In this weekly post, we round-up FinTech-related financial services regulatory developments for the week ending 16 June 2023.
ICYMI
- Talking Shop: A consumer sector podcast series – EP3: Confronting cybersecurity complexity
- Cyber security: A month in retrospect (Australia)
- May Data Wrap: A snapshot of key regulatory developments
- Following Meta, what next for international data transfers?
- Key takeaways as MiCA reaches the finishing line
- Momentum is building (again) for AI regulation in Australia
- Exploring the promise and perils of generative AI in the enterprise: AI series
Global
BIS: Project Rosalind: building API prototypes for retail CBDC ecosystem innovation
The Bank for International Settlements (BIS) Innovation Hub has published two reports in relation to Project Rosalind on: building API prototypes for retail CBDC ecosystem innovation; and developing prototypes for an application programming interface to distribute retail CBDC. Project Rosalind explored how a universal and extensible application programming interface (API) layer could connect central bank and private sector infrastructures to facilitate retail central bank digital currency (CBDC) payments. The completed initiative, a joint experiment run by the BIS Innovation Hub London Centre and the Bank of England, developed 33 API functionalities and explored more than 30 retail CBDC use cases. [16 June 2023]
#CBDC #Payments
FSI publishes paper on evolution of bank cyber security regulation
The Financial Stability Institute (FSI) at the Bank for International Settlements (BIS) has published a paper on regulation of banks' cyber security in a range of jurisdictions – Hong Kong, Singapore, the UK, the US, Australia, Brazil, the EU, Israel, Kenya, Mexico, Peru, the Philippines, Rwanda, Saudi Arabia and South Africa. The paper is an update from one issued in 2017, which examined the first four of the listed jurisdictions. The authors find that there remain two predominant approaches to regulating banks' cyber resilience: (1) building on existing related regulations, such as operational risk and information security; and (2) issuing comprehensive regulations covering all aspects of cybersecurity from governance through to operational procedures. However, under either approach, the authors observe that approaches have evolved so far as to be termed 'second generation' cyber regulation as they 'have a more "assume breach" mentality'.
The paper includes (at Section 2) a catalogue of international regulatory initiatives on cyber resilience, including those initiated by the G7 Cyber Expert Group and other international standard setting bodies such as the International Organisation of Securities Commissions (IOSCO) and the International Association of Insurance Supervisors (IAIS). [12 June 2023]
#CyberResilience
UK
TSC publishes PSR’s response regarding concerns on arrangements for reimbursing victims of APP scams
The Treasury Committee (TSC) has published the Payment Systems Regulator’s (PSR's) to the Committee's February 2023 report: Scam reimbursement: pushing for a better solution which set out the TSC's concerns about how the PSR planned to approach the reimbursement of victims of authorised push payment (APP) fraud. The PSR's response - which has been added as an addendum to the report - confirms that the regulator plans to introduce a new requirement for payment service providers (PSPs) to reimburse qualifying customers who are the victims of APP fraud. The PSR comments that its approach will also:
- incentivise the payment industry to invest further in end-to-end fraud prevention by splitting the costs of reimbursement between payment-sending and payment receiving PSPs in qualifying APP fraud cases;
- increase customer protections, so that most victims of APP fraud will be swiftly reimbursed to drive confidence in the UK payment system; and
- pursue the PSR's long-term ambition for Pay.UK to take on a broader role and actively improve the rules governing Faster Payments to tackle fraud. [14 June 2023]
#Payments #APPFraud
FCA note on the roundtable on synthetic data
The FCA has published a note on the discussion which took place at the roundtable which it co-hosted with the Information Commissioner's Office (ICO) and the Alan Turing Institute. The note presents a high level summary, outlines the context of the discussion and the background to the event, and provides an overview of the day. It also sets out key insights from the day on validating utility and fidelity, validating privacy, and approaches to advancing synthetic data. The FCA comments that alongside the insights, the roundtable highlighted a number of remaining challenges; addressing some of these will be taken forward by the FCA's recently established Synthetic Data Expert Group. Further work will also be undertaken under the auspices of the ICO and the Alan Turing Institute. [12 June 2023]
#SyntheticData
EU
ESMA launches Data Strategy for the next five years
The European Securities and Markets Authority (ESMA) has published its Data Strategy for 2023-2028. Over the next five years ESMA aims to:
- Become an enhanced data hub – bolster ESMA as EU securities markets data hub, focusing on improved data and information accessibility, interoperability and usability, and achieving synergies and economies of scale;
- Ensure access to data of public interest – contribute to providing easily accessible and usable information to the market participants, including to retail investors, in machine readable formats and via user-friendly search and analytical interfaces;
- Promote data-driven supervision – enable cutting-edge, smart and effective data-driven supervision by joint developments and use of novel technologies;
- Increase data collaboration – achieve better data standardisation, quality and reusability, and to promote the adoption of innovative technologies;
- Produce efficient data policy output – reduce the compliance burden for reporting entities by reducing duplicative and inconsistent requirements, optimising reporting flows, effective and efficient data sharing, and exploiting emerging technologies; and
- Facilitate systematic data use – establish processes, methodologies and tools enabling systematic use of data for evidence-based policy development, supervision and risk assessment. [15 June 2023]
#Data #SyntheticData #SupTech
EBA issues opinion in response to the EC’s proposed amendments to the draft RTS on crowdfunding service providers
The European Banking Authority (EBA) has published a letter to the European Commission (EC) and an Opinion on the amendments proposed by the EBA to the EBA final draft Regulatory Technical Standards (RTS) on requirements on credit scoring of crowdfunding projects, pricing of crowdfunding offers, and risk management policies and procedures. In the Opinion, while accepting the change proposed by the EC with respect to the treatment of personal data, the EBA notes the importance of ensuring that crowdfunding providers can access historical data to improve the assessment of creditworthiness and the performance of their scoring models. [14 June 2023]
#Crowdfunding #Data
EBA Annual Report 2022 sets out strategic priorities for 2023
The European Banking Authority (EBA) has published its Annual Report that sets out its activities and achievements in 2022. The Annual Report also presents the strategic priorities for 2023, which include finalising Basel III implementation in the EU, performing an enhanced EU-wide stress test, working on digital finance and delivering on the Markets in Cryptoassets (MiCA) Regulation and Digital Operational Resilience Act (DORA) mandates, enhancing capacity to fight money laundering and the financing of terrorism in the EU, and executing the environmental, social and governance (ESG) roadmap. [12 June 2023]
#Cryptoassets #MiCA #DORA
Australia
ASIC: Survey of cyber-resilience of ASIC-regulated entities
Entities regulated by the Australian Securities and Investment Commission (ASIC), including publicly listed companies and other entities holding licences and authorisations, are being invited to take part in a survey to measure cyber resilience in Australia’s corporate and financial markets. The ASIC cyber pulse survey will be one of the largest conducted into Australia’s cyber resilience, and will measure entities’ current cyber security and controls, governance arrangements, and incident preparedness. Participation in the survey is voluntary and all responses will be anonymised. Participants who elect to receive an individual report will receive insights into how they have assessed their current cyber resilience capability compared to those of industry peers after the survey closes. ASIC plans to publish a report with key findings from the survey later this year. [13 June 2023]
#CyberResilience
Singapore
MAS launches AI in Finance Challenge for the 2023 Global FinTech Hackcelerator
MAS has launched the AI in Finance Challenge for the 2023 Global FinTech Hackcelerator. The competition aims to produce innovative and market-ready AI solutions to transform the financial services industry. The competition is conducted in partnership with AI Singapore (AISG) and powered by Oliver Wyman. The innovative solutions must respond to 16 problem statements which focus on (1) elevating customer experience, (2) enhancing operational efficiency, (3) strengthening risk, compliance and fraud monitoring and (4) enabling environmental, social and governance (ESG) solutions.
Up to 20 finalists will be shortlisted, each receiving a S$20,000 cash stipend. Three winners will be selected, each receiving S$50,000 in prize money. The winners can also apply for the exclusive AISG start up grant to vie for a further S$500,000 in prize money. [12 June 2023]
#AI #FinTechHackcelerator
India
IFSCA consults on proposed Payment Services Regulations
The International Financial Services Centres Authority (IFSCA) had published its consultation paper on proposed IFSCA (Payment Services) Regulations. The Regulations will cover:
- the procedure for applying to provide a payment service;
- the types of authorisations, namely licensing and registration;
- the required capital for a payment service provider (PSP);
- how a PSP documents its compliance with governance arrangements;
- any exemptions for authorisation to be a PSP; and
- how a PSP safeguards the funds of its users.
The consultation closes on 5 July 2023. [13 June 2023]
#Payments
Philippines
BSP receives the Cyber Resilience Initiative Award in the FinTech & RegTech Global Awards 2023
Bangko Sentral ng Pilipinas (BSP) has been awarded the Cyber Resilience Initiative Award for the implementation of the Advanced SupTech Engine for Risk-based Compliance (ASTERISC). The Award recognises innovative programs and/or solutions by a central bank in improving cyber resilience in the areas of improved detection, contingency management and overall system security.
ASTERISC is a cloud-based solution which automates BSP's cybersecurity supervision. It enables deeper analyses and correlation capabilities to help BSP implement risk-based and proactive supervisory decisions on cybersecurity. [14 June 2023]
#SupTech #CyberResilience
USA
DOJ Announces that Russian Nationals Charged With Hacking One Cryptocurrency Exchange and Illicitly Operating Another
The Department of Justice (DOJ) has announced that it has unsealed charges related to the 2011 hack of a cryptocurrency exchange and the operation of an illicit cryptocurrency exchange. According to court documents, the defendants, both Russian nationals, are charged with conspiring to launder approximately 647,000 bitcoins from their hack of a cryptocurrency exchange. One defendant is also charged with conspiring with another individual to operate a different cryptocurrency exchange from 2011 to 2017.
Court documents unsealed in the Southern District of New York allege that in or about September 2011, the defendants, and their co-conspirators gained unauthorized access to the server holding the cryptocurrency wallets for the cryptocurrency exchange. At the time, it was the largest Bitcoin exchange in existence, servicing thousands of users worldwide. The cryptocurrency exchange stored the cryptocurrency wallets containing its customers’ bitcoin, and the corresponding private keys used to authorize bitcoin transfers from those wallets, on a computer server in Japan.
Court documents unsealed in the Northern District of California allege that one defendant worked with others to operate a second cryptocurrency exchange from 2011 until it was shut down by law enforcement in July 2017. During that time period, it was one of the world’s largest cryptocurrency exchanges and was one of the primary ways by which cyber criminals around the world transferred, laundered, and stored the criminal proceeds of their illegal activities. [9 June 2023]
#Cryptocurrency #CryptoExchange
Key contacts
Disclaimer
Herbert Smith Freehills LLP has a Formal Law Alliance (FLA) with Singapore law firm Prolegis LLC, which provides clients with access to Singapore law advice from Prolegis. The FLA in the name of Herbert Smith Freehills Prolegis allows the two firms to deliver a complementary and seamless legal service.