Guidelines amending Guidelines on equivalence of confidentiality regimes

EBA/GL/2025/05 22/12/2025 Final Report Guidelines amending Guidelines EBA/GL/2022/04 on the equivalence of confidentiality regimes

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 2 Contents 1.Executive Summary 3 2.Background and rationale 4 3.Guidelines 7 4.Accompanying documents 22 4.1 Views of the Banking Stakeholder Group (BSG) 22

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 3

1. Executive Summary The EBA is mandated under Regulation (EU) No 1093/2010 and related sectoral legislation1 to en￾sure that third-country confidentiality and professional secrecy frameworks meet EU standards be￾fore confidential information can be shared. These guidelines provide principles for assessing equiv￾alence and reflect recently completed evaluations. They now extend to include confidentiality and professional secrecy provisions under Regulation (EU) 2023/1114 (MiCAR), clarifying definitions and scope for competent authorities when engaging with third-country authorities. The amending Guidelines incorporate recent EBA assessments of third-country regimes. The guide￾lines confirm that the framework applicable to the Australian Transaction Reports and Analysis Cen￾tre (AUSTRAC), the National Financial Regulatory Administration (NFRA) of China, the Central Bank of Montenegro, the Superintendency of Bank, Insurance and Pension Fund Administrators (SBS) of Peru, the National Bank of Serbia, the Financial Conduct Authority (FCA) and the Prudential Regu￾lation Authority (PRA) of UK is equivalent. They also update references to MiCAR requirements and reflect changes in legal frameworks in some third countries. While these guidelines inform opinions on equivalence, they do not address the need for cooperation arrangements or participation in supervisory colleges. No public consultation or cost-benefit analysis was conducted, as the changes affect only inter￾authority practices without direct impact on financial institutions Next steps 1 CRD - Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176 27.6.2013, p. 338, ELI : http://data.eu￾ropa.eu/eli/dir/2013/36/oj); PSD2 - Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment ser￾vices in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337 23.12.2015, p. 35, ELI: http://data.eu￾ropa.eu/eli/dir/2015/2366/2025-01-17); AMLD - Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Par￾liament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73, ELI: http://data.eu￾ropa.eu/eli/dir/2015/849/2024-12-30); BBRD - Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms and amending Council Directive 82/891/EEC, and Directives 2001/24/EC, 2002/47/EC, 2004/25/EC, 2005/56/EC, 2007/36/EC, 2011/35/EU, 2012/30/EU and 2013/36/EU, and Regulations (EU) No 1093/2010 and (EU) No 648/2012, of the European Parliament and of the Council (OJ L 173, 12.6.2014, p. 190, ELI: http://data.europa.eu/eli/dir/2014/59/2025-01-17); MiCAR - Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (OJ L 150, 9.6.2023, p. 40, ELI: http://data.europa.eu/eli/reg/2023/1114/2024-01-09).

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 4 These amending Guidelines will be translated into the official EU languages and published on the EBA website. The deadline for competent authorities to report whether they comply with the amending Guidelines will be two months after the publication of the translations. The amending Guidelines will apply two months after the publication date at the latest.

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 5 2. Background and rationale 2.1 Background

1. Regulation (EU) No 1093/2010 mandates that the European Banking Authority (EBA) sup￾port Member States in ensuring third-country confidentiality and professional secrecy frameworks meet EU standards. Similarly, some of the sectoral legislation like Di￾rective 2013/36/EU (CRD) 2 , Directive (EU) 2015/2366 (PSD2) 3 , Di￾rective (EU) 2015/849 (AMLD) 4 , Directive 2014/59/EU (BRRD) 5 and Regula￾tion (EU) 2023/1114 (MiCAR)6 require that EU authorities cooperate with authorities from third countries either on a bi-lateral basis or via supervisory colleges. The confidentiality and professional secrecy regime that is equivalent to that in the EU is often a precondition under EU law for sharing confidential information with third-country supervisory authori￾ties.
2. These amending Guidelines reflect assessments conducted by the EBA in recent years un￾der CRD, PSD2, AMLD, BRRD and MiCAR. The table in the Annex to these guidelines sets out the specific provisions in the third-country framework applicable to the third-country authorities which were assessed as equivalent to the relevant provisions in the EU legisla￾tion. Furthermore, the Guidelines outline common principles for determining third-country equivalence with provisions in in MiCAR. However no such assessments have been per￾formed yet. 2 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Di￾rective 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176 27.6.2013, p. 338, ELI : http://data.europa.eu/eli/dir/2013/36/oj). 3 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regula￾tion (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337 23.12.2015, p. 35, ELI: http://data.eu￾ropa.eu/eli/dir/2015/2366/oj 4 Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regula￾tion (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73, ELI: http://data.europa.eu/eli/dir/2015/849/oj). 5 Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a frame￾work for the recovery and resolution of credit institutions and investment firms and amending Council Di￾rective 82/891/EEC, and Directives 2001/24/EC, 2002/47/EC, 2004/25/EC, 2005/56/EC, 2007/36/EC, 2011/35/EU, 2012/30/EU and 2013/36/EU, and Regulations (EU) No 1093/2010 and (EU) No 648/2012, of the European Parliament and of the Council (OJ L 173, 12.6.2014, p. 190, ELI: http://data.eu￾ropa.eu/eli/dir/2014/59/oj). 6 Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (OJ L 150, 9.6.2023, p. 40, ELI: http://data.europa.eu/eli/reg/2023/1114/oj).

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 6 3. The Guidelines provide guidance that should inform the opinions of competent authorities, and by extension that of the EBA, about the equivalence of the confidentiality and profes￾sional secrecy framework in third countries before engaging with authorities in these juris￾dictions. Regarding the assessments under the AMLD, these Guidelines will continue to ap￾ply until such time that they are replaced with a similar legal instrument published by the EU single AML Supervisor7 (AMLA). 4. These Guidelines do not include guidance on whether there is a need for a cooperation arrangement between competent authorities or the EBA and a third-country authority or on whether a third-country authority should participate in a supervisory or resolution col￾lege. 2.2 Rationale 5. Upon the publication of MiCAR, the EBA performed an analysis of confidentiality and pro￾fessional secrecy requirements under that Regulation. As a result, the EBA concluded that the existing guidelines (EBA/GL/2022/04) should be amended to reflect the new require￾ments and how they are embedded in the EBA’s equivalence assessment methodology. 6. The EBA decided to amend the section on the subject matter in the guidelines. It explains that the EBA’s assessments now also cover confidentiality and professional secrecy provi￾sions in Article 100 of MiCAR. 7. The section on the scope of application in the guidelines was also amended. It explains that the equivalence assessments of third-country authorities listed in the Annex to the amended Guidelines should also be considered by competent authorities in the context of Article 107 of MiCAR. 8. Furthermore, the amended Guidelines clarify that the definitions set out in MiCAR apply to these Guidelines. 9. The Annex to the amended Guidelines lists, in an alphabetical order, recent EBA assess￾ments of third-country frameworks: a) Australia, Montenegro, Serbia: The assessment of regimes applicable to the Australian Transaction Reports and Analysis Centre (AUSTRAC), the Central Bank of Montenegro, and the National Bank of Serbia focused on the equivalence with the confidentiality 7 Article 54(5) of Regulation (EU) 2024/1620 of the European Parliament and of the Council of 31 May 2024 establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism and amend￾ing Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 (OJ L, 2024/1620, 19.6.2024, ELI: http://data.europa.eu/eli/reg/2024/1620/oj) provides that: ‘[…] Provided that they are still relevant, the guidelines and recommendations issued by the EBA, or by supervisors and FIUs pursuant to Di￾rective (EU) 2015/849 of the European Parliament and of the Council ( 40) and Regulation (EU) 2023/1113 shall remain applicable until such time as the new guidelines and recommendations issued by the Authority on the same subject start to apply […].’

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 7 and professional secrecy rules under AMLD. All three regimes were deemed equiva￾lent. For the Central Bank of Montenegro and the National Bank of Serbia, the assess￾ment was supplementary to the previous assessment of confidentiality and profes￾sional secrecy performed by the EBA under the CRD. For Serbia, this supplementary assessment recognisesthat Articles 102a, 109, and 117 of the Law on Banks have been replaced by different legal provisions and this change has been reflected in the amended Guidelines. b) United Kingdom and Peru: The frameworks of the Financial Conduct Authority and Prudential Regulation Authority of UK and the Superintendency of Banks, Insurance and Pension Fund Administrators of Peru were assessed as equivalent with CRD, PSD, BRRD and AMLD. c) China: The National Financial Regulatory Administration (successor to the China Bank￾ing and Insurance Regulatory Commission8) maintains equivalence with CRD, PSD, BRRD and AMLD. 10. Under Article 16(2) of Regulation (EU) No 1093/2010, the EBA must, where appropriate, conduct public consultation, cost-benefit analysis (CBA), and seek advice of the Banking Stakeholder Group (BSG). In this case, no public consultation or CBA was carried out by the EBA as these guidelines apply only to competent authorities, concern inter-authority prac￾tices, and have no direct impact on financial institutions. the EBA consulted the BSG on 26 November 2025 via written procedure and received no comments on the amended Guidelines. 8 The EBA communication on the National Financial Regulatory Administration (NFRA) of China, available here

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 8 3. Guidelines amending Guidelines EBA/GL/2022/04 on the equivalence of confi￾dentiality regimes

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 9

1. Compliance and reporting obliga￾tions Status of these guidelines
2. This document contains guidelines issued pursuant to Article 16 of Regula￾tion (EU) No 1093/20109 . In accordance with Article 16(3) of Regulation (EU) No 1093/2010, competent authorities and financial institutions must make every effort to comply with the guidelines.
3. Guidelines set the EBA view of appropriate supervisory practices within the European System of Financial Supervision or of how Union law should be applied in a particular area. Competent authorities as defined in Article 4(2) of Regulation (EU) No 1093/2010 to whom guidelines ap￾ply should comply by incorporating them into their practices as appropriate (e.g. by amending their legal framework or their supervisory processes), including where guidelines are directed primarily at institutions. Reporting requirements
4. According to Article 16(3) of Regulation (EU) No 1093/2010, competent authorities must no￾tify the EBA as to whether they comply or intend to comply with these guidelines, or other￾wise reasons for non-compliance, by 04.05.206. In the absence of any notification by this deadline, competent authorities will be considered by the EBA to be non-compliant. Notifica￾tions should be sent by submitting the form available on the EBA website with the reference ‘EBA/GL/2025/05’. Notifications should be submitted by persons with appropriate authority to report compliance on behalf of their competent authorities. Any change in the status of compliance must also be reported to the EBA.
5. Notifications will be published on the EBA website, in line with Article 16(3). 9 Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 No￾vember 2010 establishing a European Supervisory Authority (European Banking Author￾ity), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC, (OJ L 331, 15.12.2010, p.12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj).

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 10 2. Addresses 5. These guidelines are addressed to (i) competent authorities as defined in point (2) of Article 4 of Regulation (EU) No 1093/2010 and (ii) competent authorities as defined in point (35) of Article 3(1) of Regulation (EU) 2023/111410. 3. Implementation Date of application 6. These Guidelines apply from 04.05.2026. 10 Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (OJ L 150, 9.6.2023, p. 40, ELI: http://data.europa.eu/eli/reg/2023/1114/oj).

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 11 4. Amendments 7. Guideline EBA/GL/2022/04 is amended as follows: 8. Paragraph 2 is replaced as follows: ‘5. These Guidelines concern the assessment by competent authorities of whether the confidentiality and professional secrecy regime to which the third-country authorities mentioned in the Annex are subject is equivalent to the conditions set out in Title VII,

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 12 Chapter 1, Section II of Directive 2013/36/EU 11 ; in Article 24 of Di￾rective (EU) 2015/2366 12 ; in Chapter VI, Section 3, Subsection IIIa of Di￾rective (EU)2015/84913; in Article 84 and 98 of Directive 2014/59/EU14 and in Article 100 of Regulation (EU) 2023/111415.’ 9. Paragraph 3 is replaced as follows: ‘6. These guidelines apply to competent authorities’ assessment of the equivalence of the confidentiality regime to which the third-country supervisory authorities listed in the An￾nex are subject to for the following purposes: 11 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institu￾tions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176 27.6.2013, p. 338, ELI : http://data.eu￾ropa.eu/eli/dir/2013/36/oj). 12 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337 23.12.2015, p. 35, ELI: http://data.europa.eu/eli/dir/2015/2366/oj). 13 Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73, ELI: http://data.eu￾ropa.eu/eli/dir/2015/849/oj). 14 Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and invest￾ment firms and amending Council Directive 82/891/EEC, and Directives 2001/24/EC, 2002/47/EC, 2004/25/EC, 2005/56/EC, 2007/36/EC, 2011/35/EU, 2012/30/EU and 2013/36/EU, and Regulations (EU) No 1093/2010 and (EU) No 648/2012, of the European Parliament and of the Council (OJ L 173, 12.6.2014, p. 190, ELI: http://data.eu￾ropa.eu/eli/dir/2014/59/oj). 15 Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (OJ L 150, 9.6.2023, p. 40, ELI: http://data.europa.eu/eli/reg/2023/1114/oj).

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 13 a. in order to conclude cooperation arrangements with the third-country authority in ac￾cordance with Article 55 of Directive 2013/36/EU and Article 107(5) of Regula￾tion (EU) 2023/114 also for the purposes of Article 24 of Directive (EU) 2015/2366 and Article 57a (5) of Directive (EU) 2015/849, or in accordance with Article 97 and 98 (1) of Directive 2014/59/EU; and b. in order to enable the participation of the third-country authority in supervisory and resolution colleges in accordance with Article 116 (6) of Directive 2013/36/EU and Ar￾ticles 88 and 89 of Directive 2014/59/EU; and in AML/CFT colleges in accordance with Chapter VI, Section 3, Subsection IIIa of Directive (EU) 2015/849 and the AML/CFT Col￾leges Guidelines16.’ 10. Paragraph 4 is replaced by the following: ‘7. These guidelines are addressed to (i) competent authorities as defined in point (2) of Article 4 of Regulation (EU) No 1093/2010 and (ii) competent authorities as defined in point (35) of Article 3(1) of Regulation (EU) 2023/1114.’ 11. Paragraph 5 is replaced by the following ‘8. Unless otherwise specified, terms used and defined in Directive 2013/36/EU, Di￾rective (EU) 2015/2366, Directive 2014/59/EU, Directive (EU) 2015/849 and Regula￾tion (EU) 2023/1114 have the same meaning in the Guidelines.’ 12. Paragraphs 6 and 7 are renumbered as paragraphs 9 and 10 respectively. 13. Paragraph 9 is replaced by the following: ‘9. For the purposes of applying Article 55 of Directive 2013/36/EU also in accordance with Article 24 of Directive (EU) 2015/2366) and 57a (5) of Directive (EU) 2015/849, Article 97 and 98 (1) of Directive 2014/59/EU, Article 116 (6) of CRD and Articles 88 and 89 of Di￾rective 2014/59/EU, the AML/CFT Colleges Guidelines and Article 107(5) of Regula￾tion (EU) 2023/1114, competent authorities should consider the professional secrecy and confidentiality regime of the third-country authorities referred to in the Annex as equiva￾lent to that set out in: a. Title VII, Chapter 1, Section II of Directive 2013/36/EU, b. Article 24 of Directive (EU) 2015/2366, c. Article 84 and 98 of Directive 2014/59/EU, d. Chapter VI, Section 3, Subsection IIIa of Directive (EU) 2015/849, 16 Joint guidelines on cooperation and information exchange for the purpose of Directive (EU) 2015/849 be￾tween competent authorities supervising credit and financial institutions (the AML/CFT Colleges Guidelines) of 16 December 2019, (JC 2019/81).

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 14 e. Article 100 of Regulation (EU) 2023/1114, where relevant depending on the competences of the third-country authority’. 14. The Annex is amended as follows: a. The footnote 12 is replaced by the following: ‘This column indicates whether the provisions applicable to a third-country authority have been assessed with respect to relevant provisions in Directive 2013/36/EU (1), Di￾rective (EU) 2015/2366 (2), Directive (EU) 2015/849 (3), Directive 2014/59/EU (4), and Regulation (EU) 2023/1114 (5).’

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 15 b. The following table is inserted after the table concerning the Australian Prudential Regulation Authority: AUTHORITY AS￾SESSED SCOPE OF AS￾SESSMENT PRINCIPLE 1 NOTION OF CONFI￾DENTIAL INFOR￾MATION PRINCIPLE 2 OBLIGATION OF PRO￾FESSIONAL SECRECY PRINCIPLE 3 USE OF CONFIDENTIAL INFORMATION PRINCIPLE 4 RESTRICTIONS ON THE DISCLOSURE OF CONFI￾DENTIAL INFOR￾MATION ADDITIONAL INFOR￾MATION SANCTIONS IN CASES OF BREACHES OF OBLI￾GATIONS OVERALL ASSESSMENT AUSTRALIA Australian Trans￾action Reports and Analysis Cen￾tre (AUSTRAC) https://www.aus￾trac.gov.au/ (3) Part 1, section 5 and Part 11, section 212 of the Anti-Money Laundering and Coun￾ter-Terrorism Financ￾ing Act 2006 (AML Act) Part 11, sections 121, 184 and 224 of the AML Act Part 11, sections 125 to 129, section 134 and section 212(3) of the AML Act Part 11 of the AML Act Part 11, sections 121 and Part 15, Sec￾tion 198 of the AML Act Section 15 of the Aus￾tralian Public Services Code of Conduct (Sec￾tion 13 of the Public Service Act 1999) Equivalent c. The table concerning the China Banking and Insurance Regulatory Commission is replaced by the following: AUTHORITY AS￾SESSED SCOPE OF AS￾SESSMENT PRINCIPLE 1 NOTION OF CONFI￾DENTIAL INFOR￾MATION PRINCIPLE 2 OBLIGATION OF PRO￾FESSIONAL SECRECY PRINCIPLE 3 USE OF CONFIDENTIAL INFORMATION PRINCIPLE 4 RESTRICTIONS ON THE DISCLOSURE OF CONFI￾DENTIAL INFOR￾MATION ADDITIONAL INFOR￾MATION SANCTIONS IN CASES OF BREACHES OF OBLI￾GATIONS Overall Assess￾ment

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 16 CHINA National Financial Regulatory Ad￾ministration (NFRA) (1) (4) Administrative Rules on Professional Se￾crecy and Confidenti￾ality (ARPSC), Chap￾ter 10 Civil Servant Law of the People’s Republic of China (CSL, the Or￾der of the PRC Presi￾dent, 2003) Article 11 of the Law of the People’s Republic of China on Banking Regu￾lation and Supervision (LBRS, the Order of the PRC President, 2006) Article 14 and Article 59 of CSL Article 63, Chapter 10 and Article 32 of ARPSC NFRA Interim Measures of the Administration of Seconded Personnel NFRA Interim Measures of the Administration of Contract Personnel Rules on Confidentiality Management for Se￾conded and Contract Personnel of NFRA Head￾quarters Article 11 of LBRS Article 59 of ARPSC Article 14 and 15 Regu￾lation of the People's Republic of China on the Disclosure of Gov￾ernment Information (RDGI, issued by the State Council in 2007) Article 63, Article 77 of ARPSC Articles 6, 11 and 14 of LBRS Civil Servant Law of the People's Republic of China (CSL, 2018) Regulation on the Pun￾ishment of Civil Serv￾ants of Administrative Agencies (2007) Civil Procedure Law of the People’s Republic of China, Article 67 and 68 Article 43 of LBRS Articles 77 – 78 of ARPSC Civil Servant Law of the People's Republic of China (CSL, 2018) Regulation on the Pun￾ishment of Civil Serv￾ants of Administrative Agencies (2007) Equivalent

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 17 Banking Supervision Law of the People’s Republic of China, Article 43 State Compensation Law of the People’s Republic of China, Article 4 Criminal Procedure Law of the People’s Re￾public of China, Arti￾cle 54 Tax Collection Admin￾istration Law of the People’s Republic of China, Article 6 d. The table concerning the Central Bank of Montenegro is replaced by the following: AUTHORITY AS￾SESSED SCOPE OF AS￾SESSMENT PRINCIPLE 1 NOTION OF CONFI￾DENTIAL INFOR￾MATION PRINCIPLE 2 OBLIGATION OF PRO￾FESSIONAL SECRECY PRINCIPLE 3 USE OF CONFIDENTIAL INFORMATION PRINCIPLE 4 RESTRICTIONS ON THE DISCLOSURE OF CONFI￾DENTIAL INFOR￾MATION ADDITIONAL INFOR￾MATION SANCTIONS IN CASES OF BREACHES OF OBLI￾GATIONS Overall Assess￾ment MONTENEGRO Central Bank of Montenegro www.cbcg.me (1), (3) Article 84, para￾graph 1 of the Central Bank of Mon￾tenegro Law (CBML) Article 203 and Arti￾cle 344 of the Law on Credit Institutions (LCI) Article 84 paragraphs 1-2 of the Central Bank of Montenegro Law Articles 203, 204, 344, 353 and 354 of the LCI Articles 237, 245 and 344 of the LCI Article 84, paragraph 3; Article 76 and 76a of the CBML Banking Law Arti￾cle 107 Articles 6 and 9 of the Law on The Financial Stability Council Article 280 of the Crim￾inal Code Article 84 of the CBML Article 26 of the Rule￾book on Secrecy Article 126 of the AML Law Equivalent

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 18 Article 3 of the Law on Data Secrecy (LDS) Article 54 of the Pay￾ment System Law Article 2 of the Rule￾book on Secrecy (0101-4014/14-2- 2010 of 30 May 2011, 0101-4014/84-3 of 25 March 2016, 0101- 8380-4/2018 of 6 No￾vember 2018) Article 112 of Law on the prevention of money laundering and terrorist financ￾ing (OGM 110/23, 65/24) (AML Law) Article 29 paragraph 2, 3 and 35 of the Deposit Protection Law Articles 336 and 347 of the LCI Articles 10 and 11 of the Law Governing the State Audit Article 134 of the AML Law e. The following table is inserted after the table concerning the Central Bank of Montenegro: AUTHORITY AS￾SESSED SCOPE OF AS￾SESSMENT PRINCIPLE 1 NOTION OF CONFI￾DENTIAL INFOR￾MATION PRINCIPLE 2 OBLIGATION OF PRO￾FESSIONAL SECRECY PRINCIPLE 3 USE OF CONFIDENTIAL INFORMATION PRINCIPLE 4 RESTRICTIONS ON THE DISCLOSURE OF CONFI￾DENTIAL INFOR￾MATION ADDITIONAL INFOR￾MATION SANCTIONS IN CASES OF BREACHES OF OBLI￾GATIONS Overall Assess￾ment

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 19 PERU Superintendency of Bank, Insur￾ance and Pension Fund Administra￾tors (SBS) https://www.sbs.g ob.pe/ (1), (2), (3), (4) Article 140 of the Law 26702 – General Law of the Financial and Insurance Sys￾tems and Organic Law of the SBS Article 41 of the Cen￾tral Bank Law, DL. 26123 Article 17 of the Law of the Transparency and Access of Public Information – Law 27806 Article 6 of the Rules to Protect Confidential In￾formation Exchanged with Regulators and In￾ternational Organisa￾tions (SBS-DIR-SBS-653- 02) Articles 17, 140, 142, 143, 143A, 376 of the Law 26702 – General Law of the Financial and Insurance Systems and Organic Law of the SBS Articles 144, 152, 153, 182, 359, 376, 381 of Law 26702 – General Law of the Financial and Insurance Systems and Organic Law of the SBS Articles 17 and 18 of Law 27806 (TUO D.S. 021-2019-JUS) Article 97 of the Politi￾cal Constitution of Peru Article 376 of Law 26702 – General Law of the Financial and Insur￾ance Systems and Or￾ganic Law of the SBS Article 17, 18 of Law 27806 – TUO D.S. 021- 2019-JUS, Law of the Transparency and Ac￾cess of Public Infor￾mation Article 87 of Law 27444 – TUO D.S. 004-2019- JUS (General Adminis￾trative Procedure Law) Article 8.4 of the Rules to Protect Confidential Information Exchanged with Regulators and In￾Article 165 of the Peru￾vian Criminal Code Articles 1, 4 Law 27588 – Law Establishing Pro￾hibitions and Incom￾patibilities of Officials and Public Servants, as well as Persons Who Provide Services to the State under any Con￾tractual Modality Article 6 of the SBS Di￾rective SBS-DIR-SBS￾653-02 (Rules to Pro￾tect Confidential Infor￾mation Exchanged with Regulators and Interna￾tional Organisations) Equivalent

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 20 ternational Organisa￾tions (SBS-DIR-SBS-653- 02) Article 36 of Legislative Decree 1141 on the National Intelligence System (SINA) and the National Directorate of Intelligence (DINI) Article 87 of Law 27444 – TUO D.S. No. 004- 2019- JUS Law on Gen￾eral Administrative Procedure (LPAG) f. The table concerning the National Bank of Serbia is replaced by the following: AUTHORITY AS￾SESSED SCOPE OF AS￾SESSMENT PRINCIPLE 1 NOTION OF CONFI￾DENTIAL INFOR￾MATION PRINCIPLE 2 OBLIGATION OF PRO￾FESSIONAL SECRECY PRINCIPLE 3 USE OF CONFIDENTIAL INFORMATION PRINCIPLE 4 RESTRICTIONS ON THE DISCLOSURE OF CONFI￾DENTIAL INFOR￾MATION ADDITIONAL INFOR￾MATION SANCTIONS IN CASES OF BREACHES OF OBLI￾GATIONS Overall Assess￾ment SERBIA National Bank of Serbia (1), (3) Article 86a para￾graphs 1 and 2 of the Law on the National Article 86a paragraphs 3 and 4 of the Law on the National Bank of Serbia (RS Official Gazette, Articles 65 and 70 of the Law on the Na￾tional Bank of Serbia (RS Official Gazette, Article 65 of the Law on the National Bank of Serbia (RS Official Ga￾zette, No 72/2003, Article 240 of the Crim￾inal Code Equivalent

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 21 www.nbs.rs Bank of Serbia (RS Of￾ficial Gazette, No 72/2003, 55/2004, 85/2005 – other law, 44/2010, 76/2012, 106/2012 14/2015, 40/2015 and Consti￾tutional Court deci￾sion, 44/2018 and 19/2025) Article 9b and Arti￾cle 46 of the Law on Banks (RS Official Ga￾zette, No 107/2005, 91/2010 and 14/2015) Article 112a of the Law on the Preven￾tion of Money Laun￾dering and the Fi￾nancing of Terrorism (RS Official Gazette, Nos 113/2017, 91/2019, 153/2020, 92/2023, 94/2024 and 19/2025) No 72/2003, 55/2004, 85/2005 – other law, 44/2010, 76/2012, 106/2012, 14/2015, 40/2015 and Constitu￾tional Court decision, 44/2018 and 19/2025) Article 9b, Article 46, Ar￾ticle 47, paragraphs 1 and 2; Article 48; and Ar￾ticle 103, paragraph 2 of the Law on Banks (RS Of￾ficial Gazette, No 107/2005, 91/2010 and 14/2015) Law on Auditing, Arti￾cle 29, paragraphs 1 and 2; and Article 38 No 72/2003, 55/2004, 85/2005 – other law, 44/2010, 76/2012, 106/2012, 14/2015, 40/2015 and Constitu￾tional Court decision, 44/2018 and 19/2025) Article 8, Article 9b, Ar￾ticle 49, Arti￾cle 103, paragraph 2 and Article 112 of the Law on Banks (RS Offi￾cial Gazette, No 107/2005, 91/2010 and 14/2015) Article 94 of the Law on the Prevention of Money Laundering and the Financing of Terror￾ism (RS Official Ga￾zette, Nos 113/2017, 91/2019, 153/2020, 92/2023, 94/2024 and 19/2025) 55/2004, 85/2005 – other law, 44/2010, 76/2012, 106/2012, 14/2015, 40/2015 and Constitutional Court decision, 44/2018 and 19/2025) Article 8, Article 9b, Ar￾ticle 47; Article 49 and Article 51b of the Law on Banks (RS Official Gazette, No 107/2005, 91/2010 and 14/2015); Article 112a of the Law on the Prevention of Money Laundering and the Financing of Terror￾ism (RS Official Ga￾zette, Nos 113/2017, 91/2019, 153/2020, 92/2023, 94/2024 and 19/2025) Article 98 of the Law on Data Secrecy Articles 120 and Arti￾cle 118, item 51 of the Law on the Prevention of Money Laundering and the Financing of Terrorism (RS Official Gazette, Nos 113/2017, 91/2019, 153/2020, 92/2023, 94/2024 and 19/2025)

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 22 g. The following tables are inserted after the table concerning the American Securities and Exchange Commission: AUTHORITY AS￾SESSED SCOPE OF AS￾SESSMENT PRINCIPLE 1 NOTION OF CONFI￾DENTIAL INFOR￾MATION PRINCIPLE 2 OBLIGATION OF PRO￾FESSIONAL SECRECY PRINCIPLE 3 USE OF CONFIDENTIAL INFORMATION PRINCIPLE 4 RESTRICTIONS ON THE DISCLOSURE OF CONFI￾DENTIAL INFOR￾MATION ADDITIONAL INFOR￾MATION SANCTIONS IN CASES OF BREACHES OF OBLI￾GATIONS Overall Assess￾ment UNITED KINGDOM Financial Conduct Authority (FCA) https://www.fca.o rg.uk/ (1), (2), (3), (4) Section 348, subsec￾tions (2) and (4) of the Financial Services and Markets Act 2000 (FSMA) Section 89L of the Banking Act 2009 Section 348, subsec￾tions (1), (5), (6) and (8) of the FSMA Schedule 17A, para￾graph 23 of the FSMA Section 89L of the Bank￾ing Act 2009 Section 349 of the FSMA Part II, Section 7 of the Financial Services and Markets Act 2000 (Dis￾closure of Confidential Information) Regula￾tion 2001 (The Disclo￾sure Regulation) The Public Record, Dis￾closure of Information and Co-operation (Fi￾nancial Services) (Amendment) (EU Exit) Regulations 2019 Section 348(1) of the FSMA Part II and section 4; Subsections 5 and 6 of section 5; and section 7 of the Disclosure Regu￾lation The financial conduct Authority – staff hand￾book Section 352 of the FSMA Equivalent

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 23 UNITED KINGDOM Prudential Regula￾tion Authority (part of Bank of England) (PRA) https://www.bank ofengland.co.uk/ (1), (2), (3), (4) Section 348 subsec￾tions (2) and (4) of the Financial Services and Markets Act 2000 (FSMA) Section 89L of the Banking Act 2009 Section 348, subsec￾tions (1), (5), (6) and (8) of the FSMA Schedule 17A, para￾graph 23 of the FSMA Section 89L of the Bank￾ing Act 2009 Section 349 of the FSMA Part II, Section 7 of the Financial Services and Markets Act 2000 (Dis￾closure of Confidential Information) Regula￾tion 2001 (The Disclo￾sure Regulation) The Public Record, Dis￾closure of Information and Co-operation (Fi￾nancial Services) (Amendment) (EU Exit) Regulations 2019 Section 348(1) of FSMA Part II and section 4; Subsections 5 and 6 of section 5; and section 7 of the Disclosure Regu￾lation The Bank of England Code of Conduct Section 352 of the FSMA Equivalent

FINAL REPORT GUIDELINES AMENDING GUIDELINES ON EQUIVALENCE OF CONFIDENTIALITY REGIMES 24 5. Accompanying documents 2.1 Views of the Banking Stakeholder Group The Banking Stakeholder Group (BSG) was consulted on the draft amending Guidelines on 26 No￾vember 2025 via written procedure. the EBA received no comments from the BSG on the amended Guidelines.