Compliance terms, briefly explained.

AML / AMLA

• AMLR — the EU AML Single Rulebook

  The “Single Rulebook” refers chiefly to the AMLR — the Anti-Money-Laundering Regulation (EU) 2024/1624 — a directly applicable, EU-wide uniform AML/CFT rulebook that replaces the patchwork of nationally transposed AML directives. It is part of the 2024 EU AML package alongside the AMLA Regulation (EU) 2024/1620 (the new EU authority, seated in Frankfurt) and the sixth AML Directive (EU) 2024/1640. The AMLR applies from 10 July 2027.

  Read→

DORA

• DORA Art. 28 — ICT third-party register

  The ICT third-party register under Art. 28 of DORA (Regulation (EU) 2022/2554) is a mandatory inventory of every ICT service provider that each in-scope financial institution must maintain and submit to the competent authority annually by 31 March. It documents, per provider, at minimum: identification, service type, criticality assessment, contract date, sub-outsourcing chain and data-processing location.

  Read→

• Register of Information (DORA)

  The Register of Information is the inventory that financial entities must maintain under DORA (Regulation (EU) 2022/2554, Art. 28(3)) of all contractual arrangements for the use of ICT services provided by ICT third-party service providers — kept at entity, sub-consolidated and consolidated level. The reporting templates are set out in Implementing Regulation (EU) 2024/2956; a first supervisory collection of the registers took place in spring 2025.

  Read→

• TLPT — Threat-Led Penetration Testing (DORA)

  TLPT is the advanced, threat-led penetration-testing duty under DORA (Regulation (EU) 2022/2554, Arts. 26–27): financial entities identified by their supervisor must, at least every three years, have a realistic attack test run against their critical live systems. The method is based on the TIBER-EU framework; the detailed rules sit in Delegated Regulation (EU) 2025/1190.

  Read→

Sustainability / CSRD

• Double Materiality

  Double materiality is the core principle of CSRD reporting: a sustainability matter must be reported if it is material from the impact perspective (the company's effects on people and the environment, inside-out) or from the financial perspective (how the matter affects the company's position and performance, outside-in) — either view suffices. Its legal basis is the CSRD (Directive (EU) 2022/2464), operationalised in ESRS 1.

  Read→

• ESRS — European Sustainability Reporting Standards

  The ESRS are the standards companies use to report on sustainability under the CSRD. The first set was enacted as Delegated Regulation (EU) 2023/2772 (adopted 31 July 2023) and contains twelve standards: two cross-cutting (ESRS 1, ESRS 2), five environmental (E1–E5), four social (S1–S4) and one governance standard (G1). They build on double materiality. After the Omnibus package a slimmed-down, revised set is being developed — still in draft as of 2 June 2026.

  Read→

Governance

• Fit and Proper

  Fit and proper requirements ensure that persons who run a regulated firm or hold a key function are suitable: 'fit' means professional qualification, knowledge and experience; 'proper' means integrity and good repute. For insurers the basis is Art. 42 of Solvency II (Directive 2009/138/EC), for banks Art. 91 CRD (Directive 2013/36/EU); the joint ESMA/EBA guidelines on suitability (EBA/GL/2021/06) flesh out the assessment.

  Read→

EU AI Act

• FRIA — Fundamental Rights Impact Assessment

  The FRIA (Fundamental Rights Impact Assessment) is a fundamental-rights impact assessment prescribed in Art. 27 of Regulation (EU) 2024/1689. Certain deployers — including, expressly, insurers within the meaning of Annex III item 5 — must perform it before putting a high-risk AI system into service. It complements, but does not replace, the GDPR DPIA: the FRIA examines fundamental rights more broadly (non-discrimination, dignity, freedom of movement) and its results must be notified to the national market-surveillance authority; the EU AI Office is to develop a template for this under Art. 27(5) (not yet published as of mid-2026).

  Read→

Sustainability

• Greenwashing (EU sustainable finance)

  Greenwashing means misleading sustainability claims about a company, product or service. There is no single anti-greenwashing law; it is enforced through the SFDR, MiFID II, IDD, UCITS/AIFMD and the Unfair Commercial Practices Directive. The three EU supervisory authorities (EBA, EIOPA, ESMA) published their final reports on 4 June 2024; the ESMA guidelines on fund names require, among other things, an 80% threshold and have applied since 21 November 2024.

  Read→

Banking / Prudential

• ICAAP — Internal Capital Adequacy Assessment Process

  The ICAAP is a bank’s own internal process for determining, on an ongoing basis, that its internal capital is adequate to cover all the material risks to which it is, or might be, exposed. Its legal basis is Art. 73 of the Capital Requirements Directive (CRD, Directive 2013/36/EU). The ECB expects two perspectives — a normative (multi-year, regulatory) and an economic one — and the ICAAP feeds directly into the SREP and thereby into the setting of P2R and P2G.

  Read→

• Output Floor (CRR III / Basel III)

  The output floor is the centrepiece of the EU's implementation of the Basel III finalisation. It caps the capital benefit of internal models by lifting a bank's risk-weighted assets to at least 72.5% of the figure produced by the standardised approaches. Its legal basis is CRR III (Regulation (EU) 2024/1623); the floor phases in from 1 January 2025 (starting at 50%) and reaches the full 72.5% in 2030.

  Read→

• P2R & P2G — Pillar 2 Requirement and Guidance

  P2R and P2G are the capital-related outcomes of the supervisory SREP for banks. The Pillar 2 Requirement (P2R) is a binding, institution-specific own-funds add-on above the Pillar 1 minimums (Art. 104a CRD). The Pillar 2 Guidance (P2G) is a non-binding supervisory expectation of an additional buffer above the binding requirements (Art. 104b CRD). Breaching P2R can trigger distribution restrictions (MDA) via the combined buffer requirement; falling below P2G does not do so automatically.

  Read→

• SREP — Supervisory Review and Evaluation Process

  The SREP is the process by which banking supervisors regularly assess each bank’s business model, governance, capital and liquidity, and decide whether to impose additional own funds or other measures. Its legal basis is Arts. 97 and 104 of the Capital Requirements Directive (CRD, Directive 2013/36/EU); the methodology is harmonised by the EBA Guidelines EBA/GL/2022/03. Its key outputs are the Pillar 2 Requirement (P2R, binding) and Pillar 2 Guidance (P2G, non-binding).

  Read→

Markets / MAR

• MAR — Market Abuse Regulation

  The Market Abuse Regulation (MAR) — Regulation (EU) No 596/2014, applicable since 3 July 2016 — prohibits market abuse: insider dealing, unlawful disclosure of inside information, and market manipulation in respect of financial instruments. For issuers the core duties are ad-hoc disclosure (Art. 17), insider lists (Art. 18) and managers’ transaction notifications (Art. 19). Crypto-assets do not fall under MAR but under the separate market-abuse regime in Title VI of MiCA.

  Read→

MiCA

• MiCA CASP authorisation

  The CASP authorisation under Art. 60 et seq. of Regulation (EU) 2023/1114 (MiCA) is the EU-wide authorisation for crypto-asset service providers. It supersedes national crypto permissions and confers EU passporting (Art. 65) — an authorisation granted in one member state allows operation across the EU after written notification. The activity catalogue (Art. 3(16)) comprises seven service types, including custody, exchange, brokerage, advice and portfolio management.

  Read→

Solvency II

• ORSA — Own Risk and Solvency Assessment

  The ORSA (Own Risk and Solvency Assessment) is the undertaking-internal risk and solvency assessment prescribed in Art. 45 of the Solvency II Directive 2009/138/EC. Insurers must assess at least annually whether their own funds cover their own overall solvency needs — beyond the regulatory SCR, across the entire business-planning horizon, and under their own stress scenarios. Directive (EU) 2025/2 extends the ORSA from 30 Jan 2027 with explicit liquidity, sustainability and systemic-risk scenarios.

  Read→

SFDR / ESG

• PAI — Principal Adverse Impacts (SFDR Art. 4)

  Principal Adverse Impacts (PAI) are the material negative effects of investment decisions and advice on sustainability factors — environmental, social and employee matters, human rights, and anti-corruption and anti-bribery matters. Art. 4 of the SFDR disclosure regulation (EU) 2019/2088 requires an entity-level statement on these on a “comply-or-explain” basis — mandatory for financial market participants with more than 500 employees. The concrete indicators sit in the RTS, Delegated Regulation (EU) 2022/1288.

  Read→

PRIIPs / Investor protection

• PRIIPs KID — Key Information Document

  The PRIIPs KID (Key Information Document) is a standardised, at-most-three-page pre-contractual document that gives retail investors the key features, risks and costs of a packaged retail and insurance-based investment product (PRIIP) in a clear, comparable form. Its legal basis is the PRIIPs Regulation (EU) No 1286/2014 (applicable since 1 Jan 2018); the revised technical standards apply from 1 Jan 2023. Since then, UCITS funds also need a KID instead of the former UCITS KIID.

  Read→

Methodology

• RegTech

  RegTech (regulatory technology) is the umbrella term for software that supports financial institutions in meeting regulatory requirements — by automating monitoring, classification, reporting and audit documentation. Unlike FinTech, RegTech does not address the end customer; it addresses the compliance, risk and legal function of the bank, insurer or CASP.

  Read→

Insurance / Prudential

• SCR — Solvency Capital Requirement

  The SCR is the risk-sensitive capital requirement under Solvency II (Directive 2009/138/EC, Arts. 100–127). It is calibrated so that an insurer's eligible own funds can absorb a loss that statistically occurs once in 200 years — a Value-at-Risk at the 99.5% confidence level over a one-year horizon (Art. 101(3)). It is computed via the standard formula or an approved internal model.

  Read→

Sustainability / SFDR

• SFDR Article 8 & Article 9 (products)

  Under the disclosure regulation SFDR (Regulation (EU) 2019/2088), Article 8 products promote environmental and/or social characteristics, while Article 9 products pursue sustainable investment as their objective. They are disclosure categories, not formal labels — the market terms 'light green' and 'dark green' do not appear in the legal text. The templates are governed by the RTS (Delegated Regulation (EU) 2022/1288). As of 2 June 2026 this scheme is binding; a reform (SFDR 2.0) is proposed but not adopted.

  Read→

Payment services / PSD2

• SCA — Strong Customer Authentication

  Strong Customer Authentication (SCA) is the multi-factor authentication that PSD2 (Article 97 of Directive (EU) 2015/2366) requires for electronic payments and online access to payment accounts. It relies on at least two of three independent elements — knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is). The technical detail — dynamic linking, exemptions and secure communication with third-party providers — sits in the SCA-RTS (Commission Delegated Regulation (EU) 2018/389), applicable since 14 September 2019.

  Read→

• Open Banking / XS2A

  Open banking is the regulated third-party access to payment accounts created by PSD2 (Directive (EU) 2015/2366) — “access to the account” (XS2A). With the customer's consent, account-servicing banks (ASPSPs) must grant access to authorised payment-initiation services (PISPs, Art. 66) and account-information services (AISPs, Art. 67). The secure interface (a dedicated API plus a fallback) and strong customer authentication are governed by the SCA-RTS (Commission Delegated Regulation (EU) 2018/389). The proposed PSD3/PSR would improve API access; the proposed FIDA Regulation would extend the principle beyond payment accounts to “open finance” — neither is yet law.

  Read→

Conduct / Distribution

• Suitability & sustainability preferences (MiFID II / IDD)

  When giving investment advice, firms must assess suitability: that a product matches the client's knowledge and experience, financial situation and investment objectives. The basis is Art. 25(2) MiFID II (Directive 2014/65/EU). Since 2 August 2022 the assessment must additionally capture the client's sustainability preferences — introduced by Delegated Regulation (EU) 2021/1253 (MiFID II) and (EU) 2021/1257 (IDD).

  Read→

AML / Crypto

• Travel Rule (TFR) for crypto-asset transfers

  The Travel Rule requires that identifying information on the originator and the beneficiary “travels” with every crypto-asset transfer, so transfers stay traceable for AML/CFT purposes. In the EU it lives in the recast Transfer of Funds Regulation — Regulation (EU) 2023/1113 (TFR) — which extends FATF Recommendation 16 to crypto-asset service providers (CASPs) and applies from 30 December 2024. Critically, and unlike funds transfers, crypto-asset transfers have no de-minimis threshold — the data is required regardless of amount.

  Read→

AML

• UBO — Ultimate Beneficial Owner

  The ultimate beneficial owner (UBO) is the natural person who ultimately owns or controls a legal entity. Under the new EU anti-money-laundering regulation (AMLR, Regulation (EU) 2024/1624, Art. 52) the ownership indicator is holding 25% or more of shares or voting rights — a deliberate shift away from the earlier AMLD test of more than 25%. The AMLR applies from 10 July 2027.

  Read→