Our preceding article on Investment Officer addressed how Luxembourg’s CSSF is helping asset managers prepare for the introduction of the EU’s Digital Operational Resilience Act (Dora) and highlighted that the Dutch supervisory authority, the AFM, would provide an update on ICT-related incidents for the implementation.
This update was published on 27 June 2024. It offers further insight into managing ICT incidents, classifying and registering ICT incidents, and reporting significant cyber threats and serious ICT incidents.
Key highlights of the AFM update
With the compliance deadline of 17 January 2025 approaching, asset managers must undertake substantial organisational work to meet Dora requirements. The AFM and the Dutch Central Bank will commence their supervision from this date. While some Dora-related requirements are already in effect for financial companies under existing legislation, several aspects of Dora will necessitate considerable attention, review, and restructuring.
Action points for financial firms
The AFM identifies three critical areas where financial firms should begin preparation:
- ICT-Related Incident Management: Firms must establish and implement an ICT-related incident management process as outlined in Article 17 of DORA. This includes creating a communication policy for internal staff, stakeholders, and media, in accordance with Article 14 of DORA.
- Classification of ICT-Related Incidents: Procedures for classifying incidents must be established and implemented as per Article 18 of DORA. While financial companies can define their own classification criteria, policies must distinguish between major ICT incidents, cyber threats, and other lower or medium risk incidents.
- Reporting of Major ICT-Related Incidents and Cyber Threats: Articles 19 and 20 of DORA mandate the reporting of significant ICT-related incidents and cyber threats. Regulatory technical standards and implementation technical standards are due by 17 July 2024. From 17 January 2025, the AFM portal will be ready to receive incident reports from supervised entities.
Context: New AML/CFT Framework
In addition to Dora, asset managers must also prepare for the EU’s new Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) framework.
Published in the Official Journal of the EU on 19 June 2024, the framework includes:
- Regulation (EU) 2024/1620 (Amla Regulation): Establishes the Authority for AML/CFT, effective 26 June 2024, applying from 1 July 2025.
- Regulation (EU) 2024/1624 (AMLR): Addresses the prevention of using the financial system for money laundering or terrorist financing, effective 9 July 2024, applying from 10 July 2027.
- Directive (EU) 2024/1640 (AMLD6): Requires EU Member States to implement mechanisms for preventing the use of the financial system for money laundering or terrorist financing, with various deadlines extending to 10 July 2029.
This new framework aims to unify and strengthen the EU’s approach to AML/CFT, addressing cross-border risks more effectively.
Implications for asset managers
Both Dora and the new AML/CFT framework will necessitate significant updates to internal procedures and policies. Dora, in particular, will require a thorough review of existing contracts with IT service providers, potentially necessitating amendments or renewals. With just over six months remaining until the compliance deadline, asset managers should prioritise these preparations to ensure timely compliance.
Conclusion
The forthcoming regulatory changes under Dora and the new AML/CFT framework represent substantial compliance challenges for asset managers. Early and proactive measures will be crucial in navigating these updates, ensuring operational resilience, and maintaining regulatory adherence.
Our next contribution, scheduled for Q3 2024, will address the testing of digital operational resilience.
Jan Saalfrank is an investment funds partner at Pinsent Masons Luxembourg. Lous Vervuurt is a lawyer at Pinsent Masons Netherlands and advises clients on financial regulation and anti-money laundering compliance. The law firm is a knowledge partner of Investment Officer.