In this regular post, we round-up FinTech-related financial services regulatory developments for the week ending 8 December 2023.
ICYMI
- APP Fraud – the UK is increasingly looking out of step
- Predictions for UK developments in 2024 from our Competition, Regulation and Trade team (Part 1)
- Terraform not on Terra Firma – Singapore court refuses to stay crypto claims in favour of arbitration
- Hong Kong lays out comprehensive guidance on crypto and tokenised securities-related activities by intermediaries, along with guidance on tokenisation of investment products
Global
BCBS: Outcome of December meeting on policy and supervisory initiatives
Following its December meeting, the Basel Committee on Banking Supervision (BCBS) has announced a series of actions, including plans to consult on targeted revisions to the standard on cryptoassets. A consultation will be published in December. [8 Dec 2023]
#Cryptoasset
IAIS: Thematic review: Regulation and supervision of AI and ML in insurance
The International Association of Insurance Supervisors (IAIS) has published a summary of its ongoing efforts in the area of the adoption of artificial intelligence and machine learning (AI/ML) in the insurance sector, following its thematic review of existing guidance on AI/ML and model risk management (MRM) from 12 supervisory authorities and international organisations. The key findings include:
- at the international level, the existing IAIS Insurance Core Principles (ICPs) which, by design, address the management of risk-related outcomes (rather than specific causes), continue to be applicable and appropriate for supervisors overseeing the use of AI/ML models;
- that AI/ML-specific policy responses are at different stages of maturity – both in terms of scope and applicability; and
- work to develop AI/ML specific policy responses across the interviewed jurisdictions typically involves significant collaborative efforts between prudential and conduct supervisors with insurers, AI/ML-related firms and other domestic stakeholders (such as government agencies and academics). [7 Dec 2023]
#AI #ML
FSB publishes toolkit for enhancing third-party risk management and oversight
The Financial Stability Board (FSB) has published a toolkit for financial authorities and financial institutions (FIs) for their third-party risk management and oversight. The toolkit promotes comparability and interoperability of regulatory and supervisory approaches across sectors and jurisdictions. It comprises:
- a list of common terms and definitions to improve clarity and consistency regarding third-party risk management across FIs;
- tools to help FIs identify critical services and manage potential risks throughout the lifecycle of a third-party service relationship; and
- tools for supervising how FIs manage third-party risks, and for identifying, monitoring, and managing systemic third-party dependencies and potential systemic risks.
The toolkit is designed to complement and build on, and not replace, relevant existing standards and guidance by international standard-setting bodies and financial authorities. [4 Dec 2023]
#Outsourcing #Cyber #OpRes
UK
NAO: Report – Time delay between FCA identification of an issue and regulatory action
The National Audit Office (NAO) has published a report of its review of the FCA’s efforts to respond to the changes in its regulatory powers and remit, as well as to the pace of change in the market. Findings from the report include:
- that there can be a significant delay between the FCA identifying an issue and taking action;
- the FCA is carrying out significant work adapting to the changes, and has spent £317m on its change programme between 2020 and 2023; and
- that a shortage of crypto skills meant the FCA took longer than planned to register crypto-asset firms under money laundering regulations in 2021, and it still finds it difficult to recruit and retain staff with these skills.
As a result of its review, the NAO has made a number of recommendations, including that the FCA should:
- put in place operational processes to manage the scale of change that it has in motion;
- work with HMT and other stakeholders to review the effectiveness of new accountability arrangements required under FSMA 2023;
- by Autumn 2024, plan changes to provide greater clarity about its performance to stakeholders; and
- build on its current work in developing a long-term workforce plan to ensure it can maintain necessary expertise. [8 Dec 2023]
#Crypto
FCA, PRA, BoE: CP – Operational resilience: Critical third parties to the UK financial sector
The FCA, PRA and Bank of England (BoE) have issued Consultation Paper 26/23 – Operational resilience: Critical third parties to the UK financial sector (CP26/23) with proposals to oversee and strengthen the resilience of services provided by critical third parties (CTPs) to UK regulated financial services firms and financial market infrastructure entities (FMIs). The proposals include:
- how the regulators may identify potential CTPs and recommend them for designation to HM Treasury (HMT);
- a set of fundamental rules that would apply to all the services CTPs provide to UK firms and FMIs, and act as a general statement of their obligations under the proposed regime;
- a set of more granular operational risk and resilience requirements, to apply only to CTPs’ material services to firms and FMIs, such as requirements on technology and cyber resilience, as well as on supply chain risk, change and incident management;
- requirements for CTPs to provide certain information and assurance to the regulators, including submitting an annual self-assessment, and conducting regular testing of their ability to provide material services in severe but plausible disruption (‘scenario testing’); and
- requirements for CTPs to notify the regulators, the firms and FMIs to which they provide services, of specific disruptions which may adversely impact the services provided.
The statutory obligations of a CTP would apply from the point it is designated by HMT. The regulators propose that the proposed requirements in their draft rules and the expectations in their joint supervisory statement would also apply from the point of designation.
Responses are requested by 15 March 2024. The PRA and the BoE intend to publish a further CP containing a draft statement of policy on their approach to the use of disciplinary powers. This will be published in due course ahead of the final policy statement that will follow this CP and contain the final rules and expectations for CTPs. To maintain a joint approach to the regime, the FCA plans to consult on their statement of policy on the use of disciplinary powers over CTPs around the same time.
The regulators also intend to publish a ‘CTP approach document’ setting out how they will carry out their oversight roles in relation to CTPs in due course. [7 Dec 2023]
#OpRes #Outsourcing #Cyber
PSR: Reporting guidance for APP scams data
The Payment Systems Regulator (PSR) has published reporting guidance for payment service providers (PSPs) who are required to report and publish authorised push payment (APP) scams data, under Specific Direction 18 for cycle 2 of the reporting cycle (January – December 2023). The guidance will ensure that PSPs provide the PSR with the correct data and information that is relevant, accurate, and consistent in the reporting of the data – both between PSPs and across the reporting periods. The guidance notes that data will be collected for the following three metrics:
- Metric A: The proportion of reported APP scam losses that are reimbursed;
- Metric B: Sending PSPs’ APP scam rates, as a measure of scam incidence at the PSP; and
- Metric C: Receiving PSPs’ APP scam rates (not including any money that has been returned to the victims).
Alongside the guidance, the PSR has published a response document, which discusses its decisions on key issues raised in its consultations in August (CP23/5) and September (CP23/8) and changes that it has made to the reporting guidance following cycle 1. The PSR may issue updated reporting guidance for each reporting cycle. [7 Dec 2023]
#APPScams
PSR MD discusses transformation in combating APP fraud
The Payment Systems Regulator (PSR) has published a speech by its Managing Director, Chris Hemsley, on the changes set to be implemented next year in respect of tackling authorised push payment (APP) fraud. The Managing Director touched on the scale of the challenge and highlighted some of the changes that will be put in place.
To prepare for the changes, the Managing Director advised firms to be engaged in the development and deployment of the new systems and processes, and to improve fraud prevention and detection. Mr Hemsley concluded the speech with a brief look ahead at the PSR's work in this area. [6 Dec 2023]
#APPScams
TSC report on digital pound
The Treasury Select Committee (TSC) has published a report on the development of a digital pound. The report follows the February 2023 consultation by HMT and the Bank of England (BoE) on the potential design of a retail central bank digital currency (CBDC).
This report summarises the TSC's views on the need for a retail (as opposed to wholesale) CBDC in the UK and on some of the specific issues it gives rise to, drawing on evidence received through the TSC's inquiry into the cryptoasset industry. It also includes recommendations in relation to potential risks and challenges arising from a digital pound. [4 Dec 2023]
#DigitalPound #CBDC #Cryptoasset
Europe
ESAs: DORA – CPs on second batch of policy products
The European Supervisory Authorities (ESAs: the European Securities and Markets Authority (ESMA), European Banking Authority (EBA) and European Insurance and Occupational Pensions Authority (EIOPA)) have published consultation papers (CPs) on the second batch of policy products in relation to the Digital Operational Resilience Act (DORA). The CPs relate to the following draft regulatory technical standards (RTS) and implementing technical standards (ITS):
- RTS and ITS on content, timelines and templates on information and communication technology (ICT)-related incident reporting;
- Guidelines on aggregated costs and losses from major ICT-related incidents;
- RTS on threat-led penetration testing;
- RTS on subcontracting of critical or important functions.
- Guidelines on oversight cooperation between the ESAs and competent authorities; and
- RTS on oversight harmonisation.
Responses are requested by 4 March 2024. The ESAs will hold an online public hearing on 23 January 2024 to discuss and explain the consultations. The legal instruments are expected to be finalised by 17 July 2024. [8 Dec 2023]
#DORA #OpRes
EBA: MiCAR CP – Draft RTS regarding conflicts of interest for ART issuers
The European Banking Authority (EBA) has issued a consultation paper (CP) specifying the requirements for policies and procedures on conflicts of interest for issuers of asset-referenced tokens (ARTs) under Article 32(5) of the Markets in Crypto-Assets Regulation (MiCAR). These draft regulatory technical standards (RTS) are aimed at strengthening the management of conflicts of interest by issuers of ARTs and ensure convergence of requirements across the EU.
The EBA will hold a virtual public hearing on the CP on 11 January 2024.
Reponses to the CP are requested by 7 March 2024. [7 Dec 2023]
#MiCAR #Crypto
EPC: Payment Threats and Fraud Trends Report annual update
The European Payments Council (EPC) has published it annual update to its Payment Threats and Fraud Trends Report. The update provides a focus on recent attacks and an overview of the most important threats and other “fraud enablers” in the payments landscape, including:
- social engineering;
- malware;
- advanced persistent threats (APTs);
- distributed denial of service (DDoS);
- botnets;
- third-party compromise;
- monetisation channels; and
- liability for social engineering fraud.
Among the key findings, the EPC notes that one of the most sophisticated and lucrative types of payment fraud now and for the future seems to be Advanced Persistent Threat (APT). The EPC flags this APT must be considered as a potential high risk for payment infrastructures and all network related payment ecosystems. In addition, social engineering attacks and phishing attempts continue to increase, and are often used in combination with malware. [7 Dec 2023]
#Payments
Australia
ASIC clarifies regulatory expectations for online trading providers
The Australian Securities and Investments Commission (ASIC) has published a review of online trading providers highlighting its observations from its recent surveillance and demonstrating the continued focus on the practices, business structures and product offerings of online trading providers. The report follows ASIC’s warning to online trading providers last year against high-risk offerings to retail investors such as securities lending and provision of crypto-asset trading. [6 Dec 2023]
#Cryptoasset
Hong Kong
SFC publishes quarterly report for July to September 2023
The SFC has published its quarterly report summarising its work and key developments from July to September 2023. Among the areas covered in the report are intermediaries-related developments. The SFC notes the issuance of a statement to warn virtual asset trading platforms (VATPs) of the legal and regulatory consequences of misrepresenting their SFC licence application statuses and launching non-compliant services and products, and a stepping up of information dissemination in relation to VATPs. [7 Dec 2023]
#VirtualAsset #VATP
SFC warns public of suspected VA-related frauds
The SFC has warned the public of suspected virtual asset (VA)-related frauds involving entities operating under the names of 'Hong Kong Digital Research Institute' or 'HongKongDAO' and 'BitCuped'. The names have been placed on the SFC's Suspicious Virtual Asset Trading Platforms Alert List.
At the SFC’s request, the Hong Kong Police Force has taken steps to block access to the websites of HongKongDAO and BitCuped. The SFC has also issued cease and desist letters to website operators requesting them to cease offering for purchase a token known as 'HKD' or 'HongKongDAO' (HKD Token) issued by HongKongDAO.
The SFC suspects that HongKongDAO and BitCuped may be disseminating false and misleading information about itself and its business through online channels:
- An online article falsely claims (among other things) that HongKongDAO has applied for SFC licences to conduct regulated activities, and is bidding for the 'Hong Kong Digital Currency Exchange Licence'.
- BitCuped falsely claims on its website that 'Laura Cha' (HKEX Chairman) and 'Nicolas Aguzin' (HKEX Executive Director and Chief Executive Officer) serve as its Chairman and Chief Executive Officer respectively.
In addition, HongKongDAO appears to operate at least two Telegram groups, one in Chinese with over 10,000 members and the other in English with over 1,700 members. In the Telegram groups, the increase in the purported 'market' price and future market value of the HKD Token appears to be touted to lure investors to purchase the HKD Token.
The SFC warns the public to be cautious about too-good-to-be-true investment opportunities and advice posted on social media platforms and via instant messaging apps. It also reminds investors to stay vigilant and beware of fraud when making investment decisions. [6 Dec 2023]
#VirtualAsset #VATP
FPS x PromptPay Link between Hong Kong and Thailand launched on 4 December 2023 as scheduled
The FPS x PromptPay Link for cross-border QR payment between Hong Kong and Thailand was launched on 4 December 2023 as scheduled.
The initiative, announced in early November 2023 during the Hong Kong Fintech Week (see our previous update) enables travellers from Hong Kong and Thailand to make retail payments by scanning the Hong Kong FPS QR code or Thai PromptPay QR Code displayed by merchants using their mobile payment applications. The service aims to provide a fast, secure, and easily accessible cross-border payment solution, benefiting users with an additional payment option and allowing merchants to receive funds immediately.
The initiative is made possible with collaboration from various stakeholders from both jurisdictions under the joint stewardship of the HKMA and the Bank of Thailand. Participating institutions, including the banks providing QR codes to the merchants supporting this service, can be found here. The authorities believe that this cross-border QR payment service will enhance convenience for travellers and therefore support tourism and economic activities in Hong Kong and Thailand. It will also serve as a catalyst for more collaborations on financial innovations in this region in the coming years. [4 Dec 2023]
#Payments
Singapore
MAS: New digital finance and capital markets initiatives with China
The Monetary Authority of Singapore (MAS) has announced new digital finance and capital markets initiatives to expand its financial cooperation with China. The initiatives comprise of:
- cross-border E-CNY pilot between China and Singapore;
- launch of the Exchange Traded Funds (ETF) product link between the Singapore Exchange (SGX) and Shanghai Stock Exchange (SSE); and
- signing of a memorandum of understanding (MoU) between SGX and Guangzhou Futures Exchange (GFEX). [7 Dec 2023]
#DigitalFinance
Thailand
BoT and HKMA launch QR cross-border payment service
The Bank of Thailand (BoT) and the Hong Kong Monetary Authority (HKMA) have announced the launch of a cross-border QR payment service between Hong Kong and Thailand. The payment service aims to make it easier for people travelling between the two countries to make payments with merchants. [4 Dec 2023]
#QR #Payments
India
RBI Statement on Developmental and Regulatory Policies
The Reserve Bank of India (RBI) has published its Statement setting out various developmental and regulatory policy measures relating to (i) Financial Markets; (ii) Regulations; and (iii) Payment Systems and Fintech. Topics covered in this edition include:
- the regulatory framework for web-aggregation of loan products;
- enhancing unified payments interface (UPI) transaction limits for specified categories;
- e-mandates for recurring online transactions;
- establishment of a cloud facility for the financial sector in India; and
- the set up of the Fintech repository. [8 Dec 2023]
#Cloud #eMandates #aggregation #UPI #FinTechRepository
Vietnam
SBV: Cross-border QR payment between Vietnam and Cambodia
The State Bank of Vietnam (SBV) has announced that the pilot project on cross-border QR payment between Vietnam and Cambodia has been accomplished. The cross-border QR payment is expected to create favourable conditions for better leveraging the potentials for tourist development between the two countries, as well as to contribute to enhance the economic ties between Vietnam and Cambodia by promoting the use of the domestic currencies for the cross-border retail payments. [5 Dec 2023]
#Payments
US
OCC report identifies key risks facing federal banking system
The Office of the Comptroller of the Currency (OCC) has published its Semiannual Risk Perspective for Fall 2023. The OCC highlighted credit, market, operational, and compliance risks, as the key risk themes in the report. Highlights from the report include:
- Operational risk is elevated and cyber threats continue. Banks continue to leverage new technology to further digitalization efforts, offering innovative products and services to meet customer demands. Increasing digitalization efforts can also heighten risk of fraud and error.
- Compliance risk remains elevated. This is due to the heightened focus on ensuring equal access to credit and fair treatment of consumers, the expanded use of innovative technologies for product and service delivery, and expanded partnerships with third parties, such as financial technology firms, and increases in Bank Secrecy Act/Anti-Money Laundering risk.
The report highlights artificial intelligence (AI) in banking as an emerging risk. The potential for further benefits as AI gains more widespread adoption could be significant. Developments in the technology may reduce costs and increase efficiencies; improve products, services, and performance; strengthen risk management and controls; and expand access to credit and other banking services. Widespread adoption of AI, however, may also present significant challenges relating to compliance risk, credit risk, reputation risk, and operational risk. [7 Dec 2023]
#AI #Digitalisation #CyberRisk
OCC Acting Deputy Comptroller's testimony on fintech
The OCC has published the testimony of Deputy Comptroller for Compliance Policy and Acting Deputy Comptroller for the Office of Fintech Donna Murphy before the Subcommittee on Digital Assets, Financial Technology and Inclusion, Committee on Financial Services of the U.S. House of Representatives. Ms Murphy testified on the activities and initiatives of the Office of Fintech. In her written testimony, she highlighted the following areas of supervisory focus: bank-fintech partnerships; AI; digital assets and tokenization; and other new and changing technologies and business models the affect OCC-supervised banks. [5 Dec 2023]
#Fintech #AI #DigitalAsset #Tokenisation
Fed Director of Supervision and Regulation testimony on fintech
The Federal Reserve (Fed) has published the testimony of Michael S. Gibson, Director, Division of Supervision and Regulation before the Subcommittee on Digital Assets, Financial Technology and Inclusion, Committee on Financial Services, U.S. House of Representatives. Mr Gibson spoke about the Fed's approach to supervision and regulating innovation in banking, highlighting the following overarching principles its basis:
- activities that present fundamentally the same risks should be regulated in the same way, regardless of where or how the activity occurs or the terms used to describe the activity;
- not taking a position on who banks can offer services to, so long as they remain within the confines of the law;
- being transparent about expectations and approaches to novel activity supervision and regulation to provide a pathway for responsible innovation; and
- recognizing that the Fed also must continue to learn. [5 Dec 2023]
#Fintech
Disclaimer
Herbert Smith Freehills LLP has a Formal Law Alliance (FLA) with Singapore law firm Prolegis LLC, which provides clients with access to Singapore law advice from Prolegis. The FLA in the name of Herbert Smith Freehills Prolegis allows the two firms to deliver a complementary and seamless legal service.