24 October 2023

EU & UK FinTech regulatory update

A) EU Digital Finance Strategy update

The Digital Finance package is the European Commission’s extensive Financial Technology (FinTech) action plan; alongside the European Green Deal, this remains a top priority for the EU regulatory authorities.

Here is a catch-up of key developments since our last update.

  1. European Single Access Point (ESAP) latest

We’ve been monitoring the European Single Access Point (ESAP) platform for a long time.

ESAP is a ‘common data space’, formally proposed by the European Commission in November 2021.

It is a key part of the Capital Markets Union strategy to support both the EU Digital Finance package and the Green Deal.

The objective is to provide users with “a single access point for public financial and sustainability-related information about EU companies and EU investment products”.

ESAP will rely on a massive amount of source information, previously identified:

  • 200 x current EU regime reporting obligations: facing asset managers, funds, banks, issuers of securities, insurance entities, credit rating agencies, auditors, advisors and intermediaries;
  • 167,000 entities (aka ‘data preparers’): obliged to digitally prepare reporting information, to be filed with their allocated ‘collection body’.

Originally planned for a 2025 launch, ESAP is currently expected to be made available to users from “summer 2027”.

The EU Parliament and Council of EU ministers have now reached a provisional agreement, which covers ESAP legal scope and a gradual transition (2026-2030) “to allow for a robust implementation”:

  • ESAP phase one
    • Scope: Short-selling Regulation, Prospectus Regulation, Transparency directive
    • Transition Period: 1 Jan to 30 June 2027
  • ESAP phase two
    • Scope: “quite large”, e.g. SFDR, PRIIPs, UCITS, plus Credit Rating Agency, Benchmark Regulations
    • Transition Period: begins 1 Jan 2028 (ends 48 months after ESAP enters into force)
  • ESAP phase three
    • Scope: remaining EU legislation, e.g. AIFMD, MiFID II, plus Capital Requirements directive
    • Transition Period: begins 1 Jan 2030 (ends 72 months after ESAP enters into force)

The European Securities and Markets Authority (ESMA) are now tasked to ensure that an operational ESAP can be completed before 31 December 2026. The ‘minimum viable product’ will comprise:

  • Web portal with a user-friendly interface: providing access (incl. persons with disabilities) to ESAP information (all official EU languages)
  • API: enabling easy access to the information in ESAP
  • Search function: all official EU languages
  • Information viewer
  • Machine translation service: for the information retrieved
  • Download service: including ability for large quantities of data
  • Notification service: informing users of any new information in ESAP

In due course, entities in-scope will be required to supply information in data-extractable format or machine-readable format (i.e. alongside their current disclosure obligations) sourced from the likes of:

  • Prospectuses
  • Annual and Half-yearly reporting
  • SFDR Entity Principal Adverse Impact statement
  • SFDR Pre‐contractual disclosure information
  • SFDR Periodic reporting information
  • …and many more.

ESAP information will require metadata and qualified electronic seals (per specifications to follow in due course).

Although the ‘collection body’ will usually be either the firm’s local regulator or ESMA, the draft legal text states they are able to delegate their tasks to a third party.

The EC will confirm the ESAP timelines when the ongoing trilogue discussions are completed (most likely in 2024).

Meanwhile, given the major impact facing our client firms, we need to keep tracking ESAP progress.

  2. Digital Operational Resilience Act (DORA) catch-up

Another reminder of the DORA regulation that legally applies from 17 Jan 2025.

In short, the main objective of DORA is to mitigate ‘concentration risks’ where many regulated firms rely on a handful of (unregulated) external service providers.  It covers a wide scope of EU regimes, including entities operating within the scope of UCITS, AIFMD and MiFID II Directives.

The new regulation will apply rules to:

  • Financial entities (FEs): facing a new risk management, incident reporting, information sharing framework;
  • “Critical” third party providers (CTPPs) of information communication technology (ICT) related services.

CTPPs in scope of DORA will be subject to direct oversight from one of the European Supervisory Authorities (i.e. ESMA, EIOPA or EBA: acting as the ‘Lead Overseer’) and will be charged fees to cover their administrative costs.

The ESAs’ recently issued Technical Advice covers criteria for ‘critical’ ICT third party service providers. This also includes ‘oversight fees’ payable by CTPPs, based on their ‘Applicable turnover’. This technical advice needs to be incorporated into a ‘Level 2’ DORA regulation, for adoption by the EC before 17 July 2024. The ESAs plan to finalise their DORA methodology before the 17 Jan 2025 legal deadline.

NB: in total, the ESAs must finalise fourteen sets of technical standards and reports within the time available.

The public consultation on the first batch of ‘DORA policy products’ ended last month; EFAMA claim these draft measures are “excessive”, “very complex” and recommend “a more proportional and simplified” approach.

  3. Markets in Crypto Assets (MiCA) Regulation status

The MiCA Regulation entered into force in June 2023 to address crypto-assets (i.e. previously un-regulated by existing financial services legislation).  In due course, a UCITS ManCo or AIFM may provide ‘crypto-asset services’ (equivalent to the management of portfolios of investment and non-core services) if they notify their competent authority at least 40 working days in advance.

Similar to DORA, this new regime is dependent on many implementing measures to be developed and finalised by ESMA, before the regulation legally applies between June and December 2024.

Last week, ESMA published two documents in their effort to “encourage preparations for a smooth MiCA transition”:

  • a Letter addressed to the Economic and Financial Affairs Council (ECOFIN)
  • a Statement addressed to entities seeking to provide crypto-asset services and the regulators responsible for their supervision.

ESMA also recently began the second stage of their MiCA public consultations, with the latest set of draft technical standards (307 pages) open for comment until 14 December 2023.

B) UK FinTech latest

Earlier this year, the Financial Conduct Authority (FCA) outlined elements of their post-Brexit Fintech strategy in the current business plan.  Recent updates include:

  • Critical Third Parties (CTPs): the Financial Services and Markets Act 2023 establishes a new Critical Third Party (CTP) regime, similar to EU-DORA. The FCA plan to consult on their proposals to mitigate systemic risks linked to service providers currently un-regulated by the UK supervisory authorities.

NB: this follows a 2022 discussion held with the Bank of England and Prudential Regulation Authority (PRA).

  • Cryptoassets: on 8 October 2023, the FCA Cryptoasset Financial Promotions regime applied to all firms marketing cryptoassets to UK consumers (regardless of firm location, or technology used)


  • Artificial Intelligence (AI): The FCA has declared their ‘emerging regulatory approach’ to artificial intelligence in financial services and will soon issue feedback following a recent discussion covering potential benefits and risks. This month, the FCA Data, Information & Intelligence chief officer made a speech on AI which attracted widespread media attention.


  • Distributed ledger technology (DLT): the FCA will shortly publish a ‘fund tokenization blueprint’. Their recent UK asset manager discussion paper had suggested fund managers might “adopt DLT to offer fully digitised funds to the public”.


  • Digital regulatory reporting (DRR): the FCA are also running a project with the Bank of England to identify ways to automate and streamline various parts of the regulatory reporting process, including the creation of machine-readable regulation (MRR) and machine executable regulation (MER). The FCA continue to collaborate “closely with relevant stakeholders in the industry, including firms and Regtech companies”.





