In this regular post, we round up FinTech-related financial services regulatory developments for the week ending 10 November 2023.
ICYMI
- APP Fraud: Prevention is surely better than paying out
- Insights on outsourcing and other lessons from a data breach – the UK FCA perspective
- SEC sues SolarWinds and CIO Timothy Brown for federal securities laws violations based on failure to maintain adequate cybersecurity protections
Global
FATF report on illicit financial flows from cyber-enabled fraud
The Financial Action Task Force (FATF) has published a report analysing how the cyber-enabled fraud landscape has evolved, its links to other crimes, and how criminals may exploit vulnerabilities in new technologies. The report highlights examples of national operational responses and strategies that have proven successful in tackling cyber-enabled fraud. This includes the need to break down siloes and accelerate and enhance collaboration across various sectors and on both the domestic and international levels. [9 Nov 2023]
#CyberFraud
BIS Paper: Will the real stablecoin please stand up?
The Bank for International Settlements (BIS) has published a paper which provides an overview of the evolution of the stablecoin market over the past decade and examines whether stablecoins have stayed true to their name in terms of being 'stable'. The study looked at 68 stablecoins and found that none have been able to maintain parity with their peg at all times. For these reasons, the paper concludes that the stablecoins in circulation today do not meet the key criteria for being a safe store of value and a trustworthy means of payment in the real economy. [8 Nov 2023]
#Stablecoins
UK
HMT: International joint statement on the Crypto-Asset Reporting Framework
HM Treasury has announced that the UK has agreed a joint statement with 48 countries on their intention to implement the Organisation for Economic Co-operation and Development’s (OECD's) latest tax transparency standard, the Crypto-Asset Reporting Framework (CARF).
CARF will provide for the automatic exchange of information between tax authorities on crypto exchanges for the purpose of combating offshore tax avoidance and evasion. The statement announces the signatory jurisdictions’ intention to implement CARF in time to commence exchanges by 2027.
The statement also commits applicable jurisdictions, including the UK, to implement amendments to the Common Reporting Standard (CRS), an existing tax transparency standard for the exchange of financial account information, to the same timeline. [10 Nov 2023]
#Cryptoassets
FCA review of anti-fraud and complaints handling with a focus on APP fraud
The FCA has published the findings of its multi-firm review of firms' anti-fraud controls and complaint handling, with a focus on authorised push payment (APP) fraud. The FCA sets out the key findings from the review and includes examples of good practice and areas for improvement.
Although some examples of effective control frameworks and good practice were observed, the FCA did find several common weaknesses in firms’ fraud risk management frameworks and customer treatment. Key findings include:
- an insufficient focus on delivering good consumer outcomes in many of the firms reviewed;
- management information and actions often focused on commercial risk appetite, rather than customer impact and treatment;
- significant scope in many firms to improve the support provided to victims of fraud including from the first point of contact and, in many cases, firms needed to do more to enable customers to report fraud easily and promptly;
- poor complaint handling including firms often taking too long to respond to customer complaints;
- customers provided with decision letters that were sometimes unclear, confusing, or included unhelpful and, on occasion, accusatory language; and
- limited evidence that firms are appropriately taking account of characteristics of customer vulnerability when making decisions about fraud claims and complaints.
The review will be of interest to UK payment service providers (PSPs) including banks, building societies and other businesses that provide payment accounts. Firms are also encouraged to consider the findings from the FCA's recent publication Proceeds of fraud – Detecting and preventing money mules, which reviewed payment account providers’ systems and controls around money mule accounts. [7 Nov 2023]
#APPfraud
FCA and BoE publish proposals for regulating stablecoins
The FCA and the Bank of England (BoE) are requesting feedback on their proposed approach to regulating stablecoins:
- The FCA has published Discussion Paper 23/4 – Regulating cryptoassets Phase 1: Stablecoins (DP23/4) which explores the proposed regulation around issuing and holding stablecoins that claim to maintain a stable value relative to a fiat currency by holding assets denominated in that currency.
- The BoE has published a discussion paper outlining how it would regulate operators of systemic payment systems using stablecoins – payment systems which, if widely used for retail payments in the UK, could otherwise pose risks to financial stability. The BoE would also regulate other entities providing services to these payment systems, such as stablecoin issuers and wallet providers, where they could otherwise pose financial stability risks.
Responses to both discussion papers are requested by 6 February 2024. The BoE and FCA expect to consult on more detailed policy proposals and enforceable rules over the course of 2024. New rules are expected to be implemented in 2025.
The FCA, BoE and PRA have also published a cross-authority roadmap paper on innovation in payments and money, which explains how UK authorities’ current and proposed regulatory regimes for issuers of different forms of digital money or money-like instruments will interact.
Additionally, the PRA has published a 'Dear CEO' letter on how it expects deposit-takers to address the risks that arise from issuing multiple forms of digital money. The letter also sets out the PRA’s broader expectations for banks regarding their use of digital money for retail or wholesale innovations, in areas such as operational resilience, anti-money laundering and counter-terrorism financing (AML/CTF), and liquidity and funding risks. [6 Nov 2023]
#Stablecoin #Cryptoassets #AML/CTF #DigitalMoney
Europe
ESMA adds cyber risk as a new USSP
The European Securities and Markets Authority (ESMA) has announced that it is adding cyber risk and digital resilience to its Union Strategic Supervisory Priorities (USSPs). With this new USSP, EU supervisors will put greater emphasis on reinforcing firms’ information and communication technology (ICT) risk management through close monitoring and supervisory actions, building new supervisory capacity and expertise. The aim is to keep pace with market and technological developments, and closely monitor potential contagion effects of attacks and disruptions across markets and firms.
The new USSP will come into force in 2025, at the same time as the Digital Operational Resilience Act (DORA). This timeline is intended to provide supervisors and firms in Member States with sufficient time to prepare for compliance with the new regulatory requirements. Meanwhile, ESMA and national competent authorities (NCAs) will carry out preparatory work planning and shaping the supervisory activities to undertake under the cyber risk USSP.
The new USSP on cyber risk and digital resilience will replace the USSP on market data quality. [9 Nov 2023]
#CyberRisk #DigitalResilience #DORA
EBA consults on own funds requirements, liquidity requirements, stress testing of issuers, recovery plans under MiCAR
The European Banking Authority (EBA) has published the following consultations under the Markets in Crypto Assets Regulation (MiCAR):
- draft regulatory technical standards (RTS) to specify the highly liquid financial instruments with minimal market risk, credit risk and concentration risk;
- draft RTS to further specify the liquidity requirements of the reserve of assets;
- draft RTS to specify the minimum contents of the liquidity management policy and procedures;
- draft RTS to specify the adjustment of own funds requirements and stress testing of issuers of asset-referenced tokens (ARTs) and of e-money tokens (EMTs) subject to the requirements in MiCAR;
- draft RTS to specify the procedure and timeframe to adjust its own funds requirements for issuers of significant ARTs or of EMTs subject to the requirements set out in MiCAR;
- draft Guidelines on recovery plans to be drafted by issuers of ARTs and EMTs; and
- draft Guidelines establishing the common reference parameters of the stress test scenarios for the liquidity stress tests referred to in MiCAR.
These consultations form part of the prudential package of MiCAR deliverables and make up the third batch of MiCAR policy products.
Responses to the consultations are requested by 8 February 2024. The EBA will hold a hybrid public hearing on the different consultation papers on 30 January 2024. [8 Nov 2023]
#MiCAR
EBA consults on reporting of transactions and supervisory colleges under MiCAR
The EBA has published a number of consultations on draft RTS under MiCAR:
- draft RTS on the methodology to estimate the number and value of transactions associated to uses of ARTs as a means of exchange under MiCAR and of EMTs denominated in a currency that is not an official currency of a Member State;
- draft implementing technical standards (ITS) on the reporting on ARTs under MiCAR and on EMTs denominated in a currency that is not an official currency of a Member State; and
- draft RTS specifying the criteria for determining the composition of supervisory colleges for each issuer of a significant ART or of a significant EMT.
Responses to the consultations are requested by 8 February 2024. The EBA will hold a virtual public hearing on these consultation papers on 17 January 2024. [8 Nov 2023]
#MiCAR
ECB Working Paper: Global and local drivers of Bitcoin trading vis-à-vis fiat currencies
The European Central Bank (ECB) has published a working paper which analyses the drivers of Bitcoin transactions against 44 fiat currencies in the largest peer-to-peer (P2P) crypto exchanges.
The paper found that, despite an extremely volatile price and various crashes in the cryptoasset market, Bitcoin remains very popular. The results reinforce the hypothesis that Bitcoin trading is driven by speculative motives. However, Bitcoin seems to also offer specific transactional benefits, particularly in emerging and developing economies (EMDEs).
The results also point to potential financial stability risks from 'cryptoisation' in EMDEs with low levels of financial development and unstable fiat currencies. [8 Nov 2023]
#Bitcoin #Cryptoassets
EC requests feedback on supervision of cryptoassets
The European Commission (EC) has published the draft act on the supervision of cryptoassets for comment. This initiative:
- specifies criteria for an ART or EMT to be classified as significant;
- introduces supervisory measures on product intervention powers (ie the ability of a body/authority to restrict or ban the sale of cryptoassets or related activities);
- lays down procedural rules for the EBA to impose fines; and
- introduces rules on the supervisory fees charged by the EBA.
Feedback is requested by 6 December 2023. [8 Nov 2023]
#Cryptoassets
Council and EP reach provisional agreement on instant payments
The Council of the EU (Council) and European Parliament (EP) have reached a provisional agreement on the instant payments proposal, which will improve the availability of instant payment options in euros to consumers and businesses in the EU and in EEA countries.
Under the provisionally agreed rules, payment service providers such as banks, which provide standard credit transfers in euro, will also be required to offer the service of sending and receiving instant payments in euros. The charges that apply (if any) must not be higher than the charges that apply for standard credit transfers.
The provisional agreement will need to be approved by the Economic and Monetary Affairs Committee, followed by a plenary vote. The new rules will come into force after a transition period (this will be a shorter period for the euro area and a longer period for the non-euro area, reflecting adjustment times). [8 Nov 2023]
#Payments
EIOPA Insurance Risk Dashboard: Macro, markets and digitalisation risks are insurers’ top concern
The European Insurance and Occupational Pensions Authority (EIOPA) has published its November 2023 Insurance Risk Dashboard, which reports that insurers’ exposures to macro, market and digitalisation risks are currently at a 'High' level. Risk levels for the remaining risk categories, including ESG risk, are constant at 'Medium' levels.
The Risk Dashboard, based on Solvency II data, summarises the main risks and vulnerabilities in the EU’s insurance sector through a set of risk indicators. Risk Levels are based on a 4-level scale from 'Low' to 'Very high'. Risk trend reports the quarter on quarter variation of the risk based on a 5-level scale from 'Substantial Decrease' to 'Large Increase'. [6 Nov 2023]
#Digitalisation
SRB podcast: Conversation with Chair of the Supervisory Board of ECB
The Single Resolution Board (SRB) has published a podcast featuring Andrea Enria, Chair of the Supervisory Board of the European Central Bank (ECB), about his experience as the chief banking supervisor in the EU. Mr Enria shared his insights on the lessons learned from the global pandemic, and the banking crises in the US, the UK and Switzerland.
He also discussed the areas of cooperation between the ECB and the SRB, the challenges and opportunities of artificial intelligence (AI) for the banking industry and supervision, and his future plans after his mandate ends. [6 Nov 2023]
#AI
Australia
Treasury releases joint statement to implement the Crypto-Asset Reporting Framework
The Treasury has released a joint statement agreed by over 30 countries which host crypto markets welcoming the new international standard on automatic exchange of information relating to crypto-assets between tax authorities. The countries in question commit to transposing the Crypto-Asset Reporting Framework into domestic law and invite other countries to do the same. [10 Nov 2023]
#Cryptoassets
Hong Kong
HKMA publishes presentation materials for upcoming briefing to LegCo Panel on Financial Affairs on 17 November 2023
The HKMA has published presentation materials for its upcoming briefing to the Legislative Council (LegCo) Panel on Financial Affairs on 17 November 2023. Updates are provided in various areas, among others:
Banking Stability
- Basel III final reforms – Working on implementing the revised Basel standards effective between 1 July 2024 and 1 January 2025 as well as consequential amendments to the Banking (Exposure Limits) Rules and Banking (Liquidity) Rules, to be submitted to LegCo within 2023 (slide 56);
- Anti-money laundering (AML) and counter-financing of terrorism (CFT) – Launched bank-to-bank information sharing platform to increase ability to detect and disrupt fraud, 28 retail banks implemented real-time fraud monitoring systems to strengthen identification of suspicious payments and reduce potential losses, and published updated AML/CFT guidance to incorporate latest legal requirements (slide 57);
- Investor protection – Commenced supervision of trust business of banks, consulting the industry on guidance for banks providing custody of clients' digital assets, consulting the industry on expected standards of banks in the sale and distribution of green and sustainable investment products, and consulting the industry on revisions to HKMA Supervisory Policy Manual module SB-1 'Supervision of Regulated Activities of SFC-Registered Authorised Institutions' (slides 65 & 66);
Financial Infrastructure
- Fintech – Continuing work on initiatives relating to (among others) the Central Bank Digital Currency, and Commercial Data Interchange (slide 74);
Hong Kong as an International Financial Centre
- Cryptoassets and stablecoins – Issuing consultation conclusions to discussion paper on cryptoassets and stablecoins (confirming that the HKMA will bring certain activities relating to stablecoins into the regulatory perimeter), and preparing for a further consultation on details of the proposed regulatory parameters, with the aim of introducing the Bill into LegCo in 2024. [10 Nov 2023]
#DigitalAssets #AML/CFT #Stablecoins #Cryptoassets #CBDC
HKMA signs MOU with PBoC and AMCM to deepen fintech innovation supervisory cooperation
The HKMA has signed a memorandum of understanding (MOU) with the People’s Bank of China (PBoC) and the Monetary Authority of Macao (AMCM) to deepen fintech innovation supervisory cooperation.
Under the MOU, the three authorities agree to establish a network by linking the PBoC’s Fintech Innovation Regulatory Facility, the HKMA’s Fintech Supervisory Sandbox and the AMCM’s Regulatory Requirements for Innovative Fintech Trials. The network will serve as a one-stop platform to facilitate pilot trials of cross-boundary fintech initiatives and strengthen the synergy of fintech supervisory co-operation across the three regions.
In October 2021, the HKMA and the PBoC signed the 'Memorandum of Understanding on Fintech Innovation Supervisory Cooperation in the Guangdong-Hong Kong-Macao Greater Bay Area' to provide a one-stop platform for pilot trials of cross-boundary fintech initiatives in Hong Kong and Mainland Greater Bay Area cities (see our previous update). This platform was subsequently launched in February 2022. [9 Nov 2023]
#Fintech #Sandbox
FSTB publishes further details of three initiatives previously announced at Hong Kong Fintech Week 2023
The Financial Services and the Treasury Bureau (FSTB) has published further details of the three initiatives previously announced at the Hong Kong FinTech Week 2023 (see our previous update). These initiatives are aimed at fostering the co-development of fintech and the real economy, reinforcing Hong Kong's position as a global asset and wealth management center, and enhancing connectivity within the Greater Bay Area (GBA).
- Launch of a new integrated fund platform to be developed and operated by the HKEX: The platform will target the retail fund sector with a view to better serving investors, fund managers, distributors and other stakeholders. Subject to industry engagement, system development and testing, the first phase of the platform will be ready for launch by the end of 2024. The platform will comprise a communication hub, business platform and an information portal. One of the key objectives is to make it easier for fund managers and intermediaries (including small to medium sized market participants) to join the Hong Kong retail fund market.
- Cross-boundary e-CNY applications to benefit inbound and outbound visitors between the Mainland and Hong Kong: Octopus Cards Limited (OCL) and Bank of China (Hong Kong) (BOCHK) will seek to explore new e-CNY application scenarios. BOCHK has launched e-CNY services facilitating inbound Mainland visitors to use e-CNY wallets in Hong Kong. These innovations facilitate cross-border consumption and interconnectivity within the GBA. Subject to regulatory approval and technical readiness, OCL will provide an inbound solution to facilitate Mainland tourists’ use of e-CNY in Hong Kong.
- Promoting real economy related applications and innovations by the virtual assets (VAs) and Web3.0 sector and further development of the regulatory framework: The Government is committed to establishing an environment for the development of the VA and Web3.0 sector, with guardrails to mitigate actual and potential risks. Market participants are encouraged to explore the potential of underlying technologies of Web3.0 to empower and enable real economy related applications and innovations. On the regulatory front, among other things, the Government intends to expand the regulatory remit to cover the buying and selling of VAs beyond trades taking place on VA trading platforms. The FSTB and the HKMA will also issue a joint consultation on the legislative proposal for implementing a regulatory regime for stablecoins in due course. Furthermore, the HKMA will continue to consult the industry on its guidance on banks’ provision of digital asset custodial services, to ensure client assets are adequately safeguarded and that the risks involved are properly managed. [6 Nov 2023]
#Fintech #Stablecoins #VirtualAssets
Singapore
MAS Chair: Accelerating the value of insurance – transition to net zero, technology and talent
MAS has published the keynote address by its Chair and Deputy Prime Minister, Lawrence Wong, on unlocking and accelerating the value of insurance at the 2023 Global Insurance Forum. Mr Wong shared how the insurance industry can further deepen its value to society by supporting: (i) the transition to net-zero; (ii) harnessing technology, particularly artificial intelligence (AI); and (iii) developing the talent needed to make these possible. [7 Nov 2023]
#AI
MAS: Response to Parliamentary questions on the Shared Responsibility Framework
MAS has published a response to Parliamentary questions around the proposed framework for equitable sharing of losses between scam victims and financial institutions (FIs). The response states that the proposed Shared Responsibility Framework (SRF) prescribes a set of anti-scam duties for FIs and telecommunication companies (Telcos), and provides for payouts to victims of phishing scams when these duties are breached.
The response further explains that, under the SRF, the FI stands at the top of the 'waterfall'; this means that if the FI does not fulfil any of its four anti-scam duties, it will compensate the scam victim fully for the loss suffered, regardless of whether the Telco has discharged its duties or the victim has taken the necessary precautions. Likewise, if the FI has fulfilled its duties but the Telco has not, then the Telco is expected to bear full responsibility for the loss. Only if both the FI and Telco have discharged their duties fully will the customer, who stands at the bottom of the 'waterfall', bear the loss. [7 Nov 2023]
#PhishingScams
MAS: Response to Parliamentary question on hardware tokens
MAS has published the written response to a Parliamentary question on hardware tokens. The response advises that most retail banks in Singapore already offer hardware tokens for customers. MAS explains that hardware tokens, which generate one-time passwords (OTPs), are resistant to malware-enabled scams but are still susceptible to phishing tactics, with token users tricked into sharing OTPs with scammers. [7 Nov 2023]
#Phishing #HardwareTokens
Malaysia
SCM: Speech by ED on responsible use of AI
The Securities Commission Malaysia (SCM) has published the keynote address by its Executive Director of Digital Strategy & Innovation, Wong Huei Ching, at the Malaysian Financial Planning Council (MFPC) Professional & Ethics Forum 2023. Ms Ching discussed the potential of artificial intelligence (AI) and its sub-branch of machine learning (ML) as well as their responsible and ethical use.
She suggested four guiding principles that should be implemented proportionately when considering the ethical design, development, and deployment of AI and ML in the financial planning industry: (i) accountability; (ii) transparency and explainability; (iii) fairness and non-discrimination; and (iv) practical accuracy and reliability. [8 Nov 2023]
#AI #MachineLearning
Thailand
BoT: Meeting on cybersecurity and the future of AI
BoT has published a report of a conference held on the topic of 'embracing the future of artificial intelligence (AI) and cybersecurity'. The event, attended by more than 250 directors and senior executives from organisations in the financial sector, aimed to raise awareness of guidelines for managing risks from the business use of AI as well as guidelines to assist with the supervision of cyber risks. [8 Nov 2023]
#AI #CyberSecurity
India
RBI issues master direction on IT governance, risk, controls
The Reserve Bank of India (RBI) has issued a master direction which incorporates, consolidates and updates the guidelines, instructions and circulars on IT governance, risk controls, assurance practices and business continuity/disaster recovery management. The provisions of the master direction will come into force on 1 April 2024. [7 Nov 2023]
#IT
US
CFTC Releases FY 2023 Enforcement Results
The Commodity Futures Trading Commission (CFTC) has published its enforcement results for Fiscal Year 2023. These include a record-setting number of digital asset cases, actions to hold registrants to their regulatory obligations, manipulation and spoofing actions, and precedent-setting court decisions in complex litigations. In FY 2023, the CFTC’s Division of Enforcement (DOE) filed 96 enforcement actions charging fraud, manipulation, and other significant violations in diverse markets, including digital assets and swaps markets, resulting in over $4.3 billion in penalties, restitution and disgorgement.
The CFTC's Whistleblower Program continued to demonstrate its importance as, in FY 2023, seven applications for whistleblower awards, totaling approximately $16 million, were granted to individuals who voluntarily provided original information that led to successful enforcement actions. Since the inception of the Whistleblower Program through FY 2023, the CFTC has issued 41 orders granting awards totaling almost $350 million. The total sanctions ordered in all whistleblower-related enforcement actions have surpassed the $3 billion milestone.
The DOE established two new task forces in FY 2023:
- the Cybersecurity and Emerging Technologies Task Force addresses cybersecurity issues and other concerns related to emerging technologies, including artificial intelligence (AI); and
- the Environmental Fraud Task Force combats environmental fraud and misconduct in derivatives and relevant spot markets.
These new task forces augment the work of seven other DOE task forces that focus on the following substantive areas: spoofing and manipulative trading; digital assets; insider trading and protection of confidential information; bank secrecy act; swaps; foreign corruption; and romance scams. [7 Nov 2023]
#DigitalAssets #AI
CFPB proposes new federal oversight of big tech companies and other providers of digital wallets and payment apps
The Consumer Financial Protection Bureau (CFPB) has proposed a rule for the supervision of larger nonbank companies that offer services like digital wallets and payment apps. The rule would ensure that these nonbank financial companies – specifically those larger companies handling more than 5 million transactions per year – adhere to the same rules as large banks, credit unions, and other financial institutions already supervised by the CFPB. Specifically, the proposed rule would help ensure these large nonbank companies:
- Adhere to applicable funds transfer, privacy, and other consumer protection laws: The CFPB would be able to supervise larger participants for compliance with applicable federal consumer financial protection laws, which includes applicable protections against unfair, deceptive, and abusive acts and practices, rights of consumers transferring money, and privacy rights.
- Play by the same rules as banks and credit unions: The CFPB’s supervision of these large companies can foster a level playing field with depository institutions. Greater supervision of nonbanks in this market would ensure federal consumer financial protection law is enforced consistently between non-depository and depository institutions in order to promote fair competition.
Comments on the proposal are requested by January 8, 2024, or 30 days after publication of the proposed rule in the Federal Register, whichever is later. [7 Nov 2023]
#DigitalWallets #Payments
Disclaimer
Herbert Smith Freehills LLP has a Formal Law Alliance (FLA) with Singapore law firm Prolegis LLC, which provides clients with access to Singapore law advice from Prolegis. The FLA in the name of Herbert Smith Freehills Prolegis allows the two firms to deliver a complementary and seamless legal service.