Financial Services

ESMA consults on draft guidelines on the internal control systems framework for some of its supervised entities

Written by

Dr. Michael Huertas

RegCORE Client Alert | Capital Markets Union

QuickTake

On 19 December 2024 the European Securities and Markets Authority (ESMA) published a consultation paper on draft guidelines related to the internal control systems (ICS) framework of some of its supervised entities – specifically for benchmark administrators (BAs) and market transparency infrastructure providers (MTIPs), the latter being comprised of trade repositories (TRs), data reporting services providers (DRSPs) and securitisation repositories (SRs).

The proposed draft guidelines build on ESMA’s existing Internal Control Guidelines currently in place for credit rating agencies (CRAs) and propose to extend those regulatory principles and supervisory expectations to the aforementioned body of BAs and MTIPs when operating in the EU. This extension means that the existing guideline would be replaced by this new comprehensive guideline proposed in the consultation paper and the draft guidelines to form one central set of rules applicable to all BAs, CRAs and MTIPs with respect to their ICS frameworks.

As assessed in this Client Alert, the draft guidelines outline ESMA’s expectations for the components and characteristics of an effective ICS framework ensuring (i) a strong framework, detailing the internal control environment and informational aspects; and (ii) effective internal control functions, including compliance, risk management and internal audit (each an ICF). The draft guidelines equally reflect ESMA’s supervisory expectations on how supervised entities reflect the impact and risk of information and communications technology (ICT) on business operations and the ICS framework. Welcomingly, the draft guidelines also explain in greater detail how ESMA applies proportionality in its expectations regarding the internal controls of a supervised entity.

The consultation is primarily addressed to national competent authorities (NCAs) as well as the body of CRAs, BAs and MTIPs within the scope of ESMA supervision as well as financial groups with a controlling participation in such persons. ESMA will review the stakeholder feedback received to this consultation by 18 March 2025 and expects to publish a final report containing the final version of the guidelines by the fourth quarter of 2025. Following the publication of the final report, ESMA will translate the guidelines into the official languages of the EU and request clarification from the NCAs as to whether they will apply the guidelines. (Footnote: As explored in other Client Alerts, the term “should”, in the context of the drafting of EU legislative but also other rulemaking instruments, including supervisory guidance instruments such as guidelines, carries a specific connotation that is important to understand, as is how it differs from the use of the term “must”. To recap: … (please see PDF file of this article to read on)) This process takes up to three months so that the new guidelines in final form are likely to become applicable by early 2026 at the earliest.

Key takeaways from the draft guidelines

ESMA currently directly supervises all EU CRAs, SRs and TRs as well as certain BAs and DRSPs. The EU Regulations granting ESMA the mandate for direct supervision each contain a number of requirements relating to the ICS framework that supervised entities must maintain. There are slight differences between those requirements. Equally, as ESMA notes, these EU Regulations provide limited details on how the various components and characteristics of the ICS should integrate and function together as complementary parts of a unified framework.

In an effort to centralise and upgrade those requirements, ESMA is using the consultation paper and proposed draft guidelines to build on, but equally replace, the existing ESMA-published Guidelines on Internal Control for CRAs. The proposed draft guidelines, once finally approved, will serve as a central, comprehensive and consistent set of rules on ICS frameworks applicable to all the entities ESMA directly supervises (except for non-EU, i.e., third country, central counterparties). As ESMA equally notes, the outcomes in the draft guidelines also aim to embed a number of its expectations that have been communicated bilaterally with certain entities during supervisory engagements. ESMA further notes that such an approach can help ESMA take a consistent approach to its supervisory assessment of ICS practices across all entities it supervises.

The harmonisation that ESMA is looking to achieve also extends to rolling out supervisory expectations on the use of artificial intelligence (AI) as well as ICT risk management for entities subject to the EU’s Regulation known as the Digital Operational Resilience Act (DORA). This, in particular, concerns the mapping and managing of technology risk from external and internal sources and the integration of ICT solutions into supervised entities’ ICS frameworks.

ESMA’s proposed guidelines are structured in two key parts, namely: …