Three New Insolvency Bills in the pipeline

The Commercial Code (Amendment) Bill (bill no. 11 of 2022), the Pre-Insolvency Bill (bill no. 12 of 2022) and the Insolvency Practitioners Bill (bill no. 13 of 2022) have been published and have all reached the second reading stage.  While the aforementioned bills are not yet part of Maltese legislation and may be subject to amendments, the wider intention is to transpose the provisions of EU Directive 2019/1023 on preventive restructuring frameworks on discharge of debt and disqualifications, and on measures to increase the efficiency of procedures concerning restructuring, insolvency and discharge of debt and amending EU Directive 2017/1132. The bills may be accessed here: bill no. 11 of 2022bill no. 12 of 2022 and bill no. 13 of 2022.

FIR/04 on Security of Internet Payments of Credit, Payment and Electronic Money Institutions has been repealed in its entirety

As of 31st August 2022, FIR/04 on Security of Internet Payments of Credit, Payment and Electronic Money Institutions has been repealed in its entirety. FIR/04 no longer remains effective and is no longer applicable to credit institutions and financial institutions given that its contents have been superseded by EU Directive 2015/2366 (PSD 2).

Peer Review on ICT Risk Assessment Under the SREP

The EBA has carried out a Peer Review on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP) and has concluded that the EBA Guidelines on ICT Risk Assessment have been largely implemented by competent authorities in the EU and that the frequency and depth of assessments carried out by such competent authorities are dependent on the ICT risks of the institutions involved, therefore following a risk-based supervisory approach. The EBA noted that the proportionality assessment of ICT risk under the SREP is challenging and amongst its various recommendations, encouraged that ICT experts supervising ICT risk acquire further expertise and recommended the use of self-assessment questionnaires, IT landscape analyses and use of automated tools.

Transferability Guidelines published by EBA

The guidelines for institutions and resolution authorities to complement the resolvability assessment for transfer strategies (the Transferability Guidelines) have been published by the EBA. These guidelines are set to complement the Resolvability Guidelines and are intended to provide guidance on the definition of transfer perimeters, separability of an entity from the rest of the group in resolution and the manner, tools and steps required (operationally) for the implementation of a transfer of a perimeter by way of proportionate measures.   Compliance by institutions and resolution authorities is mandatory as of 1 January 2024.

EBA’s report on the functioning of AML/CFT supervisory colleges in 2021 published

The European Banking Authority (EBA) has recently published a report whereby it analysed the AML/CFT supervisory colleges in the EU in 2021. The EBA noted that while competent authorities have provided resources to their AML/CFT colleges and are committed to implementing the AML/CFT colleges framework, the EBA has held that collaboration and proactivity should be improved. The EBA has provided the following observations for good practices: pro-active participation and sharing of information and involvement of prudential supervisors. The EBA homed in on the point that supervisory competent authorities should exchange information in colleges, immediately and more regularly and that colleges should be organised in a risk-sensitive manner specifically where institutions are exposed to higher risks.

EBA publishes report on analysis of the EU dependence on non-EU banks and of EU bank’s dependence on funding in foreign currency 

The EBA has published a report wherein it carried out an analysis of the EU dependence on non-EU banks and of EU bank’s dependence on funding in foreign currency, in order to assess opportunities and potential vulnerabilities. The EBA noted that as at June 2021, 19% of EU banks’ total funding was denominated in significant foreign currencies and noted that 20% of EU banks’ total fees and commission expenses where incurred for the use of services by non-EU operators residing outside the EU. Moreover, non-EU entities in the EU banking sector had a 12.2% market share of the total banking assessment as at June 2021 (11.4% loans, 6.6% debt securities and 3.1% derivatives). According to the report the data is based on EU based standalone banks and EU registered entities from EU banking groups. For further information on the findings and the statistics, the report can be accessed here.

EBA’s annual Funding Plans Report

The EBA’s annual Funding Plans Report wherein 159 banks provided their funding plans for the years 2022-2024 has been recently published. The report provides statistics from 2021 and comparisons with the intended bank funding in the upcoming years. The EBA noted that banks intend to increase their market-based funding to counterbalance the expected decline in central bank funding and that in view of the notable changes in the economic and market conditions, it is likely that banks will make further adjustments to their funding plans. The full report can be accessed here for more details and statistics.

Standard Contractual Clauses and Data Protection Obligations to be changed as of 27 December 2022

As of 27 December 2022, the standard contractual clauses used to regulate personal data flows with entities established in third countries (non-EEA) must reflect the latest version of SCCs published by the European Commission on 4 June 2021. Not doing so would mean reliance on a contractual mechanism which is no longer recognised as valid. Updating the SCCs would entail getting the third party (with whom the previous SCCs have been concluded) to agree to this new set of SCCs. This could be an opportunity for operations and data processing activities to be reviewed in order to ensure that there have not been any changes or departures from the assessments made in the past, which would trigger the need for action at data protection level. The following slides (which do not constitute legal advice and are provided merely for information purposes) should serve as assistance to assess the need to look into this matter in more detail. Echoing the words of the UK’s Information Commissioner of the 24 October 2022, the “biggest cyber risk is complacency, not hackers”. With the GDPR in its fifth year, supervisory authorities around the EU, not least Malta, have sharpened their focus and expectation that no gaps in an organisation’s data protection obligations be left unplugged. The harmonisation of fining practices, through the European Data Protection Board (EDPB), is a stark reminder that every entity, irrespective of size and jurisdiction, is not only at risk of being subject to a data breach if data protection obligations are not taken seriously, but that such breaches may have consequences that may go far beyond the reputational harm that ensues.

Changes introduced by Directive 2019/2161 transposed into Maltese consumer rights legislation

Amendments have been made to various consumer rights legislation (including the Consumer Affairs Act and the Consumer Rights Regulations) in order to transpose the provisions introduced by Directive 2019/2161 as regards the better enforcement and modernisation of Union consumer protection rules which strengthen the consumers’ rights under the Unfair Contract Terms Directive ((93/13/EEC); Price Indication Directive (98/6/EC); Unfair Commercial Practices Directive (2005/29/EC); and Consumer Rights Directive (2011/83/EU). The changes have already been made to the relevant legislation.