The primary purpose of the Austrian regulatory framework for the banking sector is to maintain a stable financial system, by doing the following:
In accordance with its EU membership, Austria has implemented a banking and financial framework that is highly influenced by European rules and regulations. The key Austrian legislation applicable in the banking sector is as follows.
In addition to Austrian law, certain EU regulations are directly applicable to Austrian credit institutions, such as the Capital Requirements Regulation (Regulation No 575/2013/EU – CRR), which, to a large extent, is based on the Basel III standards issued by the Basel Committee on Banking Supervision. The CRR includes most of the technical provisions governing the prudential supervision of Austrian credit institutions.
Regulatory Authorities
Austrian Financial Market Authority (FMA)
The FMA is established as an integrated supervisory institution, supervising all financial service providers in Austria. It shares responsibilities with the Oesterreichische Nationalbank (OeNB) in connection with banking supervision. While the OeNB is in charge of fact-finding, including on-site and off-site analysis of banks, the FMA is responsible for the decision-making process and is therefore empowered to act as the competent authority in the areas of banking supervision and banking recovery and resolution.
European Central Bank (ECB)
The ECB is responsible for banking supervision in the European area under the Single Supervisory Mechanism (SSM) and supervises significant entities in Austria, together with the FMA as the National Competent Authority (NCA) and the OeNB. Therefore, the FMA works in close co-operation with the ECB and the OeNB. However, the exclusive responsibility for granting and extending concessions of CRR credit institutions (ie, those credit institutions that receive deposits or other repayable funds from the general public and grant loans on their own account pursuant to Article 4 paragraph 1 no 1 of the CRR) lies with the ECB. For Austrian non-CRR credit institutions and branches of foreign credit institutions, the exclusive responsibility remains with the FMA.
Types of Licence
The ECB licenses CRR credit institutions in SSM member states and those (mixed) financial holding companies for which it is the consolidating supervisor. However, the scope of the licence granted by the ECB also extends to regulated activities under Austrian law.
The FMA licenses the following:
Licences granted can be subject to conditions and requirements, and can cover one or more types of transactions listed in Section 1 of the BWG.
In Austria, licensed credit institutions may also provide banking services in other EU member states by way of using the freedom of establishment or by using the freedom to provide services.
Since 29 May 2021, (mixed) financial holding companies registered in Austria must apply for a special licence as a (mixed) financial holding company upon exceeding specified trigger thresholds relating to the equity, consolidated assets, revenues, personnel or other indicators of a subsidiary qualifying as a credit institution, investment firm or financial institution. The corresponding licensing procedure is basically comparable to that of a banking licence procedure, but its scope is somewhat reduced. Thus, (mixed) financial holding companies are required to provide the FMA with certain information, such as detailing the organisation and allocation of tasks within the group, and whether they are suitable shareholders of credit institutions held as subsidiaries. A (mixed) financial holding company as well as its management needs to be able to ensure regulatory compliance with capital requirements, but also to prevent conflicts within the group and to ensure the enforcement or implementation of group-wide policies and adequate risk management.
Activities and services covered, and any restrictions on licensed banks’ activities
Pursuant to the BWG, an entity requires a credit institution licence issued by the competent supervisory authority to carry out activities listed in Section 1 paragraph 1 of the BWG, particularly when carrying out one or more of the following activities for a commercial purpose:
An entity must also be licensed by the competent supervisory authority as a financial institution to carry out additional activities listed in Section 1 paragraph 2 of the BWG, particularly when carrying out one or more of the following activities for a commercial purpose in addition to their activities as a credit institution:
The licence for conducting banking activities as a credit institution or additionally as a financial institution may be granted with connected conditions and obligations, and may be restricted to the individual banking activities mentioned above. The scope of the licence(s) granted to each entity is publicly available in the company database of the FMA.
In September 2020, the FMA established an accompanying licensing procedure in the form of a regulatory sandbox. In this sandbox, FinTechs seeking a licence, as well as existing licensed entities wanting to test financial innovations, are prepared for supervision in an intensive dialogue with the FMA so that they can test their business models.
Application Process
In general, the ECB is responsible for granting and extending licences to CRR credit institutions. For Austrian non-CRR credit institutions and branches of foreign credit institutions in Austria, competence remains with the FMA.
Nevertheless, all applications must be submitted to the FMA, regardless of whether the decision is to be taken by the FMA or the ECB.
The following key documents are to be reviewed by the FMA/ECB as part of the licensing process:
The licensing process for CRR credit institutions, for which the ECB is responsible, is outlined below.
Before the application is submitted to the FMA, there is a preliminary discussion phase in which the receipt of the application is confirmed. After formal confirmation by the FMA, a formal ECB approval decision must be issued within 12 months. The ECB’s experts must be involved by the FMA at an early stage of this process.
The FMA assesses whether the conditions set out in the BWG are met in the application. If the applicant fulfils the conditions, the FMA forwards the application with a draft decision and the relevant documentation to the ECB for the decision-making process. The applicant must provide specific details regarding the business plan, including the nature of the planned transactions, the credit institution’s organisational structure, risk management strategies for banking activities, the identity of, and the amount contributed by, owners who possess a qualifying holding in the credit institution, and the information required to assess the reliability of these owners. The ECB conducts its own assessment of the application based on the FMA’s draft decision and makes a final decision, which is then notified to the applicant. The average timing depends on whether or not the application is for a “full” licence and therefore for major banking activities, but the process should be completed within 12 months.
Licensing applications for Austrian non-CRR credit institutions (CRR financial institutions) or Austrian branches of non-EU-based and non-EEA-based (CRR and non-CRR) credit institutions are conducted entirely by the FMA.
Requirements
The licence is issued by the FMA (or the ECB for CRR credit institutions) if the following requirements are fulfilled:
Costs
The fee for an FMA licence for the operation of bank transactions amounts to approximately EUR10,000, and the extension fee for a licence amounts to EUR2,000. If the applicants engage a lawyer, further costs for the licence proceedings arise. Annual ongoing costs for the licence are also charged.
The ECB further charges annual supervisory fees to all CRR credit institutions in Austria, whereby significant banks must pay a higher supervisory fee than less significant banks.
Pursuant to Section 20 paragraph 1 of the BWG, the FMA must be informed in advance in writing by any person who has taken a decision to acquire or dispose of (directly or indirectly) a participation of 10%, or to increase or decrease a qualified shareholding by reaching a 20%, 30% or 50% threshold of voting rights or capital in an Austrian credit institution (or in such a way that the credit institution becomes a subsidiary undertaking of that party). This includes investors acting together.
Furthermore, the credit institution shall immediately notify the FMA in writing of any acquisition or relinquishment of qualified shareholdings, and of any reaching, exceeding or falling below the shareholding thresholds as soon as it becomes aware thereof. In addition, credit institutions must notify the FMA in writing at least once a year of the names and addresses of shareholders holding qualified interests.
The FMA has a maximum of 60 working days from the receipt of the notification and all the documents required pursuant to Section 20b paragraph 3 of the BWG to prohibit the proposed acquisition in writing following an assessment according to the assessment criteria set forth in Section 20b of the BWG, provided there are reasonable grounds therefor, or if the information submitted by the proposed acquirer is incomplete. Thus, the FMA shall examine the suitability of the interested buyer and the financial stability of the intended acquisition.
The FMA will review and assess all information provided by the proposed acquirer in connection with the notification, focusing on the criteria set by law.
Specific information to be filed is provided for in the Ownership Control Regulation, including information about:
If the bank is listed on the Austrian stock exchange, an acquirer must also comply with the provisions of the BörseG and the Takeover Act (eg, filing and notification obligations, mandatory takeover bid, etc).
Similar requirements must be fulfilled if the proposed acquirer intends to acquire a qualified holding in an insurance company, an investment firm, an investment service provider or a payment institution.
The FMA has published a detailed set of guidelines and circular letters (FMA Rundschreiben) on the application and scope of the organisational regulations, which depend on the type of business activities envisaged by the entity. An institution has to implement and continuously monitor a comprehensive set of organisational requirements, such as organisational structure, clear decision-making processes, documentation and reporting obligations, and responsibilities.
Pursuant to Section 38 of the BWG, the management shall define and oversee the internal principles of proper business management (“fit and proper”), guaranteeing the requisite level of care when managing the institution. It must focus particularly on the segregation of duties in the organisation and the prevention of conflicts of interest and, to that end, establish mechanisms to safeguard the security and confidentiality of information.
The BWG stipulates that management boards of credit institutions whose total assets exceed EUR1 billion or which have transferable securities listed on a regulated market must establish an audit committee. This committee supervises the audit and issuance of financial statements, the internal control system, audit function and risk management system.
Further, the management boards of credit institutions whose total assets exceed EUR5 billion must establish (i) a nomination committee; (ii) a remuneration committee; and (iii) a risk committee.
Banks are required to ensure the suitability of their managing directors, supervisory board members and holders of key functions on an ongoing basis. In addition to an internal guideline for the assessment process, banks are also required to provide ongoing training for their governing bodies and employees.
Sections 5 (1) (6)-(13), 28a and 30 (7a) of the BWG contain requirements for the members of the management and the supervisory board of credit institutions.
Fit and Proper Hearings
The FMA and the ECB apply an increasingly strict assessment procedure when evaluating the professional suitability of functionaries. Newly appointed governing bodies are invited to a hearing, and the theoretical knowledge required for the respective company is tested in an oral examination. The material covered for credit institutions includes financial expertise, the BWG and related ordinances, applicable special laws and European supervisory laws (CRR, EBA Regulatory Technical Standards, EBA Guidelines, etc) as well as the contents of the FMA Minimum Standards and FMA circulars. Basic knowledge of corporate law and knowledge of the institution within the framework of the “know your structure” principle is also required.
Requirements for the remuneration policies and practice of credit institutions licensed in Austria are set out in Section 39 paragraph 2 and Section 39b of the BWG, and in the Annex to Section 39b. These provisions implement the EU Directives governing remuneration policies and practices (CRD IV and CRD V) into Austrian law. The FMA has to take these regulations into account, in line with the European convergence of supervisory tools and supervisory procedures. As a consequence, the guidelines and recommendations (and other measures) issued by the EBA must be applied. Therefore, the Annex to Section 39b of the BWG, the circular letter (re-)issued by the FMA in January 2018 (Grundsätze der Vergütungspolitik und -praktiken; Rundschreiben der FMA zu §§ 39 Abs. 2, 39b und 39c BWG) and the EBA guidelines on remuneration policies (eg, guidelines on sound remuneration policies under CRD IV and disclosures under the CRR) contain the main rules for restrictions on remuneration.
Therefore, the remuneration provisions of the BWG shall ensure that credit institutions adopt remuneration policies and practices that encourage their employees to act in a sustainable and long-term manner and align their personal objectives with the long-term interests of the credit institution.
Pursuant to Section 39 paragraph 2 of the BWG, credit institutions and groups of credit institutions need to have administrative, accounting and control procedures for the identification, assessment, management and monitoring of banking business and banking operational risks, as well as risks arising from remuneration policies and practices, that are appropriate to the nature, scale and complexity of the banking business conducted.
The Financial Markets Anti-Money Laundering Act (Finanzmarkt-Geldwäschegesetz – FM-GwG) has been in force since 1 January 2017, transposing the international and European rules for the prevention of money laundering and terrorist financing into national law. Provisions relating to beneficial ownership are now also set out in the Beneficial Owners Register Act (Wirtschaftliche Eigentümer Registergesetz – WiEReG).
The FM-GwG imposes special due diligence requirements and defines special obligations for credit and financial institutions regarding due diligence and reporting in order to prevent money laundering and terrorist financing. Bank business may only be transacted with customers who have been identified – the “know-your-customer” principle.
Before a credit or financial institution begins a business relationship, it must verify the identity of the customer.
The Act on Deposit Guarantee Schemes and Investor Compensation (ESAEG) implements the Directive on Deposit Guarantee Schemes (Directive 2014/49/EU) and regulates the protection of deposits and credit balances, including interest on accounts and savings. The objective of the ESAEG is to ensure the rapid and comprehensive compensation of depositors’ claims in the event of a guarantee. The aim is to ensure that claims arising from security incidents are satisfied by the member institutions of the security schemes within a short period of time, so that financial obligations for the federal government can be avoided. In a guarantee case, deposits of up to EUR100,000 per customer and bank are covered. Every credit institution domiciled in Austria that wishes to accept customer deposits or provide investment services requiring guarantees must belong to a protection scheme.
Since 1 January 2019, the single deposit guarantee and investor compensation scheme, a limited liability company (Einlagensicherung Austria GesmbH – ESA), has assumed responsibility for the compensation of all depositors and investors in Austrian credit institutions. Another institutional protection scheme organised as a limited liability company (Sparkassen-Haftungs-GmbH) is recognised by the FMA and the ECB as an alternative deposit guarantee and investor compensation scheme in Austria. In 2022, a third institutional protection scheme (Österreichische Raiffeisen-Sicherheitseinrichtung eGen) was recognised.
Section 38 paragraph 1 of the BWG stipulates the obligation of a bank, its shareholders, corporate bodies, staff and other persons who are acting on behalf of the bank not to disclose certain information and secrets that have come to their attention based on their relationship with the customers.
A secret in the legal context means a fact that is known only to the keeper of the secret themselves or only to a relatively limited circle of persons. Furthermore, the fact must not be accessible, or must be accessible only with difficulty, to persons otherwise interested in such fact. This includes circumstances where disclosure or exploitation is likely to violate a legitimate interest of the customer. Accordingly, banking secrecy includes the name and contact details of the creditor, the amount of the credit volume and the account balance information of the customer.
The concept of a secret is also characterised by the subjective component that the holder of the secret has an interest or desire to treat a fact as a business secret, as the owner of the secret would be at a disadvantage in case of disclosure. However, as this desire to maintain secrecy may not be established in some situations, the negative criterion that the existence of a secret is excluded if the owner of the secret renounces the secrecy has been supported by scholars.
Banking secrecy is intended to protect the legitimate interests of a customer in maintaining the confidentiality of facts that become known to the bank in the course of the business relationship. This includes all secrets that are exclusively entrusted, disclosed or made accessible within the scope of a business relationship; such secrets may not be disclosed or exploited. This is necessary to maintain the basis of trust between credit institutions and customers. Furthermore, the access of third parties to these secret facts – of the federal state in particular, but also of private persons interested in receiving information – is to be excluded or limited to the extent that the customer only has to accept exceptions from banking secrecy under certain conditions.
Exceptions to banking secrecy are stipulated in Section 38 paragraph 2 of the BWG – eg, in criminal proceedings vis-à-vis public prosecutors and criminal courts.
Banking Secrecy and Non-performing Loans
Banking secrecy plays a key role in the sale of non-performing loans. Section 38 paragraph 2 of the BWG does not contain any express exception for the sale of non-performing loans. On the basis of the BWG, only an exception based on the customer’s express consent is possible. However, the Austrian Supreme Court has decided that a breach of banking secrecy is permissible if special requirements are met; in particular if the bank’s interest in a sale outweighs the customer’s interest in confidentiality.
A breach of banking secrecy generally results in the nullity of the legal transaction under civil law and also can lead to administrative and criminal law consequences.
Capital Requirements
Article 92 of the CRR sets out the specific capital requirements for the types of risk to be covered in accordance with Article 92 (3). Article 92 (2) of the CRR defines the capital ratio as a percentage of the total risk amount – the so-called solvency ratio (Solvabilitätskoeffizienten). The total risk amount is the sum of the institutions’ credit risk, operational risk, market price risks and the risk of a credit valuation adjustment. This total risk amount is to be compared to the own funds of the credit institution, resulting in the capital ratio of the institution.
Accordingly, credit institutions must maintain at least the following own funds requirements at all times:
In addition to these minimum capital requirements, an institution must meet certain capital buffer requirements.
As the capital buffers contained in the CRD have been transposed into Austrian law by Sections 23 to 23f of the BWG, the capital conservation buffer of 2.5% of risk-weighted assets (RWA) therefore applies by virtue of Austrian law and is applicable to every credit institution licensed in Austria.
However, the FMA may set additional capital buffers on an individual basis, including:
Liquidity Requirements
The CRR (CRR II) requires entities to hold enough liquid assets to deal with any possible imbalance between liquidity inflows and outflows under gravely stressed conditions during a period of 30 days (Liquidity Coverage Ratio – LCR) and to ensure their ongoing ability to meet short-term obligations. The LCR as a short-term liquidity business ratio was fully introduced in 2018; amendments made by the CRR II have applied since June 2021. The new rules impose a binding leverage ratio requiring institutions to maintain Tier 1 capital of at least 3% of their non-risk-weighted assets. An additional leverage ratio buffer will apply to G-SIIs. In addition, the European Commission has proposed that credit institutions should also ensure that their long-term obligations will be adequately met with a diversity of stable funding instruments under both normal and stressed conditions (Net Stable Funding Ratio – NSFR – as a long-term liquidity business ratio). Furthermore, entities are required by the BWG to ensure that they are able to meet their payment obligations at any time – eg, by establishing company-specific financial and liquidity planning based on banking experience pursuant to Section 39 paragraph 3 of the BWG.
According to Section 82 of the BWG, insolvency proceedings cannot be opened in the form of reorganisation proceedings (Sanierungsverfahren); business supervision proceedings (Geschäftsaufsichtsverfahren) or bankruptcy proceedings (Konkursverfahren) can, however, be instituted. In addition, the conclusion of a reorganisation plan is not possible in bankruptcy proceedings.
In addition to the BWG, the BRRD provides central provisions in the area of insolvency, recovery and resolution.
Austria has implemented the BRRD by adopting the BaSAG, thereby creating a national legal framework for dealing with banks that are failing or likely to fail. The BaSAG contains provisions covering the following:
The following resolution tools are at the FMA’s disposal:
The bail-in is one of the core elements of the BRRD. It provides the resolution authority with the possibility to write down the eligible liabilities in a cascading contribution to absorb the losses of an institution, or to convert them into equity capital.
If insolvency proceedings are opened over the assets of a credit institution or a legal entity pursuant to Section 1 of the BaSAG, it must continue to provide services or support if the resolution authority has issued a corresponding order.
The amendments made by CRR II and CRD V regarding the capital requirements of credit institutions and investment firms shall strengthen the resilience of the banking sector by introducing more risk-sensitive capital requirements. Challenges arise in particular from the fact that these concepts designed for large institutions (“big players” and G-SIIs) – eg, total loss-absorbing capacity (TLAC) and minimum requirement for own funds and eligible liabilities (MREL) – may not be applied to small institutions without making adaptations, as Austria has a particularly large number of small and medium-sized banks.
The financial sector has faced recent challenges created by new forms of digitalisation and data processing technology in banking operations and investment services (fintech). Traditional financial institutions in particular have to be aware of their new digital competitors. Other important issues include the rising standards of regulation, complexity and the increasing costs for the institutions. With regard to the current interest rates, the “compliance tool” proposed by the European Commission, aimed at facilitating institutions’ compliance with its Regulations and Directives, may enable each institution to rapidly identify the relevant provisions with which it has to comply and improve its cost-to-income ratio.
The EU Sustainability Taxonomy
Regulation (EU) 2020/852 of the European Parliament and of the Council of 18 June 2020 on the establishment of a framework to facilitate sustainable investment, and amending Regulation (EU) 2019/2088, places sustainability at the centre of the financial system. This is intended – in accordance with Regulation (EU) 2020/852 – to direct capital flows into “sustainable” investments. Regulation (EU) 2020/852 is addressed to companies engaged in capital markets and thus also to financial institutions that provide investment advice or portfolio management to retail clients or professionals who are therefore called upon to act responsibly.
Regulation (EU) 2020/852 sets out considerable disclosure obligations for entrepreneurs as of 1 January 2022 in order to provide (potential) investors with “clear and not misleading” information about the respective company and financial instrument. To this end, the regulation contains the criteria for determining whether an economic activity is to be classified as environmentally sustainable in order to be able to determine the degree of environmental sustainability of an investment. For this purpose, the regulation defines the following six environmental objectives:
For an economic activity to be considered environmentally sustainable under the EU taxonomy, the following conditions must be met:
Transparency Obligations
The rules for financial market participants and financial advisers on transparency with regard to the integration of sustainability risks and the consideration of adverse sustainability impacts in their processes and the provision of sustainability‐related information with respect to financial products are laid down in Regulation (EU) 2020/852 and Regulation (EU) 2019/2088, which provide for the following transparency obligations:
Schottenring 12
A-1010 Vienna
Austria
+43 1 53770 0
office@fwp.at www.fwp.at

Key Updates
The banking regulatory landscape in the European Union (EU) is complex and constantly developing towards a secure, harmonised market, fostering financial stability. The Austrian banking law largely aligns with the standards set by the European legislator. Some of the most interesting developments include the forthcoming final implementation of the Basel III framework, which addresses liquidity requirements, capital adequacy, and stress testing standards. Alongside the prudential capital requirements regime, the EU has placed growing emphasis on enhancing the cybersecurity and operational resilience of the banking sector. Initiatives like the Digital Operational Resilience Act (DORA) outline specific requirements for financial institutions to manage their digital operational risks. National regulations have seen minimal changes, including an additional exemption from banking secrecy, for example. This article highlights key trends and developments in banking regulation within the EU and Austria for 2023.
Implementation of the Basel III Reforms
On 26 June 2023, the European Parliament and the Council agreed on the European Commission’s proposal of 2021 on a review of EU banking rules. Thus, the EU is implementing the remaining reforms agreed in the Basel III framework, which aim to strengthen the capital and liquidity requirements for credit institutions. This process is scheduled to commence next year and gradually unfold between 2025 and 2026.
The upcoming reforms will bring about a new way of measuring the risk of bank assets, known as risk-weighted assets (RWA). The asset groups that will be affected most include real estate and corporate loans. For instance, projects seeking funding for commercial real estate will need to have at least 150 percent of their value backed in equity. The banking package will also set an output floor for the internal models used by credit institutions for the assessment of risk and determination of how much capital they require. Credit institutions may deviate from the standard models and use their own (internal) statistical models to calculate their capital requirements. These internal models must be regularly updated and monitored by supervising authorities. According to the new rules, the capital computed through internal models should amount to no less than 50 percent, with a gradual increase to 72.5 percent by 2030, of capital calculated using the standardised approach.
The output floor will limit deviations between different institutions using internal models. The goal is to make sure that different credit institutions do not have wildly different ways of calculating risk. On average, the European Banking Authority (EBA) expects that these changes will require credit institutions to increase their capital by about 15%. Larger credit institutions, which tend to rely more on their customary methods, will be more affected by the projected output floor because they tend to have a greater difference between their internal approach and the standard one.
The banking package will also introduce changes to the way credit institutions can be resolved if they face financial troubles (ie, the resolution regime) by amending the Capital Requirements Regulation (CRR) to remove inconsistencies with the Bank Recovery and Resolution Directive (BRRD). The changes will adjust the regulatory treatment of global systemically important institution groups (G-SIIs – ie, large EU credit institution groups with third-country subsidiaries) with a multiple point of entry resolution strategy. Such G-SII groups are required to hold sufficient amounts of highly loss-absorbing (ie, bail-inable) liabilities in accordance with the Total Loss-Absorbing Capacity (TLAC) standard adopted by the Financial Stability Board. However, the current CRR does not make it clear whether the TLAC standard’s adjustments for these large credit institution groups also apply to their subsidiaries in other countries.
Furthermore, the banking package will introduce a dedicated prudential treatment of the so-called daisy chain approach and incorporate directly into the CRR the indirect subscription of instruments eligible for internal minimum requirement for own funds and eligible liabilities (internal MREL) within resolution groups with several layers of ownership. The deduction regime developed by the EBA envisages that internal MREL-eligible instruments issued by subsidiaries to the entity under resolution via an intermediate parent would have to be fully deducted from the amount of the intermediate parent’s own internal MREL capacity resulting in the application of an appropriate risk weight of zero percent in all the relevant resolution cases. Similar issues were identified in the CRR leverage ratio requirement. This is not yet possible under the CRR, resulting in inconsistencies between the prudential (capital requirement) treatment and resolution framework under the BRRD.
Enhanced EU-wide Stress Testing
The EU is developing a new EU-wide stress testing framework that is more comprehensive and forward-looking than the current one. Stress tests are used to assess the resilience of the EU banking sector to a range of shocks. In summer 2023, the EBA and the European Central Bank published the results of their 2023 EU-wide stress test, which involved 111 EU/EEA credit institutions, covering 75% of the EU banking sector’s assets. The stress test allowed supervisors to assess the resilience of EU/EEA credit institutions over a three-year horizon under both a baseline and an adverse scenario.
The findings demonstrate the enduring strength of EU/EEA credit institutions when subjected to a challenging scenario marked by a severe recession in the EU and worldwide, escalating interest rates and widened credit spreads. The robustness of EU/EEA credit institutions can be attributed, in part, to their sound capital positions at the start of the assessment, with an average fully loaded CET1 ratio of 15% (common equity tier 1 – ie, the highest quality of regulatory capital, consisting of liquid bank holdings such as cash and stock). This substantial ratio enables credit institutions to absorb the erosion of capital reserves under adverse circumstances. On an EU-wide basis, the Common Equity Tier 1 ratio in the adverse scenario falls by 4.6 percentage points to 10.4%. With an average fall in the capital ratio of 3.7 percentage points to 11.1% in the adverse scenario, Austria sits in the European midfield.
Furthermore, improved earnings and enhanced asset quality at the outset of 2023 serve to mitigate the depletion of capital reserves under the adverse scenario. Even with combined losses of EUR498 billion in the adverse scenario, EU/EEA credit institutions maintain capital adequacy that allows them to continue providing essential financial support to both households and businesses, even during periods of severe economic strain. Nonetheless, the current high level of macroeconomic uncertainty underscores the need for vigilance, requiring both regulatory authorities and financial institutions to prepare for the possibility of a further deterioration in economic conditions.
Banking Secrecy Exemption
Under Section 38 of the Austrian Banking Act (Bankwesengesetz – BWG), credit institutions are subject to a strict duty to keep customer information confidential. This means they cannot share any information they receive from their customers unless disclosure is required by law. This banking secrecy rule is taken very seriously and covers all the information a credit institution learns while doing business with its customers.
Payment service providers must provide certain information to their home EU member state or host EU member state to enable those member states to comply with their collection obligations set out in Regulation (EU) No 904/2010 on administrative cooperation and combating fraud in the field of value added tax. These records may include, among others, information subject to banking secrecy, which is why the introduction of a new exemption provision in Section 38(2) of the BWG was also necessary. Because the banking secrecy provision of the Banking Act can only be amended as a constitutional provision, this amendment required the presence of at least half of the deputies in the National Council, the main legislative body in Austria, and a majority of two-thirds of the votes cast.
Cybersecurity and Operational Resilience
Following the 2008 crisis, the Union has primarily sought to strengthen financial resilience and to safeguard the competitiveness and stability of the financial sector from economic, prudential and market conduct perspectives.
Information and communication technology (ICT) plays a pivotal role in the financial services sector. Financial entities use ICT in almost every aspect of their business operations, and the technology has become a core feature of the financial sector. But with great power comes great responsibility: increased digitalisation and connectivity enhance functionality but also amplify the risk of cyber threats and ICT disruptions.
The following legislative measures regulate IT security in the EU:
The NIS Directive was transposed into Austrian law by means of the Network and Information Systems Security Act (Netz- und Informationssystemsicherheitsgesetz – NISG) and laid the groundwork for cybersecurity harmonisation in the EU. The NISG assigned responsibility for the strategic agenda to the Federal Chancellery and for the operational agenda to the Ministry of the Interior. Austria also set up Computer Emergency Response Teams (CERTs) and adopted national NIS strategies and national NIS co-operation plans. The NIS2 Directive and the CER Directive must be transposed into national law by 17 October 2024.
The Austrian financial supervisor, the Austrian Financial Market Authority (FMA), serves as the competent authority for handling reports of major operational or security incidents submitted by payment service providers in accordance with the Austrian Payment Services Act, which transposes Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (PSD II). PSD II also contains provisions on outsourcing. For credit institutions, apart from the EBA guidelines on outsourcing arrangements, a harmonised framework for outsourcing is still missing. Section 25 of the BWG applies only to the outsourcing of critical and important banking functions. The outsourcing rules under PSD II constitute a lex specialis and supplement the BWG outsourcing provision.
Furthermore, the EBA has published guidelines on ICT and security risk management and guidelines on internal governance.
Regrettably, the EU’s previous approach to digital operational resilience in the financial sector lacked coherence, and the provisions addressing digital operational resilience were not fully or consistently harmonised to meet the sector’s needs. The EU is now increasingly focused on strengthening the cybersecurity and operational resilience of the banking sector. This includes initiatives such as Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (ie, the Digital Operational Resilience Act (DORA)), which sets out requirements for financial institutions to manage their digital operational risks.
Digital Operational Resilience Act (DORA)
DORA is a new regulation that entered into force on 16 January 2023 and sets out requirements for financial institutions to manage their digital operational risks, in order to further bolster the resilience of the financial systems of the EU member states and of the EU as a whole. The addressees of DORA have a two-year grace period and will be required to comply in full from 17 January 2025. However, as the regulatory and implementing technical standards are expected to be published only in early 2024, the implementation period is effectively shortened to one year.
The regulation provides for a single, no longer fragmented, set of rules for the entire financial sector and is intended to ensure that all participants in the financial system have the necessary safeguards in place to prevent or at least mitigate cyberattacks and other risks. DORA deals with five major topics:
The addressees of the regulation are companies and institutions operating in the EU financial and insurance sector (financial entities), such as credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers and issuers of asset-referenced tokens, central securities depositories and central counterparties, trading venues, securitisation repositories, managers of alternative investment funds and management companies, insurance and reinsurance undertakings and intermediary institutions for occupational retirement provision, credit rating agencies and crowdfunding service providers.
Additionally, DORA applies to companies that are not financial entities themselves but provide IT services to financial entities (ICT third-party service providers) – ie, cloud service providers, software providers, data analytics providers and server service providers. Microenterprises (ie, financial entities that employ fewer than ten people and whose annual turnover or balance sheet total does not exceed EUR2 million) are exempted from many DORA provisions or are subject to the regulation only in a limited manner.
The principle of proportionality plays a decisive role in the application of DORA. When implementing the rules and obligations, financial entities must take into account their size, risk profile and the nature of their services. Supervisory authorities should likewise apply the proportionality principle when assessing compliance. This flexible approach keeps DORA’s broad application in balance.
DORA is a specific regulation that complements the NIS2 Directive. It ensures co-operation between the EU’s general cybersecurity framework and the security of the financial system. DORA replaces the ICT risk management and reporting requirements of the CER Directive for certain financial entities. Additionally, payment service providers under PSD II will now report all payment-related incidents under DORA, even if they are not ICT-related. This streamlines reporting and avoids duplicate obligations.
ICT Risk Management and Reporting
DORA is designed to help financial institutions manage digital operational risks that could disrupt or impair their ability to deliver essential services. It sets clear requirements for the ICT risk management framework, requiring financial entities to identify, assess and manage their digital operational risks and to develop and implement incident response plans. Financial entities must establish a comprehensive internal governance and control system for handling ICT risks and assess it annually (with microenterprises doing so on a “regular” basis).
The management body of the financial entity plays a central role in meeting these requirements. It is responsible for defining, approving, supervising, and executing all arrangements pertaining to ICT risk management. Additionally, financial entities, excluding microenterprises, must also establish an autonomous control function for managing ICT risks.
DORA establishes a robust ICT-related incident reporting regime that aims to give competent supervisory authorities the complete overview they need to fulfil their roles. Financial entities are required to create protocols and workflows to detect, manage and report ICT incidents. Major ICT-related incidents must be reported to the relevant regulatory authority. Furthermore, financial entities must promptly inform their clients when they become aware of a significant ICT-related incident that affects the clients’ financial interests.
Digital Operational Resilience Testing
DORA will introduce a harmonised framework for ICT testing to reveal vulnerabilities and risks. The co-ordinated testing regime, with mutual recognition of results, will require financial entities to have tests carried out by independent internal or external parties, at least annually for ICT systems and applications that support critical or important functions. Furthermore, certain financial entities, including systemically relevant credit institutions, central counterparties and trading venues, will be required to carry out advanced testing of ICT tools, systems and processes based on the Threat-Led Penetration Testing (TLPT) method at least every three years.
ICT Third-Party Risk
DORA will further regulate the provision of ICT services by third parties, whether within the same group or externally outsourced. As a matter of principle, financial entities remain ultimately responsible for ensuring that ICT third-party providers comply with DORA.
Financial entities are required to establish and periodically review a strategy for handling ICT third-party risk. Before entering into any outsourcing arrangement, the financial entity must carry out a selection procedure that includes an ICT risk assessment of the third-party provider and of the envisaged arrangement. Additionally, financial entities must maintain an up-to-date register of all contractual arrangements for third-party ICT services and report these arrangements annually to the relevant supervisory authority. Furthermore, they must assess the risk of relying on a single third-party ICT provider in order to prevent overreliance.
Like the EBA guidelines on outsourcing arrangements, DORA contains provisions on outsourcing agreements. These provisions cover various aspects and considerations for agreements with ICT third-party providers, such as:
The provisions will be applicable to existing agreements as well. Financial entities will need to update their outsourcing arrangements to align with the new regulation.
Apart from the provisions for financial entities, a consistent European monitoring framework is planned for specific ICT third-party service providers classified as “critical”, which is intended to ensure that they are adequately and effectively monitored at Union level. These rules, jointly referred to as the Oversight Framework, establish the necessary oversight and monitoring bodies and processes while remaining complementary to the sectoral law applicable to outsourcing. The Joint Committee of the European Supervisory Authorities establishes the Oversight Forum, and together they appoint a Lead Overseer for each critical ICT third-party service provider.
In the run-up to the oversight regime for such critical ICT third-party service providers, the assessment by the Lead Overseer will include:
Following the assessment, the Lead Overseer will create an individual oversight plan outlining the annual goals and key actions for each critical ICT third-party service provider. The compliance of these providers will be rigorously evaluated from both technical and legal perspectives.
Should a critical ICT third-party service provider decide not to comply with the oversight plan, the competent authority will inform the financial entities concerned and may require them to temporarily suspend, in whole or in part, their use of the services of that ICT third-party service provider or to terminate the relevant contractual relationship. In cases of non-compliance and infringements, the Lead Overseer can impose a periodic administrative penalty payment of up to 1% of the provider’s average daily worldwide turnover in the preceding business year.
Information Sharing
DORA provides rules for sharing cyber threat information and intelligence among financial entities. Previously, concerns about data protection, antitrust and liability rules (eg, in Austria, the highly relevant banking secrecy rules) limited such communication. Financial entities are encouraged to exchange cyber threat information and intelligence among themselves and with non-supervisory authorities such as Europol. Such information sharing is compliant with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), owing to the relevant exemptions.
Information sharing between financial entities is to be implemented through information-sharing arrangements that protect the potentially sensitive nature of the information shared, respect business confidentiality, ensure the protection of personal data and contain guidelines on competition policy. These arrangements should define the rights of the parties involved, and participation in an information-sharing arrangement must be notified to the supervisory authority.
Additionally, financial entities can voluntarily report significant cyber threats to the relevant competent authority when they believe these threats are relevant to the financial system, service users, or clients.
Practical Recommendations for Implementation
Gap analysis
Financial entities are already subject to rigorous supervisory scrutiny of their IT security. It is crucial for them to conduct a thorough gap analysis to identify which IT security measures are currently in place internally and to prioritise the implementation of any measures needed to close the identified gaps as soon as possible.
Risk management
Financial entities need to evaluate their existing ICT risk strategies, policies and procedures in light of the new regulation. This evaluation should encompass the entire organisational structure, including risk management, controlling and internal audit, and extend to the competencies and responsibilities of the management body. They also need to evaluate the services provided by third-party ICT providers to identify concentration risks and, if necessary, implement additional control and monitoring measures.
Third-party ICT service providers
For existing contracts, a review is necessary to ensure that key contractual provisions meet the new requirements. When engaging new providers (ie, entering into new contracts), financial entities should conduct a more detailed pre-contractual risk assessment to ensure compliance. Additionally, they should perform regular audits once the outsourcing arrangement has begun.
Conclusion
Market participants need to take account of a further set of regulatory rules, and this requires legal assistance. The legal rules underlying these frameworks can be complex and difficult to navigate. It is crucial for credit institutions and other financial entities, as well as third-party ICT service providers, to seek professional legal assistance in order to interpret the rules properly and ensure full compliance. By doing so, the parties can mitigate the risk of non-compliance and contribute to the overall stability of the financial system.
DLA Piper Weiss-Tessbach Rechtsanwälte GmbH
Schottenring 2-6
1010 Vienna
Austria
+43 1 53178 1042
+43 1 53178 52 52
jasna.zwitter-tehovnik@dlapiper.com
www.dlapiper.com/en/austria/locations/vienna/