ESBG warns for duplication in the Cyber Resilience Act through a joint industry statement

ESBG warns for duplication in the Cyber Resilience Act through a joint industry statement

In the past years, various initiatives to regulate organizations’ cyber resilience were published by the European legislators. One of ESBG’s concerns is the possible overlap between the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA), which could lead to a duplication of requirements and general inefficiencies. Therefore, on 21 November 2023, a joint industry statement was issued by ESBG, Afore Consulting, the Association for Financial Markets in Europe (AFME), the European Association for Co-operative Banks (EACB), the European Banking Federation (EBF) and the European Payment Institutions Federation (EPIF).

Both DORA and the CRA serve to increase the cybersecurity and resilience of the European economy, one through the lens of digital products and the other via the ICT systems of financial entities. With their statement, the stakeholders want to draw attention to the possible duplication between the two initiatives, which could result in a highly complex regulatory landscape for financial services.

All of the objectives outlined in the CRA have not only been successfully accomplished but, in many cases, surpassed within the framework of DORA. Further elaboration into the elevated standards to which the financial sector is held will be provided in the upcoming months as the finalization of the DORA Regulatory Technical Standards unfolds.

The statement stresses the importance of recognizing other sector-specific requirements resulting in similar requirements to the CRA, and underlines that the Commission should have the freedom to set guidance on sector-specific application of its rules.

Read the full statement


Latin American banks reaffirm their commitment to financial education and inclusion

Latin American banks reaffirm their commitment to financial education and inclusion

Members of the World Savings and Retail Banking Institute concluded regional meeting with official Declaration

TELA, HONDURAS, 17 NOVEMBER 2023 – The Latin America and Caribbean Regional Group of the World Savings and Retail Banking Institute (WSBI) today issued a Declaration reiterating its commitment to financial education and inclusion as an indispensable element to eradicate poverty and achieve the Sustainable Development Goals (SDGs) of the United Nations 2030 Agenda.

“We must improve the financial inclusion of our clients through financial education aimed at developing effective decision-making skills that leverage improvements in people’s quality of life and well-being,” said Diego Prieto Rivera, WSBI regional president and President of Banco Caja Social (Colombia).

The WSBI’s regional group, known as GRULAC, made its commitment clear by presenting an official statement detailing measures to achieve the goal of financial inclusion in the region with a focus on banking, but also including the role of civil society, multilateral organisations and national governments.

These measures include joining efforts to create an ecosystem for financial education and inclusion, focusing efforts on vulnerable groups, making decisive progress in building trusting relationships between banks and their customers, defining financial education as financial capability building, and developing reliable metrics to assess the impact of financial education programmes.

The statement was officially endorsed by GRULAC members, which are:

Chile BancoEstado
Colombia Banco Caja Social
Cuba Banco Popular del Ahorro
El Salvador Federation of Credit Unions and Banks of the Workers (Fedecrédito)
Honduras Banco Atlántida
Mexico Inbursa
Panama Caja de Ahorros
Peru Peruvian Federation of Municipal Savings Banks Savings and Credit (FECPMAC), Caja Huancayo
Dominican Republic Asociación Popular de Ahorros y Préstamos (APAP)
Venezuela Banco Nacional de Crédito
Regional Latin American Federation of Banks (FELABAN)

The GRULAC meeting was held in Tela, Honduras, on 16-17 November, hosted by Banco Atlántida.

“It was a very productive meeting between institutions that share our common values of serving our communities through responsible banking,” said WSBI Director General Peter Simon.

“It has been of great benefit to meet again among WSBI members after the forced pause due to the pandemic. We had the opportunity to get closer to each other, learn from each other about new technologies and transformation processes to better serve our clients throughout the region,” said Faustino Laínez Mejía, Chairman of the Board of Banco Atlántida, the host of the meeting.

The meeting was entitled “Latin American banking in the midst of transformation: an exchange of experiences”.

WSBI is an association of banks founded in 1924 with members in 69 countries. Combined, WSBI members globally serve 1.4 billion customers, take deposits of USD 11.4 trillion and employ 2.1 million people.

Press contact:

Leticia Lozano Rodríguez
Senior Advisor for the Americas and the Caribbean
+32 476420953

Declaration GRULAC Financial Education and Inclusion 2023Declaration GRULAC Financial Education and Inclusion 2023( en español)

About WSBI

Founded in 1924, WSBI brings together savings and retail banks from 69 countries, representing 6400 savings and retail banks worldwide with 1.4 billion customers. WSBI focuses on international regulatory issues that affect the savings and retail banking industry and provides a platform for knowledge exchange between member banks. Its aim is to achieve sustainable, inclusive, and balanced growth and job creation. Supporting a diversified range of financial services to meet customer needs, WSBI favours an inclusive form of globalization that is just and fair. It supports international efforts to advance financial access and financial usage for everyone. WSBI recognizes that there are always lessons to be learned from savings and retail banks from different environments and economic circumstances. It, therefore, fosters the exchange of experience and best practices among its members and supports their advancement as sound, well-governed, and inclusive financial institutions.


ESBG's letter on the draft STE package for the SREP 2024 data collection

On 8 November, ESBG sent a letter to the European Central Bank (ECB) Supervisory Methodology Division regarding the draft Short-Term Exercise (STE) package for the Supervisory Review and Evaluation Process (SREP) 2024 data collection. The letter asks to postpone the first remittance dates for at least the IRRBB and Market Risk templates starting with Q2 instead of Q1 2024 and for Digitalisation data by 6 months, as well as to narrow the scope and the volume of the required data.

This initiative was developed as a follow-up to a longer and more detailed ESBG paper already submitted to the ECB on 20 October on the same topic. The paper provided general considerations and suggestions on the draft package, thus highlighting specific issues with the design and timeline of specific templates.

ESBG stressed that the proposed changes significantly increase the operational burden associated with the STE reporting for banks. In particular, the new proposed templates represent a formidable increase in data-gathering requirements which comes in addition to the already significantly expanded reporting obligations outside of the SREP. Moreover, the regulatory reporting framework for both interest rate risk and market risk already goes beyond the scope and requirements of the existing STE templates, thus making the information in the latter redundant.

Considering the material expansion in both the scope and volume of required data, the implementation timeline is too short. In light of the methodological challenges posed by some of the new reporting requirements, as mentioned above, we suggested considering a larger period between the date of presentation of the package and the date of implementation to give appropriate time for operationalisation.

The STE package is currently going through the internal ECB decision-making process and the templates shall published on the ECB website in the second half of November.

ESBG's letter PDF


Roberto Timpano
Principal Advisor-Prudencial Policy and Supervision
t. : +32 2 211 11 66


ESBG publishes a new position paper on the European Commission’s proposal for a new Payment Services Regulation following its review of PSD2

Following the European Commission’s proposal for a new Payments Services Regulation, on 28 June, the Commission launched a call for feedback on the proposed legislation. ESBG has responded to this call with a high-level position paper.

The proposed Payments Services Regulation is a key tranche of the wider EU digital finance strategy. It is one-half of the conclusion to the Commission’s review of the Payment Services Directive (PSD2), with the other being a proposed revision of the Payment Services Directive (PSD3).
The Payments Services Regulation builds on the work of PSD2 to which expanded the definition of Payments Services Providers (PSPs) to include Payment Institutions (PIs) and Electronic Money Institutions (EMIs). It has particularly sought to take greater advantage of the open banking project, in concert with the Financial Data Access Regulation proposal, and prevent forms of fraud not foreseen at the introduction of PSD2.
The Payment Services Regulation also reshapes the liability framework for PSPs. One chief concern of the ESBG, as outlined in the position, is the danger of deviating from the well-established principle of gross negligence.
The full ESBG position paper on the Payment Services Regulation can be found here, along with an executive summary.

Executive SummaryPosition Paper


ESBG’s position paper on the potential inclusion of SMEs in the Taxonomy

In November 2023, ESBG published a position paper on the potential inclusion of SMES in the Taxonomy framework. Given saving banks’ unique role vis-à-vis SMEs (ESBG members provide 313 billion euros in loans to SMEs), ESBG believes it is important that they can benefit and contribute to the transition.

Nonetheless, the current reporting framework must be simplified should they be included. Moreover, this inclusion should be the opportunity for a more global review of some shortcomings, notably regarding some indicators (DNSH, GAR).

First of all, ESBG wishes to stress that SMEs are, of enormous importance in the business ecosystem, and it is essential that they adhere to the transition, given their impact on the various sectors and the entire value chain. Given existing EU legislations requirements (CSRD, CSDDD), SMEs will have to report on their activities in any event. According to ESBG members, SMEs are contributing (or planning at least) to the sustainable agenda, even though the situation varies between member states. For instance, 93% of SMEs that are customers of Groupe BPCE have taken preventive action against the risks associated with global warming, natural disasters, or other climatic events, based on a result from a survey conducted in June 2023.

Therefore, ESBG believes it will make sense to include SMEs in the Taxonomy, notably after meeting with them. However, one must avoid creating disadvantages for SMEs and the credit institutions financing them. Bearing that in mind, ESBG recommendations follow the “three I”:
• Implement some proportionality and flexibility regarding the scope.
• Indicators must be reviewed and simplified (some of them at least).
• Incite support for SMEs wishing to transition through various actors and tools.

Indeed, flexibility will be required vis-à-vis SMEs should they be in-cluded in the EU Taxonomy. A solution could be the adoption of a phase-in approach for SMEs. For instance, there could be an alignment be-tween the Taxonomy reporting requirements and the CSRD ones for consistency pur-poses, notably by allowing voluntary taxonomy reporting for SMEs – in the short term at least.

On top of that, ESBG believes that including SMEs in the Taxonomy could be the opportunity to rethink some key performance indicators, not only for SMEs but also for all the companies falling within the scope of the Taxonomy. This is notably the case of the GAR and of the DNSH.

Finally, SMEs will need both the regulatory advice and financial tools to adapt properly to the Taxonomy requirements. ESBG wishes to highlight that financial institutions cannot bear the entirety of this burden alone. Incentives and public support from other actors are needed.

Executive Summary PDFFull Position Paper

ESBG calls for removing sovereignty requirements from ENISA’s EU Cloud Providers Certification Scheme (EUCS) through joint industry statement

ESBG calls for removing sovereignty requirements from ENISA’s EU Cloud Providers Certification Scheme (EUCS) through joint industry statement

The ongoing process of developing a cybersecurity certification scheme for cloud services (EUCS) has been raising serious concerns amongst the EU financial services industry. Therefore, on 26 October 2023, a joint industry statement was issued by ESBG, Afore Consulting, the Association for Financial Markets in Europe (AFME) the European Banking Federation (EBF), the European Payment Institutions Federation, and Insurance Europe.

With this statement, the stakeholders want to draw attention to certain aspects of the EUCS development process that have been raising concerns. This includes the insertion of sovereignty requirements on the EUCS draft text and the lack of engagement with the industry during this process.

Furthermore, the lack of transparency in the process is concerning. The last and only public consultation carried out on the draft certification scheme took place in 2021. Since then, the text has undergone significant changes, including the introduction of sovereignty requirements which had not been part of the consulted version. However, those changes have never been made officially available.

Therefore, the associations co-signing the statement call upon the European Commission and ENISA to:

• Remove the sovereignty requirements from the EUCS candidate scheme and adopt an implementing act which focuses purely on technical requirements that will strengthen the European internal market, as existing EU policies set out in the Digital Operational Resilience Act (DORA), GDPR, and NIS2 Directive provide the best tools for tackling operational resilience and oversight of ICT critical third-party providers;


• Actively engage with the industry during this process to ensure that the final scheme is adequate and fit for purpose.

Joint Statement Pdf


ECSAs call for clarity on the application of SCA obligations to payments

ECSAs call for clarity on the application of SCA obligations to payments

The European Credit Sector Associations (ECSAs) consider eIDAS 2.0 a very significant initiative and we welcome the opportunities that the EUDIW can bring to our sector and beyond.Although the proposal is in its final phase, we would like to reiterate our concern on the persistent lack of a clear indication on whether the strong customer authentication (SCA) obligations apply to payments or not and in case SCA for payments are in scope, that it is limited to ecommerce / online / remote situations.

The provision in question is recital 31 and as it stands, it is open to interpretation. Strong customer authentication is already a part of the Revised
Payment Services Directive (PSD2) Framework and includes different steps: an identification of a customer, an authentication, and the authorization of the payment, with different implementations depending on the various types of payment (card-based, account based, eCommerce, etc.). Currently, SCA is conducted based on the PSD2 framework and the corresponding infrastructure.We consider that mandatory acceptance of an EIDAS 2.0’s SCA for payments should be out of scope as their inclusion would mean disproportionate costs for EUIDW solutions to include all the needed specifications for the financial sector and all sectors accepting e.g., card payments, to put the necessary infrastructure in place. Leaving acceptance on a voluntary basis, will drive investments and developments to where there is a clear market demand.
If there is no clear indication whether payment SCA’s are mandatory, this could lead to confusion in the payments ecosystem, legal uncertainty, and delays, while banks risk making substantial changes to the current infrastructure and the respective networks with multiple stakeholders, when it may not be an obligation.

This vacuum could potentially provide an opportunity for large technology platforms to exploit the EUDIW to reinforce entrenched positions. While originally conceived as an EU tool to strengthen EU sovereignty, the unintended consequence of the eID wallet might be the opposite of its intended goal.If payments are considered in scope, then we would strongly recommend to indicate that the obligation only applies to online and e-commerce. There must also be a reference for the eID wallet to meet the necessary industry specific requirements. This can also be done in a Commission Implementing Act.

Without a clear orientation, the development of EU banking standards within or for the ARF (EUDIW) is also at risk.In view of the implementation of the Regulation, the ECSAs therefore urge the co-legislators and the European Commission to consider this issue and take the necessary steps to provide clear guidance



Study Visit to Hong-Kong and Shenzen

As part of the 2023 study visit to Hong Kong and Shenzhen, a delegation of nearly 20 WSBI members from Europe, Africa, and Asia led by the WSBI-ESBG Managing Director, Peter Simon, had the privilege to tour the Bank of International Settlements (BIS) Innovation Hub situated within the Hong Kong Monetary Authority (HKMA) on the 31st October.

During this enlightening visit, our delegation delved into comprehensive discussions focused on the collaborative strategies of central banks in the region and beyond with the wider banking community. The pivotal topic of discussion? The initiation and advancement of Central Bank Digital Currencies (CBDCs) with a vision to promote broader financial inclusion and to develop enhanced financing avenues for Small and Medium-sized Enterprises (SMEs).

We are thankful for this opportunity for intellectual exchange and are keenly invested in monitoring and contributing to the evolution of digital banking paradigms globally.

The journey of our WSBI study visit to Hong Kong and Shenzhen on Innovation and Fintech continued, bringing us to the heart of Hong Kong – the BEAST Centre of our esteemed member, the Bank of East Asia, Limited.

The afternoon was a whirlwind of insights and knowledge exchange. BEA’s startup and esteemed tech partners, including giants like Google, Microsoft, and FORMS, shared profound perspectives on the challenges and opportunities intrinsic to data utilization and the seamless integration of next-gen AI within banking operations.

What resonated most was the undeniable role Hong Kong serves as the nerve center for fintech within the Greater Bay Area. Truly, an afternoon of inspiration and forward-thinking discourse.