnierwsky@arendt.com)

Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)

(08/04/20)

As a reminder, credit institutions shall include disclosures to enable users of financial statements to evaluate the ECL recorded, and to understand the assumptions and judgements made in estimating it. In line with the requirements of IFRS 7 and IAS 1 Presentation of Financial Statements, ESMA has clarified that issuers should provide any additional information that might enable users of financial statements to understand the overall impact of COVID-19. ESMA reminds issuers that they are expected to disclose the principal risks and uncertainties they face due to the COVID-19 outbreak in their management reports.

Your contacts for more details: 

Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com)

Yvan Stempnierwsky (Yvan.Stempnierwsky@arendt.com)

Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)

(08/04/20)

In its Q&As, the CSSF refers to the EBA guidelines which clarify that public and private moratoria, to the extent they are not borrower specific but rather addressed to broad ranges of product classes or customers, do not have to be automatically classified as forbearance measures, as for IFRS 9 and the definition of default (i.e. no automatism in the classification). However, this does not relieve credit institutions from their obligation to assess the credit quality of the exposures benefiting from these measures, and to appropriately identify any situation of borrowers’ unlikeliness to pay. Here, credit institutions should distinguish between obligors for which the credit standing would not be significantly affected by the current situation in the long term, and those that would be unlikely to restore their creditworthiness.

As regards the identification of defaulting loans:

  1. As a reminder, the EBA indicates that defaults do not have to happen until 90 days past due on a material credit obligation, providing sufficient time to restructure the loans where necessary. Public and private moratoria may extend this period, in which case payment delays shall be assessed on the basis of the modified schedule of payments.
  2. Loans can be renegotiated in such a way that the financial position of the lender does not diminish (i.e. the net present value of cash flows of the loan remains the same after restructuring). If the obligor remains likely to meet its obligations under the renegotiated contract, there is no need to classify the exposure as defaulted.
  3. The EBA clarifies that credit institutions facing a substantial number of individual assessments to be carried out should follow a risk-based approach and prioritise the individual exposures most likely to have had a significant impact.

Your contacts for more details: 

Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com)

Yvan Stempnierwsky (Yvan.Stempnierwsky@arendt.com)

Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)

(08/04/20)

In the context of the COVID-19 pandemic, cybercriminal activities and cyber disruption have increased. The EBA has published a statement calling on financial institutions to comply with the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04 of 28 November 2019), which clarify the expectations in terms of cybersecurity.

The EBA notably calls on financial institutions to ensure:

  • that they have adequate internal governance and an internal control framework in place for operational resilience (business continuity, ICT and security risks management);
  • appropriate ICT and security risk management focusing on the mitigation of the most significant ICT risks, taking into account the evolving environment and staying vigilant in their cyber security monitoring and measures, as the current situation might pose additional cyber threats;
  • that necessary measures are in place to ensure that the capacity of their IT systems supports their most critical activities, including those enabling their customers to carry out their operations remotely;
  • effective crisis communication measures with all relevant internal and external stakeholders, including appropriate engagement with customers in light of potential additional cyber-crime activities or operational disruptions;
  • the monitoring and seeking assurance on the level of compliance of their third party providers with the financial institution’s security objectives, measures and performance targets;
  • that the business continuity plans are up to date and adapted, including considerations related to potentially longer-term nature of the measures applied for COVID-19.

Useful link: EBA Statement on additional supervisory measures in the COVID-19 pandemic

Your contacts for more details: 

Pierre-Michaël de Waersegger (Pierre-Michael.deWaersegger@arendt.com)

Anne-Sophie Daumont (Anne-Sophie.Daumont@arendt.com)

(11/05/20)