FinTech Global FS Regulatory Round-up - w/e 17 January 2025

ICYMI

• UK Government's Latest Counter-Ransomware Proposals: Implications for Public Bodies, Businesses and Individuals
• December Data Wrap: A snapshopt of key regulatory developments
• EDPB issues Opinion on personal data in AI models

Global

BIS Innovation Hub: 2025-26 work programme

The Bank for International Settlements (BIS) Innovation Hub has published an update which provides details of its 2025-26 work programme. The work programme will focus on strengthening horizon scanning activities to track new technological developments and identify gaps for further central bank innovation. The BIS will also deepen collaboration on technological innovation among its network of central bank experts. The first two new projects of 2025 will explore AI-based tools supporting supervision and green finance.

At the start of 2025, the BIS Innovation Hub's project portfolio consisted of 26 active projects and 31 projects completed since its establishment in 2019. 16 new projects were started in 2024. [14 Jan 2025] #Tech #AI #CBDC #Quantum #Crypto #Payments #Cyber

UK

FCA: Letter to Prime Minister regarding growth objectives

The FCA has published a letter to the Prime Minister, in response to the Prime Minister's December 2024 letter, and Chancellor's recommendations, on growth.

The letter asks for the Prime Minister's backing of the FCA's approach to achieving growth over the next five years, and sets out areas where further Government action could enhance this. Among others, these include accelerating digital innovation to enhance productivity. In pursuance of its 'digital first' ambition, the FCA seeks a UK financial services digital infrastructure plan which will align with the Government's AI plan. The FCA considers that accelerating T+1 adoption and moving to an electronic form of securities will make markets more efficient. In addition to its planned work on open banking and open finance with the Payment Systems Regulator (PSR), the FCA is also considering removing the £100 contactless limit and setting new digital service standards. The FCA believes that Government action on digital identity, enhancing the quality of the Companies House database, and digitisation of court systems could facilitate some of its work. [17 Jan 2025] #AI #T+1 #Payments #DigitalID

PSR: Updated strategy to deliver competition, innovation, and growth

The Payment Systems Regulator (PSR) has published its commitments for the next two years following the mid-term review of its five-year Strategy. These commitments set out the PSR's programme of delivery as the regulator seeks to 'achieve world-leading payment systems'.

The review reflects extensive engagement with stakeholders, trends in payments – both in the UK and abroad, the Government’s growth mission, and the impact of the National Payments Vision (NPV). [16 Jan 2025] #Payments #OpenBanking #APPScams

Pensions Dashboard: Updated draft reporting standards

The Pensions Dashboards Programme (PDP) has published a blog which discusses its updated draft reporting standards. The standards set out the requirements on pension providers and schemes for generating and recording operational information and reporting it to the Money and Pensions Service (MaPS).

The PDP does not expect to make significant changes to the reporting standards before seeking formal approval from the Secretary of State for Work and Pensions, with a view to publish the final standards in Q1 2025. [15 Jan 2025] #Pensions

BoE publishes progress report and design note on digital pound

The Bank of England (BoE) has published a progress report on its work over the past year on a digital pound, including how it relates to developments in the payments landscape, including the National Payments Vision (NPV). The BoE confirmed that no decision has been made on whether to proceed with a digital pound. After completing the design phase over the next couple of years, including taking account of developments in the wider payments landscape, the BoE and HM Government (HMG) will determine whether or not to proceed.

Alongside this progress report, the BoE has published a design note outlining its initial thinking on the potential aims, scope and focus areas of a digital pound blueprint.

The blueprint is one of four workstreams in the digital pound design phase. Its purpose is to provide a comprehensive proposition for a digital pound, including technology, operational, ecosystem, commercial, regulatory and financial considerations, and the roles that both the BoE and the private sector could play in delivering it. While the design note is not the blueprint, it identifies the key components the BoE and HM Treasury (HMT) will explore in developing the blueprint.

The BoE welcomes feedback on the considerations set out in this design note, and in particular whether the components proposed provide a suitable set of topics for the blueprint.

The BoE expects to publish regular future progress updates, supplemented also by design notes on specific topics related to a digital pound. [14 Jan 2025] #CBDC

Europe

ESAs: Joint report on feasibility for further centralisation of reporting of major ICT incidents

The European Supervisory Authorities (ESMA, EBA and EIOPA – the ESAs) have published a report on the feasibility of further centralisation in the reporting of major ICT-related incidents by financial entities according to Article 21 of the Digital Operational Resilience Act (DORA).

In line with the DORA mandate, the ESAs’ joint report explores the potential for further centralisation regarding financial entities’ reporting of major ICT-related incidents to National Competent Authorities (NCAs).

The report assesses the feasibility of three different models: the baseline model; a model with enhanced data sharing arrangements; and a fully centralised model. It considers the potential burden and cost reductions, as well as the efficiency and effectiveness gains that each model would bring for cross-sector supervisory practices.

The joint report has been submitted to the European Parliament, the Council and the Commission, which will consider its findings for potential future developments in relation to the further centralisation of major ICT-related incident reporting in the financial sector. [17 Jan 2025] #DORA

EBA repeals guidelines on major incident reporting under the revised PSD

The European Banking Authority (EBA) has announced that it has repealed its guidelines on major incidents reporting under the Payment Services Directive 2 (PSD 2) due to the application of harmonised incident reporting under the Digital Operational Resilience Act (DORA), which comes into effect on 17 January 2025. The repeal of the guidelines is intended to simplify the reporting of major incidents by payment service providers (PSPs) and provide legal certainty to the market.

DORA introduces harmonised incident reporting requirements that apply to financial entities across the banking, securities/markets, insurance and pensions sectors. While DORA disapplies the incident reporting requirements under PSD 2 for most PSPs, namely credit institutions, payment institutions, e-money institutions and account information service providers, incident reporting requirements under PSD 2 still apply for other types of PSPs e.g. post-office giro institutions and credit unions) that are not covered by DORA. [17 Jan 2025] #DORA

EBA Q&As

The EBA has published the following Q&As:

• payment Initiation Service Provider (PISP) payment order cancellation for fraud prevention reasons;
• an Electronic Money Institution's (EMI's) application of negative interest rates to its clients; and
• definition of electronic money [17 Jan 2025] #Payments #EMI #ElectronicMoney

ESMA/EBA: Joint report on recent developments in cryptoassets

The European Securities and Markets Authority (ESMA) and the EBA have published a joint report on recent developments in cryptoassets, analysing decentralised finance (DeFi) and crypto lending, borrowing and staking. The report constitutes the regulators'  contribution to the European Commission’s (EC's) report to the European Parliament (EP) and Council under Article 142 of the Markets in Cryptoassets Regulation (MiCAR).

The regulators observations include:

• DeFi remains a niche phenomenon, with value locked in DeFi protocols representing 4% of all cryptoasset market value at the global level. EU adoption of DeFi, while above the global average, is lower than other developed economies (eg, the US, South Korea);
• the number of DeFi hacks and the value of stolen cryptoassets has generally evolved in correlation with the DeFi market size. Since flows on decentralised exchanges represent 10% of spot crypto trading volumes globally, DeFi protocols present significant risks of money laundering and terrorist financing (ML/TF); and
• the implications of maximal extractable value (MEV) on DeFi markets are widespread in DeFi and negative externalities of MEV would require technical solutions.

On the lending, borrowing and staking of cryptoassets, the report contains an analysis of the main types and typical features of the business models observed in the market, in both centralised and decentralised forms. These services are offered by a number of cryptoasset service providers (CASPs) in EU jurisdictions which, in some cases, also offer regulated cryptoasset services.

Based on the existing (limited) evidence, there appears to be limited engagement of EU consumers and financial institutions with crypto lending, borrowing and staking services. The report sets out and assesses the specific risks associated with each of them. [16 Jan 2025] #Crypto #DeFi

EBA Staff Paper: Predicting bank distress in Europe using machine learning

The EBA has published a Staff Paper: Predicting Bank Distress in Europe Using Machine Learning and a Novel Definition of Distress.  This paper develops an early warning system for predicting distress for large European banks. The authors investigate the performance of three machine learning techniques against the traditional logistic model using a novel definition of distress derived from banks’ headroom above regulatory requirements. The research reveals that the random forest model shows superior performance both out-of-sample and out-of-time. The authors also employ a series of sampling techniques showing that they significantly improve the ability to identify distress events irrespective of the model used. Moreover, the authors contend that ensemble techniques can help improve performance relative to the single best performing model. Finally, using the latest machine learning interpretability tools, the authors show that the variables closely tied to bank profitability and solvency are important drivers for predicting bank distress.

EBA Staff Papers Series describe research in progress by the author(s) and are published to elicit comments and to further debate. Any views expressed cannot be taken to represent those of the EBA or to state EBA policy. [15 Jan 2025] #MachineLearning #AI

ECB: Navigating the risk landscape 2025-27

The European Central Bank (ECB) has published a blog post: Navigating the risk landscape: supervisory priorities 2025-27. In the post, authors Sharon Donnery (member of the ECB Supervisory Board) and Mario Quagliariello (Director of Supervisory Strategy and Risk) discuss the key priorities that the ECB Supervisory Board has determined will guide the ECB's supervisory work over the next three years. These priorities include:

• remediating persistent and material shortcomings in areas subject to intense supervisory scrutiny – to achieve this, banks need to have adequate and effective risk data aggregation and risk reporting (RDARR) frameworks in place; and
• addressing challenges arising from digitalisation and the use of new technologies – the evolving cyber threat landscape plays a crucial role here, as digital advances might compromise banks’ operational resilience. [14 Jan 2025] #DataAggregation #Cyber #Digitalisation #OpRes

EACH: Policy paper on the scope of ICT services under DORA

The European Association of Central Counterparty Clearing Houses (EACH) has published its joint position paper with the Federation of European Securities Exchanges (FESE) and the Futures Industry Association (FIA) regarding the potential treatment of EU and non-EU regulated financial services under DORA. The paper raises concerns about the potential impacts to implementation and compliance, supervision and oversight, and broader anticompetitive impacts to the market. It urges the European Commission (EC) to clarify that financial services provided by EU and non-EU firms to financial entities are not considered ‘ICT services’ under DORA. It also urges the EC to adopt an expansive approach to any exemption granted to regulated financial services that includes encompassing non-EU regulated financial services. [13 Jan 2025] #DORA

Hong Kong

SFC extends swift licensing process to new VATP applicants and shares expected standards of conduct for VATP operators and findings from on-site inspections

The SFC has announced that all new virtual asset trading platform (VATP) applicants can seek licences under its swift licensing process.  The extension of the process to new VATP applicants is made in light of the effectiveness of the SFC’s direct engagement and communication with deemed-to-be-licensed VATP applicants on the regulatory standards during its risk-based on-site inspections of such applicants (see our previous update).

In a circular, the SFC explains that under the enhanced licensing process, VATP applicants will be required to engage an external assessor to perform an external assessment after deploying all relevant systems and controls.  VATPs will no longer be required to conduct the first-phase and second-phase assessments – there will only be one external assessment throughout the licensing application process.  The SFC will become a party to the engagement for the external assessment to be conducted by VATP applicants and will supervise the overall external assessment process. 

The SFC has also revamped the external assessment to enhance its effectiveness.  It will focus on ensuring that a VATP applicant’s policies, procedures, systems and controls (P&P) are suitably designed and implemented.  The VATP applicant must notify the SFC and the external assessor of any subsequent material changes to its P&P as soon as practicable.  To ensure robustness, the SFC requires the assessment to be performed as a direct assurance engagement and signed off by a practising certified public accountant. 

The circular sets out the application procedures and includes a flowchart in an Appendix to illustrate the process.

To provide further guidance to new VATP applicants, the SFC has issued a circular to share its findings from the inspections of deemed-to-be-licensed VATP applicants and the expected standards of conduct for VATP operators on areas including cybersecurity, protection of client virtual assets, and know your client process.  [16 Jan 2025] #VirtualAssets #Crypto #Cyber

HKMA launches industry consultation on proposals for implementation of prudential treatment of cryptoasset exposures, seeking feedback by 20 February 2025

The HKMA has issued letters to The Hong Kong Association of Banks and The DTC Association to consult the industry on amendments to the Banking (Capital) Rules (BCR) and the Banking (Disclosure) Rules (BDR) for the implementation of the prudential treatment of cryptoasset exposures held by authorised institutions.  This follows a preliminary consultation which closed on 6 May 2024 (see our previous update).  Feedback on the proposals is required to be submitted by 20 February 2025.

The proposed amendments to the BCR relate to the introduction of the new capital framework for cryptoasset exposures by the Basel Committee on Banking Supervision (BCBS) in its 'Prudential treatment of cryptoasset exposures' standard issued in December 2022 and the subsequent amendments set out in its 'Cryptoasset standard amendments' issued in July 2024.  These standards have been integrated into the consolidated Basel Framework under the chapter of SCO60, which will take effect on 1 January 2026.

The proposed amendments to the BDR mainly implement the new disclosure requirements relevant to AIs’ exposures to cryptoassets, as set out in the BCBS's 'Disclosure of cryptoasset exposures' issued in July 2024, which have been incorporated into the consolidated Basel Framework by way of a new chapter DIS55 that takes effect on 1 January 2026.

The HKMA intends to put the amended BCR and BDR into effect on 1 January 2026, in line with the Basel timeline.  Where necessary, supplementary guidance (such as those in the form of frequently asked questions or Supervisory Policy Manual modules) will be issued to facilitate the operation of the amended rules.  [13 Jan 2025] #Crypto

SFC warns public of unlicensed VATP

The SFC has warned the public of an unlicensed virtual asset trading platform (VATP) operating in the name of 'International Standard Carbon Assets Technology Co., Limited', which is also known as 'iSCAT' or 'iSCAT Exchange'.

'iSCAT' and/or 'iSCAT Exchange' has not been licensed by the SFC but has purported to be a VATP operating in Hong Kong.  It claimed to provide cryptocurrency trading services and used social media platforms to refer investors to its website and mobile application for investment in cryptocurrencies.  The SFC has posted the entity's names and website on its Suspicious Virtual Asset Trading Platforms Alert List. 

Under the Securities and Futures Ordinance and the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, it is an offence to carry on a business in a regulated activity and a business of providing a virtual asset service in Hong Kong, and/or actively market such services to Hong Kong investors, without a licence.  The SFC states that it will not hesitate to take enforcement action against fraudulent or unlicensed VATPs in Hong Kong where appropriate.  [10 Jan 2025] #VirtualAssets #Crypto

Malaysia

SCM statement on crypto policy

The Securities Commission Malaysia (SCM) has issued a statement welcoming Prime Minister Anwar Ibrahim’s announcement to explore a digital finance policy that recognises cryptocurrency and blockchain technology.  [16 Jan] 2025 #Crypto

Thailand

SECT amends regulations on digital asset investment of mutual funds and private funds

The Securities and Exchange Commission Thailand (SECT) has amended the regulations concerning investment in digital assets by mutual funds and private funds. The amendments seek to ensure fairness in the provision of foreign investment to high net worth (HNW) investors through securities companies and asset management companies and to support asset allocation by fund managers. [16 Jan 2025] #DigitalAssets

SECT consults on amendments regarding the advertising of digital asset business operators

The SECT has published a consultation on proposed amendments to the regulations regarding the advertising of digital asset business operators. The proposals are aimed at building investors’ awareness of the risks associated with digital asset investments and enhancing digital asset business operators’ responsible advertising practices. Responses to the consultation are requested by 29 January 2025.  [15 Jan 2025] #DigitalAssets

Vietnam

SBV: Vietnam and Laos launch framework for local currency settlement and cross-border QR code payment connectivity

The State Bank of Vietnam (SBV) has announced the launch of a framework for local currency settlement and a bilateral retail payment connectivity service using QR codes between Vietnam and Laos.  [10 Jan 2025] #Payments #QRCodes

US

CFPB: Request for information on privacy of consumer payment data and other financial transactions and proposed interpretive rule on the applicability of the Electronic Fund Transfer Act

The Consumer Financial Protection Bureau (CFPB) has announced that it is seeking public input on strengthening privacy protections and preventing harmful surveillance in digital payments, particularly those offered through large technology platforms. The agency is requesting comment on implementing existing financial privacy law and how to address intrusive data collection and personalized pricing. Responses to the Request for Information are requested by April 11, 2025.

Additionally, the CFPB is requesting comment on a proposed interpretive rule outlining how the Electronic Fund Transfer Act, which provides consumers with protections against errors and fraud, applies to new types of digital payment mechanisms, such as those currently offered through large technology companies and video gaming platforms, as well as stablecoins and other digital currencies that are not widely used in consumer transactions. Comments in response to the proposed interpretive rule are requested by March 31, 2025.  [10 Jan 2025] #Payments #DigitalCurrencies