Karl Payeur

🌍 Urgency in Clarifying ESG Regulations The CSSF warns that the clock is ticking for the EU to clear up ambiguities in its new green regulations. Without unified guidance from ESMA, inconsistent application across Europe could undermine confidence in green bonds and sustainable investments. 📢 The call for clear definitions, especially around key terms like "sustainable" and "meaningful," is crucial for maintaining market integrity and preventing fragmentation. 💡 What’s your take on how this might shape ESG investments? Read the full article:

1

🔐 Is your firm’s operational resilience ready to face regulatory scrutiny? With just over 100 days left until the DORA compliance deadline, the clock is ticking for firms to meet the rule's requirements or face potential fines. The latest updates from the European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) have clarified critical elements of DORA like incident reporting, penetration testing, and third-party risk management. Now is the time to ensure your firm is ready. Learn how to meet the DORA requirements before time runs out: https://hubs.ly/Q02SfJH20 #DORA #cybersecurity #riskmanagement #ESA #CybersecurityAwarenessMonth

8

APRA has today released the finalised Prudential Practice Guide CPG 230 Operational Risk Management #CPS230 #CPG230 https://lnkd.in/gP_bh9Xh APRA also released its response to submissions on the draft guide, addressing industry concerns with some important changes and clarifications: https://lnkd.in/gC7bRNsP ⭐ Limited 12 month extension⭐ With the deadline of 1 July 2025 to meet CPS230 rapidly approaching, APRA will allow smaller institutions (ie non-SFIs), a 12 month extension to business continuity and scenario analysis obligations. ⭐A baseline, not best practice – and proportionality⭐ Industry was unclear on exactly what in the guide was regulatory expectation, and what was better practice (particularly for small and mid-sized entities). APRA clarified CPG 230 to focus on minimum “baseline” compliance - but organisations will be expected to do more, proportionate to their size, business risk and complexity. ⭐A "top down" approach focused on critical operations recommended⭐ Industry said it takes time and resource effort to assess the materiality of service providers and update key arrangements.  APRA said a traditional “bottom up” compliance approach can be slow, and recommended a “top down” approach focusing on critical operations and the material service providers that support them. ⭐Moderated supply chain expectations ("fourth parties")⭐ Steps to manage indirect suppliers in supply chains were considered commercially difficult to achieve and expensive to maintain - APRA has moderated its expectations - entities will need to take reasonable steps to identify "fourth parties" in critical supply chains, and deal with their approach to them in service provider management policies. The already significant task of meeting CPS 230 is complicated by a broader ongoing, intensive and deliberately disruptive regulatory reform agenda – designed to change the way Australia does business and change practices. Multiple regulators are expecting transformational change at the same time. And with this reform agenda comes growing confusion between regulatory expectations and attempts to promote better practices and uplift capabilities, and growing gaps between regulatory expectations and organisational capabilities. To navigate this environment, organisations need strong internal coordination and prioritisation, and a structured approach to identifying, understanding and implementing controls for current and emerging regulatory requirements - Ashurst's combined legal, risk advisory and digital products capabilities can help. Ashurst #fsi #finregulation #techlaw

28

1 commentaire

JSA Prism (Data Privacy) | Edition 4 | September 2024 General obligations of data fiduciaries and significant data fiduciaries   In the fourth instalment of the Prism series on the Digital Personal Data Protection Act, 2023, we analyse the general obligations of data fiduciaries and significant data fiduciaries. These obligations encompass principles like accountability, fairness, storage limitation, preserving the integrity and confidentiality of personal data, etc. In the latter part of the Prism, we compare these obligations with data protection laws around the world to identify obligations of data fiduciaries under the General Data Protection Regulation, California Consumers Privacy Act and the Singapore’s Personal Data Protection Act.   To read further details, please click here: https://lnkd.in/gvWBjU45 Akshaya Suresh | Aravindini Uma Magesh #jsa #leadinglawfirm #leadinglawyers #legalupdates #dpdpact #dataprivacy #prism

21

[EU/GDPR] (1 of 2) My key takeaways from the recent EDPB opinion on 'consent or pay' model - Obtaining consent does not absolve the controller from ensuring compliance with data protection principles - The offering of (only) a paid alternative to the service should not be the default way forward for controllers and should consider an ‘equivalent alternative’ that does not entail the payment of a fee (Free Alternative Without Behavioral Advertising - FAWBA) - Alternative service must not use behavioral advertising, such as utilizing generic advertising and using less or no personal data at all. If the Alternative Version differs from the Version With Behavioural Advertising (VWBA) only to the extent necessary as a consequence of the controller not being able to process personal data for behavioural advertising purposes, it can be in principle regarded as equivalent. - If the Alternative Version was of a lower quality or is less rich in functionalities than the Version With Behavioural Advertising, users would not be presented with a real choice. - Not utilizing a FAWBA may have challenges on the consent being 'freely given' and also consent cannot be considered freely given if a controller argues that a choice exists between its service (including consenting to the use of personal data for additional purposes) and an equivalent service offered by a different controller - It is important to consider the detriment to Data Subjects, in particular when such service is part of their daily lives or plays a prominent role (dissemination of information, participation in social life, access to access to professional or employment-oriented platforms) - Detriment may be more likely to occur in large online platforms as a result of lock-in or network effects (e.g. service did not introduce consent or pay but subsequently rolled out such feature in the future) - As to whether there is an 'imbalance of power' factors such as market dominance and when the target audience involves vulnerable data subjects are key considerations - As to the issue on conditionality, where data processing operations are not strictly necessary for the performance of the contract, users must be free to refuse to consent to such processing operations without being obliged to refrain entirely from using the service - When offering a paid alternative to a service entailing behavioural advertising, controllers should ensure that the fee does not hinder data subjects to withhold consent, nor make them feel compelled to consent. - Large scale online platform controllers cannot present data subjects with blanket consent for a number of different purposes. In the context of behavioural advertising, it is important to provide information that is sufficiently granular, so that data subjects can understand which aspects of the service they consent to, while retaining the possibility not to consent to others.

11

1 commentaire

The European Supervisory Authorities (ESAs) have just published an updated version of the Consolidated Q&A on the #SFDR and the SFDR Delegated Regulation. The 15 new Q&As address topics such as disclosures on principal adverse impacts, methods for calculating #Taxonomy-aligned and sustainable investments, the treatment of investments in other financial products, managing investments used for hedging and liquidity, and the requirement to establish websites. The new Q&As are contained in sections I (Scope issues), IV (#PAI disclosures) and V (Financial product disclosures) of the Consolidated Q&As. Stay informed with the latest updates and read the Consolidated Q&As in full: https://lnkd.in/eSnYXzr2

9

Blake Oliver, CPA’s piece “Inadequate penalties incentivize malpractice in auditing” sheds light on the systemic failures and their profound impact on the auditing profession. The cases of Gries and Associates and BF Borgers CPA PC underscore the startling lack of oversight and accountability, allowing substandard practices to persist, ultimately eroding public trust. The glaring inadequacies in the oversight mechanisms within the auditing profession raise critical questions: Who is watching the watchmen? And do the penalties serve as effective deterrents for bad actors? The generally light fines and lenient disciplinary actions reveal a dangerous message, hinting at a lack of meaningful consequences for substandard practices. The U.S. Securities and Exchange Commission’s recent disciplinary order against BF Borgers and its owner signify a step in the right direction towards accountability, albeit falling short of the necessary measures to deter auditor misconduct and restore trust in the profession. Chris Vanover, CPA’s recommendations highlight the need for transparency and accountability, emphasizing the urgency to prioritize audit quality and hold auditors accountable for their actions. The article's insightful case analyses prompt us to re-evaluate the current system of regulation and demand a fundamental shift in increasing penalties for malpractice, enhancing the frequency and scope of Public Company Accounting Oversight Board (PCAOB) inspections, and fostering greater transparency for buyer's of audit services. These actions are crucial to restore public trust and uphold the integrity of the auditing profession. Read the full article here: https://lnkd.in/gem7vAyv #CPAClubLive #CPAClubMembership #CPAClub #CPAClubPasses #FinancialSuccess #Accounting #Auditing #CPA #Audit #AccountingServices #CPALeaders #QualityManagement #cpafirms #pcaob #aicpa #auditquality #auditmanagers #auditseniors #advisory #advisoryseniors #advisorymanagers #cfos #controllers Accounting Today

4

1 commentaire

As we continue to see an uptick in #sanctions enforcement by agencies around the world, companies are increasingly faced with the challenge of coordinating case resolutions with several #regulators across multiple jurisdictions. In this blog post, my colleagues Alexandre ("Alex") Lamy, Geoff Martin, Derk Christiaans and Courtney Mackness discuss key considerations for effectively resolving these complex cases. https://lnkd.in/gvqrMaXH #SanctionsInvestigations #SanctionsEnforcement #BakerGSIG #bakermckenzie

5

1 commentaire

On September 23, 2024 the AICPA's Accounting & Review Services Committee proposed SSARS Applicability of AR-C Section 70 to Financial Statements Prepared as Part of a Consulting Services Engagement, would amend the applicability of AR-C section 70, Preparation of Financial Statements, in AICPA Professional Standards to explicitly exclude financial statements prepared as part of a consulting services engagement performed in accordance with CS section 100, Consulting Services: Definitions and Standards, in AICPA Professional Standards from those engagements in which AR-C section 70 is required to be applied. The comment period ends December 20. The proposed SSARS would become effective for the preparation of financial statements for period ending on or after December 15, 2026. Early implementation would be permitted. #CAS #ARC70 #AICPA #ARSC

1

1 commentaire

The AICPA's Digital Assets Working Group has updated the Digital Assets Practice Aid. The AICPA updated this practice aid by adding two new chapters on auditing the valuation of digital assets, and auditing procedures regarding a digital asset's existence, rights, & obligations, as well as the addition of a new appendix. The practice aid's format has also changed, switching from a narrative structure to a Q&A format. #DigitalAssets #AICPA #PracticeAid

3

The AICPA’s latest SOC 2 Audit Guide revises the SOC 2 Description Criteria requirements and the Points of Focus for the #SOC 2 Trust Services Criteria. It also incorporated requirements from new attestation standards and clarified applicable standards. Forvis Mazars outlines the updates and what impact these may have on your organization in the second part of our 2024 SOC series. https://bit.ly/3Rgo8yZ

5

NFRA Recommends LLP Auditing Standards NFRA, in its 19th meeting, proposed applying 40 SAs and SQMs to LLP audits under Section 34A of the LLP Act 2021. Supported by most members and ICAI, the standards are set to take effect from 1 April 2026, pending government approval. https://lnkd.in/g3Ngvwue

7

Final DORA Level 2 Regulation Published: Act Now to Ensure Compliance On 17th July 2024, the three European Supervisory Authorities (EBA, EIOPA, and ESMA) published the second batch of level 2 rules under the Digital Operational Resilience Act (DORA). This marks a significant milestone in the legislative process, providing much-needed clarity for businesses working to implement the required changes before the compliance deadline of January 17, 2025. The Challenges and the Need for Immediate Action The recent publication includes several finalized guidelines and regulatory technical standards (RTS) that businesses must follow. However, the final draft level 2 rules on subcontracting are still pending, which adds a layer of complexity for financial entities and IT suppliers who must navigate these changes. The delay in the subcontracting rules, among the most challenging aspects of DORA, emphasizes the importance of immediate action to ensure all other areas are compliant. Why Should Clients Act Now? 1. Imminent Deadline: Financial entities must comply with DORA by January 17, 2025. The window to implement these extensive changes is closing rapidly.    2. Complex Compliance Requirements: DORA imposes significant obligations on ICT governance, risk management, security practices, and vendor arrangements. Waiting for all rules to be finalized could leave insufficient time for thorough implementation. 3. Operational Risk: Failure to comply not only risks regulatory penalties but also leaves organisations vulnerable to operational disruptions and cyber threats. Why our Services? Navigating DORA's comprehensive requirements demands specialized legal expertise. Here’s how we can assist: 1. Expert Guidance: We provide detailed insights into the final level 2 rules, helping your organisation understand and prioritise necessary changes.    2. Strategic Implementation: From ICT governance to risk management and security practices, we offer strategic advice to streamline compliance efforts.    3. Contractual Remediation: With the pending subcontracting rules, we can assist in reviewing and amending IT service agreements to meet DORA’s standards, ensuring your contracts are robust and compliant. By acting now and leveraging specialized legal services, you can navigate these regulatory changes effectively, mitigating risks and ensuring operational resilience. #DORA #EU #ICT #FinancialServices #WeAreSpencerWest

9

On 2 July, the Luxembourg law transposing the EU's Digital Operational Resilience Act (DORA) was officially published. DORA, which takes effect on 17 January 2025, establishes a standardized framework for managing digital risks across the European financial landscape. This new law designates the CSSF and CAA as the responsible authorities for overseeing DORA compliance within Luxembourg. It also empowers them to enforce regulations and impose sanctions for non-compliance. If you operate in Luxembourg's financial sector, it's time to start preparing for DORA! Discover the key implications and features of this new legislation in our latest client alert : https://lnkd.in/g5qNu3tq For further information on what these developments mean for your organization, please get in touch with Jean-Francois Trapp and Ana Vazquez. Baker McKenzie Baker McKenzie Luxembourg #DigitalResilience #FinancialSector #DORA #LuxembourgLaw #ClientAlert #BakerMcKenzieLuxembourg #BakerMcKenzie #LegalUpdate 

9

As the digital landscape evolves, so do the risks. Our counsel Pierre Affagard from the #Paris office will be joining Control Risks to discuss the topic at IPEM Paris 2024, a major international #PrivateEquity event 📅 On 10 September, the breakfast roundtable entitled “When things go wrong: Cyber Risks Impacting Investors in 2025” will provide an overview of how cyber risks affect investors and their portfolio companies. The speakers will cover the current threat landscape, portfolio management risks, pre-deal cybersecurity due diligence and incident response for investors. Looking forward to seeing you there! We have extensive experience in large-scale cyber-attacks and provide an end-to-end cyber risk solution to clients. Learn more 💡 https://bit.ly/3ZbiToL #CyberRisk #DigitalSecurity #CyberSecurity #Data

1