ICYMI
- Cyber Monthly Wrap-up (UK, EMEA and the US) – December 2024 - January 2025
- January Data Wrap: A snapshot of key regulatory developments
- EU AI Act: The first obligations are now applicable
Global
FSB consults on thematic review of global regulatory framework for cryptoasset activities
The Financial Stability Board (FSB) has announced that it is seeking feedback from stakeholders as part of its thematic peer review of the implementation of the FSB's global regulatory framework for cryptoasset activities (including stablecoins).
Feedback is sought in relation to the following issues:
- the impact of jurisdictional regulatory frameworks where cryptoasset issuers and service providers decide to locate and structure their business;
- experiences and challenges faced by cryptoasset market participants in meeting relevant regulatory and supervisory requirements;
- how financial stability vulnerabilities of cryptoasset activities differ across jurisdictions and how vulnerabilities are evolving as jurisdictions implement regulatory and supervisory frameworks; and
- whether there are specific market practices and/or trends in certain geographies and/or segments that may pose a threat to financial stability.
The objective of the thematic peer review is to examine progress made by FSB member and select non-member jurisdictions in implementing the framework, including any lessons learnt. A summary terms of reference document accompanies the review and provides further details on its objectives, scope, and process. The FSB has already distributed a questionnaire to the jurisdictions.
Responses to the feedback request on the four issues noted above are requested by 28 March 2025. The thematic peer review report is expected to be published in October 2025. [21 Feb 2025] #Crypto
Wolfsberg Group: Guidance on payment transparency - roles and responsibilities
The Wolfsberg Group has published guidance on payment transparency. The guidance provides an overview of the roles played by key actors in a payment chain. It also sets out their respective responsibilities to adhere to payment transparency standards across a sample of commonly observed payment flows and serves as a reference guide that can be used by all payment service providers, regulators, and standard setters.
The guidance supplements, and should be read in conjunction with, the Wolfsberg Group Payment Transparency Standards, published in October 2023. [21 Feb 2025] #Payments
Wolfsberg Group: FAQs on defining digital assets
The Wolfsberg Group has published a set of FAQs on defining digital assets in an emerging financial crime compliance risk environment. The FAQs capture how the group's members conceive of, and conceptualise, key terms associated with digital assets in their engagement with policymakers, supervisors, regulators, and other financial institutions, as well as in developing their own policies and designing appropriate controls. [21 Feb 2025] #Crypto
BIS: AI and relationship lending
The Bank for International Settlements (BIS) has published a research paper on the interaction between banks' adoption of AI in credit scoring and relationship lending.
The findings show that, for a given duration of the lending relationship with a firm, using AI techniques for screening and monitoring mitigates the rent extraction of relationship lending in normal times. However, during the Covid crisis using AI did not provide additional credit or interest rate protection. The paper concludes that AI helps banks to reduce the typical countercyclical effects of relationship lending on firms' credit supply, as well as on their investment and employment decisions. [20 Feb 2025] #AI
CPMI: Acta non verba – interlinking fast payment systems to enhance cross-border payments
The Committee on Payments and Market Infrastructures (CPMI) has published a brief on interlinking fast payment systems to enhance cross-border payments. Highlights include:
- the G7 supports responsible innovation that enables interoperability among new and existing cross-border payment systems, a level playing field for private sector competition and innovation, and the observance of relevant international standards;
- emerging markets and developing economies have made considerable progress in fast payment adoption, laying the foundation for interlinking at the regional and international levels – thus enhancing cross-border payments; and
- the CPMI is committed to delivering on its roadmap actions, focusing on those that support end users that are most disproportionately affected by inefficient cross-border payments and redoubling its efforts to promote implementation at the jurisdictional level. [20 Feb 2025] #Payments
UK
FCA/PSR Feedback Statement: Big Tech and digital wallets
The FCA and Payment Systems Regulator (PSR) have jointly published Feedback Statement 25/1: Big tech and digital wallets (FS25/1), following their July 2024 Call for Information (CfI), which sought to assess the opportunities and risks created by the increasing popularity of digital wallets.
FS25/1 sets out the key opportunities which were identified by stakeholders, including greater convenience, enhanced security measures, and, for some, greater financial inclusion. Respondents also highlighted some areas which could further bolster innovation. [19 Feb 2025] #DigitalWallets #Payments
Europe
EIOPA Q&As under DORA
The European Insurance and Occupational Pensions Authority (EIOPA) has published the following rejected Q&As in relation to the Digital Operational Resilience Act (DORA), with explanations for the rejection:
- DORA037 (rejected because it seeks confirmation of a requirement already clearly set out in the regulation)
- ICT third-party risk management (rejected because some of the issues it deals with are already explained or addressed in DORA (Regulation (EU) 2022/2554) which became applicable on 17 January 2025)
- Oversight framework of CTPPs (rejected because it is out of the scope of this Q&A process)
- ICT risk management (rejected because the issue it deals with is already explained or addressed in Article 3 (Definitions) (19) of Regulation (EU) 2022/2554)
- ICT-related incidents (rejected because the answer can be found in the regulatory text: Article 21 provides details about the joint report assessing the feasibility of further centralisation of ICT-related incident reporting through a single EU HUB) [21 Feb 2025] #DORA #ICT
ECB: Eurosystem expands initiative to settle DLT-based transactions in central bank money
The European Central Bank (ECB) has announced that it has decided to expand its initiative to settle transactions recorded on distributed ledger technology (DLT) in central bank money.
The initiative will follow a two-track approach. First, as soon as feasible, the Eurosystem will develop and implement a safe and efficient platform for such settlements in central bank money through an interoperability link with TARGET Services. A timeline will be announced in due course. Second, the Eurosystem will look into a more integrated, long-term solution for settling DLT-based transactions in central bank money. This will also include international operations, such as foreign exchange settlement.
The aim is to support the use of innovative solutions in market infrastructures while maintaining the safety and efficiency of TARGET Services. The ECB will continue to further analyse new technologies and engage actively with public and private stakeholders. [20 Feb 2025] #DLT
OJ: Regulations supplementing DORA – notification of major ICT incidents
The following regulations relating to the Digital Operational Resilience Act (DORA) have been published in the Official Journal of the European Union (OJ):
- Commission Delegated Regulation supplementing DORA with RTS specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats; and
- Commission Implementing Regulation laying down implementing technical standards (ITS) for the application of DORA with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat.
Both regulations enter into force on the 20th day following publication in the OJ. [20 Feb 2025] #DORA #Cyber #ICT
OJ: Regulations supplementing MiCAR – notification of intention to provide cryptoasset services
The following regulations relating to the Markets in Cryptoassets Regulation (MiCAR) have been published in the OJ:
- Commission Delegated Regulation supplementing MiCAR with regard to RTS specifying the information to be included by certain financial entities in the notification of their intention to provide cryptoasset services; and
- Commission Implementing Regulation laying down ITS for the application of MiCAR with regard to standard forms, templates and procedures for the notification by certain financial entities of their intention to provide cryptoasset services.
Both regulations enter into force on the 20th day following publication in the OJ. [20 Feb 2025] #MiCAR #Crypto
ESAs: Roadmap towards the designation of CTPPs under DORA
The European Supervisory Authorities (ESMA, EBA and EIOPA – the ESAs) have published a roadmap to advance the implementation of the pan-European oversight framework of critical ICT third-party service providers (CTPPs). The objective is to designate the CTPPs under DORA and to start the oversight engagement this year.
To designate the CTPPs in 2025, the ESAs will perform the following steps:
- Collection of the Registers of Information: NCAs are required to submit to the ESAs, by 30 April 2025, the Registers of Information on ICT third-party arrangements received from financial entities.
- Criticality assessments: The ESAs will perform the criticality assessments mandated by DORA and notify ICT third-party service providers of their classification as critical by July 2025. This notification will start a six-week period during which ICT third-party service providers may object to the assessment with a reasoned statement and relevant supporting information.
- Final designation: After the six-week period, the ESAs will designate CTPPs and start oversight engagement with them.
ICT third-party service providers not designated as critical may voluntarily request to be designated as critical once the list of CTPPs is published. The ESAs will provide details on how to request this in due course.
To provide clarity to the market on preparatory activities, the designation process and on the ESAs’ oversight approach, the ESAs plan to organise an online workshop with ICT third-party providers in the second quarter of 2025. [18 Feb 2025] #DORA #ICT
EIOPA: Consultative Expert Group on Data Use in Insurance
EIOPA has announced that it has established a Consultative Expert Group on Data Use in Insurance, following a call for candidates launched in December 2024. The findings of the Consultative Expert Group will support EIOPA’s future work on data sharing and its efforts to address emerging challenges and opportunities in the context of digitalisation.
The Consultative Expert Group is expected to finalise its work within 12 months, starting in March 2025. [18 Feb 2025] #Data
ESMA consults on CASP assessment criteria under MiCAR
ESMA has launched a consultation on the criteria for the assessment of knowledge and competence of cryptoasset service providers’ (CASPs') staff giving information or advice on cryptoassets or cryptoasset services under MiCAR.
In particular, ESMA is seeking views on:
- the minimum requirements regarding knowledge and competence of staff providing information or advice on cryptoassets or cryptoasset services; and
- organisational requirements of CASPs for the assessment, maintenance and updating of knowledge and competence of the staff providing information or advice.
Responses to the consultation are requested by 22 April 2025. ESMA expects to publish a final report in Q3 2025. [17 Feb 2025] #MiCAR #Crypto
Australia
APRA rescinds information paper on cloud outsourcing and ceases ad hoc credit reporting collection
APRA has announced that it has withdrawn its information paper titled 'Outsourcing Involving Cloud Computing Services', released in 2018, in light of CPS 230, an operational risk management standard which comes into effect on 1 July 2025.
It has also ceased the collection of 'ARF 923.0 Covid-19 Capital and Credit', a collection which was initiated in 2020 as part of measures to assist banks with supporting customers impacted by COVID-19. [19 Feb 2025] #Cloud
Hong Kong
SFC makes available materials from cybersecurity webinar sessions held on 17 and 19 February 2025
The SFC has issued a circular to inform licensed corporations, licensed virtual asset service providers, and associated entities that it has attached to the circular (see appendix) the presentation materials from cybersecurity webinar sessions held on 17 and 19 February 2025 (see our previous update).
In addition, information on the Cyber Defender and the Scameter, as mentioned by the Hong Kong Police Force during the webinar sessions, has been made available.
Licensed corporations, licensed virtual asset service providers, and associated entities are encouraged to utilise these resources to stay updated on the latest cybersecurity information. [20 Feb 2025] #Cyber #VirtualAsset
SFC announces 'ASPIRe', a new regulatory roadmap to develop Hong Kong as a global virtual asset hub
The SFC has announced 12 major initiatives to enhance the security, innovation and growth of Hong Kong’s virtual asset market under a five-pillar 'ASPIRe' roadmap, which stands for Access, Safeguards, Products, Infrastructure, and Relationships.
The roadmap is not the final destination but a living blueprint that invites collective efforts to advance Hong Kong’s vision as a global hub where innovation thrives within guardrails. The initiatives will streamline access for global liquidity, enable adaptive compliance and product frameworks focusing on security, and drive infrastructure upgrades for traditional finance to tap into blockchain efficiency.
Pillar A (Access) – Streamline market entry through regulatory clarity
The key objectives of Pillar A are to expand market accessibility, encourage responsible participation, and enhance investor opportunities. The initiatives include:
- Establishing licensing regimes for over-the-counter trading and custody services; and
- Attracting global platforms, order flows and liquidity providers to Hong Kong.
Pillar S (Safeguards) – Optimising compliance burdens without compromising security
The key objectives of Pillar S are to align compliance requirements, adopt risk-proportionate oversight, and promote regulatory clarity. The initiatives include:
- Exploring adopting a dynamic approach to custody technologies and storage ratios;
- Enhancing insurance and compensation frameworks; and
- Clarifying investor onboarding and product categorisation.
Pillar P (Products) – Expand product offerings and services based on investor categorisation
The key objectives of Pillar P are to enable risk-appropriate investment tools, safeguard retail investors, and mitigate potential risks. The initiatives include:
- Exploring a regulatory framework for professional investor-exclusive new token listings and virtual asset derivative trading;
- Exploring virtual asset margin financing requirements aligned with securities market risk management safeguards; and
- Considering allowing staking and borrowing/lending services under clear custody and operational guidelines.
Pillar I (Infrastructure) – Modernise reporting, surveillance and cross-agency collaboration
The key objectives of Pillar I are to strengthen market-wide oversight capabilities, detect illicit activities and misconduct at an early stage, and safeguard investor assets. The initiatives include:
- Considering solutions for efficient regulatory reporting and deploying advanced surveillance tools to detect illicit activities; and
- Strengthening local cross-agency collaboration and promoting cross-border cooperation with global regulators.
Pillar Re (Relationships): Empower investors and industry through education, engagement and transparency
The key objectives of Pillar Re are to enhance investor understanding, foster industry participation, and promote fit-for-purpose policymaking. The initiatives include:
- Considering a regulatory framework for financial influencers (also known as 'finfluencers') to address new investor engagement channels; and
- Cultivating sustainable communication and talent network. [19 Feb 2025] #VirtualAsset
HKMA publishes Adoption Practice Guide on Greentech in the Banking Sector
The HKMA has issued a circular to inform authorised institutions (AIs) that it has published the Adoption Practice Guide on Greentech in the Banking Sector, which explores the adoption of greentech and its potential to facilitate AIs' transition to net zero for both internal operations and financed emissions.
The HKMA's 'Fintech 2025' strategy was launched in June 2021 (see our previous update) and was aimed at encouraging the financial sector to adopt technology comprehensively by 2025, with greentech being a key area of focus. In light of increasing climate-related risks, and further to the FiNETech 3 collaboration in November 2024 (see our previous update), this practice guide aims to provide practical insights and actionable measures for AIs in Hong Kong to advance their net zero transition agenda by leveraging Greentech solutions, as well as a roadmap for integrating sustainability practices seamlessly into their operations.
The HKMA encourages AIs to review the practice guide and consider how greentech can be integrated into their operations responsibly. The practice guide:
- Illustrates the importance of integrating sustainable practices for AIs in Hong Kong from regulatory and supervisory, reputational, and business perspectives;
- Provides an overview of how greentech solutions can support the transition to green and sustainable banking;
- Offers best practices for the net zero transition journey, supported by greentech solutions; and
- Features cases on the adoption of greentech solutions to drive the net zero transition agenda. [18 Feb 2025] Greentech #Fintech
Singapore
MAS: Joint advisory on unauthorised card transactions using contactless payment methods
The Monetary Authority of Singapore (MAS), the Singapore Police Force (SPF) and the Cyber Security Agency of Singapore (CSA) have issued a joint advisory reminding the public to be vigilant when providing credit card credentials to complete online transactions. [17 Feb 2025] #Payments #Fraud
ABS: Banks to step up measures to combat card provisioning scams
The Association of Banks in Singapore (ABS) has announced that major card issuing banks have adjusted their fraud surveillance measures following a rise in phishing scams involving the fraudulent provisioning of debit or credit cards into mobile wallets.
Going forward, banks will require additional verification such as in-app controls or digital token authentication for provisioning cards onto mobile wallets. Card issuing banks are expected to implement such enhancements by July 2025. [17 Feb 2025] #Fraud #Phishing
Thailand
BoT consults on 'Your Data' guidelines
The Bank of Thailand (BoT) has published a consultation on draft guidelines for a mechanism which would allow customers to exercise their right to send their information with financial services and other providers to other service providers under the 'Your Data' Project. Responses are requested by 14 March 2025. BoT expects to publish final guidelines in Q2 2025. [19 Feb 2025] #SmartData #OpenFinance
India
RBI launches RBIDATA app
The Reserve Bank of India (RBI) has announced the launch of RBIDATA, a mobile app that offers macroeconomic and financial statistics relating to the Indian economy. The app also offers quick access to the Database on the Indian Economy portal. [18 Feb 2025] #Data
Philippines
BSP forms cyber resilience council
The Bangko Sentral ng Pilipinas (BSP) has announced the establishment of the Financial Cyber Resilience Governance Council to strengthen the financial system's cyber resilience. The Council will implement the 2024-2029 Financial Services Cyber Resilience Plan, which BSP launched on 6 August 2024. This plan outlines high-level goals and strategies to maintain the integrity and security of the country’s financial system.
The Council will meet quarterly to discuss the success metrics of the FSCRP, review relevant cyber threat reports, and recommend policy enhancements. [19 Feb 2025] #Cyber
US
SEC announces Cyber and Emerging Technologies Unit to protect retail investors
The Securities and Exchange Commission (SEC) has announced the creation of the Cyber and Emerging Technologies Unit (CETU) to focus on combatting cyber-related misconduct and to protect retail investors from bad actors in the emerging technologies space. The CETU, led by Laura D’Allaird, replaces the Crypto Assets and Cyber Unit and is comprised of approximately 30 fraud specialists and attorneys across multiple SEC offices.
The CETU will utilize the staff’s substantial fintech and cyber-related experience to combat misconduct as it relates to securities transactions in the following priority areas:
- fraud committed using emerging technologies, such as AI and machine learning;
- use of social media, the dark web, or false websites to perpetrate fraud;
- hacking to obtain material nonpublic information;
- takeovers of retail brokerage accounts;
- fraud involving blockchain technology and crypto;
- regulated entities’ compliance with cybersecurity rules and regulations; and
- public issuer fraudulent disclosure relating to cybersecurity. [20 Feb 2025] #Cyber #AI #Crypto
Rashid Ahmed
FSR & CCI Professional Support Paralegal, London
Vasuki Balasubramaniam
FSR & CCI Professional Support Paralegal, London
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.