FinTech Global FS Regulatory Round-up - w/e 31 January 2025

ICYMI

• FiDA: Open Finance in the EU?
• Navigating representative actions: takeaways from Getty Images v Stability AI

• International Data Privacy Day: Our predictions for 2025

---

Global

IMF Fintech Notes: Tokenization and Financial Market Inefficiencies

The International Monetary Fund (IMF) has published a report, as part of its Fintech Notes series, entitled Tokenization and Financial Market Inefficiencies. The report introduces a taxonomy and a conceptual framework centred on market inefficiencies to evaluate the consequences of tokenization for financial markets. The report posits that:

•  tokenization may amplify shocks if it induces institutions to become more interconnected and hold lower liquidity buffers or higher leverage, potentially jeopardizing financial stability;
• programs themselves may introduce new risks related to strings of contingent contracts or faulty code; and
•  while competition may grow among financial intermediaries, the provision of market infrastructure could become more concentrated due to network effects. [30 Jan 2025] #Tokenisation

GFIN: Key insights on the use of consumer-facing AI in global financial services

The Global Financial Innovation Network (GFIN) has published a report which outlines key insights on consumer-facing AI and its implications for global financial innovation. The paper is based on the discussions of roundtables hosted by the GFIN AI Project; this activity was co-led by the UK FCA and the Dubai Financial Services Authority (DFSA). The report covers the application of AI to robo-advice, personalised finance and consumer education/information. It also sets out information about approaches to AI being adopted in different jurisdications.

The publication does not represent any regulatory guidance or policy positions by any regulators or international organisations. [27 Jan 2025]  #AI

---

UK

DSIT: Voluntary code for AI cyber security

The Department for Science, Innovation & Technology (DSIT) has published a voluntary Code of Practice, alongside an implementation guide, for the cyber security of AI. The code sets out how organisations using AI can protect themselves from a range of cyber threats. This can include steps such as implementing cyber security training programmes which are focused on AI vulnerabilities, developing recovery plans following potential cyber incidents, and carrying out robust risk assessments.

The code is intended to form the basis of a new global standard for secure AI through the European Telecommunications Standards Institute (ETSI).

The code is not sector specific. [31 Jan 2025]  #AI #Cyber

The Financial Services and Markets Act 2023 (Digital Securities Sandbox) (Amendment) Regulations 2025

The Financial Services and Markets Act 2023 (Digital Securities Sandbox) (Amendment) Regulations 2025 have been made. This statutory instrument (SI) amends the Financial Services and Markets Act 2023 (Digital Securities Sandbox) Regulations 2023 (DSS Regulations). It modifies the effect of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) and makes other minor amendments to the DSS Regulations.

Specifically, it temporarily disapplies the provisions of the MLRs that apply to cryptoassets (and other related concepts as defined in regulation 14A of the MLRs) for activities in scope of the DSS. It does this by inserting a fifth table into the schedule to the DSS Regulations.

The regulations come into force on 3 March 2025. An explanatory memorandum accompanies the SI. [30 Jan 2025]  #Sandbox

PSR: Response to HMG on supporting growth

The PSR has published its response to the Prime Minister's December 2024 letter on the role of regulators in supporting economic growth. The PSR expressed its strong support for the growth mission and outlined five ways the regulator will promote growth in 2025:

• continue to build and embed an efficient and effective whole-system regulatory approach that supports growth;
• encourage innovation;
•  take action on card fees;
•  enable payments infrastructure for the future; and
•  realise the opportunities of open banking. [28 Jan 2025]  #Payments #OpenBanking

FPC responds to Chancellor's recommendations

HMT has published the response of the Financial Policy Committee (FPC) to the Chancellor's November 2024 letter setting out recommendations to the FPC. The response notes that the FPC has made progress over the past year across all four of its medium-term priorities, particularly with respect to setting out its approach to operational resilience as well as the continuation of the programme of cyber stress testing.

The response addresses the series of recommendations and outlines the work of the FPC to help identify, monitor and address systemic risks to the resilience of the UK financial system. It also provides examples of how the FPC has supported its secondary objective in recent years. [28 Jan 2025]  #Cyber

UK Finance: Generative AI in action – opportunities and risk management in financial services

UK Finance has published a report, in collaboration with Accenture, which looks at how generative AI is being used by financial services firms to enhance operations, improve customer engagement, and drive innovation, while carefully managing the associated risks.

The report identifies three key risks linked to generative AI and explains how firms are addressing them:

• Reliability of outputs: generative AI models, particularly Large Language Models (LLMs), could produce bias, errors, or inappropriate language – firms mitigate these risks by carefully selecting models, finetuning them using use case-specific datasets, and ongoing testing of outputs.
•  Data privacy and security: in addition to risks common to many systems, such as inadequate handling of input data, LLMs can produce or reveal personal information in unexpected ways – strong data protection practices and cybersecurity measures are critical, with new measures emerging such as personal information ‘filters’.
• Third-party considerations: relying on external AI providers can reduce control – firms can enhance third-party risk management processes to deal with this. [28 Jan 2025]  #GenAI #AI #LLM #Data

PSR publishes correspondence with BoE – cooperation on CHAPS with regard to APP

The PSR has published its letter to the BoE which sets out how the PSR and the BoE, as the payment system operator of the CHAPS system, will cooperate in relation to the reimbursement of victims of authorised push payment (APP) fraud within CHAPS. In response, the BoE expressed its agreement with the updated principles set out in the PSR's letter. [27 Jan 2025]  #APPFraud #Payments

---

Europe

ESMA: Supervisory Briefing – Authorisation of CASPs under MiCAR

The European Securities and Markets Authority (ESMA) has published a new supervisory briefing as part of an effort to align practices in authorising cryptoasset service providers (CASPs) under the Markets in Cryptoassets Regulation (MiCAR) across the EU.

The briefing sets out ESMA's expectations of applicant CASPs, and of national competent authorities (NCAs), when processing authorisation requests. It covers:

• substance and governance, and the ability of CASPs offering their service in the EU to operate autonomously and with sufficient in-country personnel;
• outsourcing and the effective limits to set regarding the externalisation of functions and services; and 
• suitability of personnel and the importance, particularly for executive management, of having effective technical knowledge of the crypto ecosystem. [31 Jan 2025]  #CASPs #MiCAR #Crypto

EIOPA: Insurance risk dashboard

EIOPA has published its January 2025 insurance risk dashboard. The dashboard shows that risks in the European insurance sector are stable and overall at medium levels, with pockets of vulnerabilities stemming from market volatility and shifts in real estate prices. The dashboard comments on the following risk types: macroeconomic; market; liquidity and funding; solvency and profitability; credit, insurance, market perceptions, interlinkages and imbalances; ESG; and digitalisation and cyber. [31 Jan 2025]  #Digitalisation #Cyber

EC rejects RTS for ICT subcontracting under DORA, requests ESAs amend

The EC has published a letter from John Berrigan, Director-General for Financial Stability, Financial Services and Capital Markets Union (FISMA), to Petra Hielkema, Chair of the Joint Committee of the European Supervisory Authorities (ESAs).

The letter advises that the EC has decided to rejected the draft regulatory technical standards (RTS) for ICT subcontracting under the Digital Operational Resilience Act (DORA). The EC considers that the requirements introduced by article 5 of the draft RTS go beyond the ESAs' mandate under article 30(5) of DORA by introducing requirements not specifically linked to the conditions for subcontracting.

The EC advises that article 5 and the related recital 5 should be removed from the draft RTS to ensure its compliance with the mandate. Once the relevant concerns have been addressed and the necessary modifications made, the EC intends to adopt the RTS.

In terms of next steps, the EC will send the draft RTS back to the ESAs, explaining the reasons for its amendments. The ESAs may amend the draft RTS within a period of six weeks and resubmit it to the EC in the form of a formal opinion. [31 Jan 2025]  #DORA 

OJ: Correction of Commission Delegated Regulation (EU) 2017/2055 under PSD 2

Commission Delegated Regulation (EU) 2025/212 correcting Commission Delegated Regulation (EU) 2017/2055 supplementing the Payment Services Directive 2 (PSD2) with regard to RTS for the cooperation and exchange of information between National Competent Authorities (NCAs) relating to the exercise of the right of establishment and the freedom to provide services of payment institutions, has been published in the Official Journal of the EU (OJ). [31 Jan 2025]  #Payments

EC: Competitiveness Compass for the EU

The EC has presented its Competitiveness Compass which will guide the EC's work in the coming five years and lists priority actions to reignite economic dynamism in Europe. The Compass responds to recommendations regarding the EU's competitiveness which were made in a September 2024 report prepared for the EC by Mario Draghi, a former ECB president and former prime minister of Italy.

The Draghi Report identified three transformational imperatives to boost competitiveness, and the Compass sets out an approach and a selection of flagship measures to translate each of these imperatives into reality:

• closing the innovation gap;
• a joint roadmap for decarbonisation and competitiveness; and
• reducing excessive dependencies and increasing security.

The three pillars are complemented by five horizontal enablers: simplification; lowering barriers to the Single Market; financing competitiveness; promoting skills and quality jobs; and better coordination of policies at EU and national level.

A timeline and non-exhaustive list of planned initiatives is set out at the end of each section of the report.

Among the flagship actions which are positioned under 'closing the innovation gap' imperative are an EU Cloud and AI Development Act, an EU Quantum Strategy and Quantum Act, and a 28th legal regime to 'simplify applicable rules, including relevant aspects of corporate law, insolvency, labour and tax law, and reduce the costs of failure'.  The Savings and Investment Union is positioned as a flagship action under the five horizontal enablers. [29 Jan 2025]  #AI #Quantum

---

Australia

Key issues outlook 2025

ASIC has announced that it has identified the most significant current, ongoing and emerging issues within its regulatory remit in 2025, including:

• Scams and fraud with increasing technological sophistication: Financial frauds and scams continue to evolve, with cryptocurrency and celebrity endorsement impersonations being prevalent. ASIC continues to support the National Anti-Scam Centre by sharing scam intelligence. ASIC has had over 7,300 phishing and investment scam websites taken down since July 2023 and maintains an Investor Alert List.
• Cyber-attacks, data breaches and internal system failures: The digitisation of the financial sector, reliance on third-party service providers and legacy systems are driving continuing risk in this area. ASIC has said that it 'expects directors to ensure their organisation’s risk management framework adequately addresses cyber security threats and that controls are in place to protect assets and information and enhance cyber resilience'. ASIC has a variety of active investigations underway in the cyber security space and will be reviewing cyber and operational resilience in various sectors.

ASIC has said that 'increased market volatility, geopolitical changes, the global accumulation of debt to drive growth, perceived and real inequality of wealth, shifts in the way capital is invested, and advances in artificial intelligence, data and cyber risk, are all key factors influencing the way ASIC views the issues facing Australia’s financial system'.  [24 Jan 2025]  #Cyber #Crypto #Phishing #OpRes #AI

 

---

Hong Kong

SFC to host cybersecurity webinar sessions on 17 and 19 February 2025

The SFC has issued a  circular to inform licensed corporations, licensed virtual asset service providers and associated entities that it will host two cybersecurity webinar sessions on 17 February (Cantonese) and 19 February (English) 2025 respectively.  Information on the speakers and the rundown of the sessions is outlined in the Appendix to the circular. 

The objectives of the webinar are to:

• share the SFC's observations on the report of the 2023/24 thematic cybersecurity review of licensed corporations (see our previous update); and
• raise awareness on emerging cybersecurity threats in Hong Kong.

Each firm should only submit one enrolment form on or before 7 February 2025 and enrolment is limited to a maximum of two representatives per firm.  Places will first be allocated to the first nominee in each of the enrolment forms on a first come first served basis, and any remaining places will be allocated to the second nominee on the same basis.  [24 Jan 2025]  #VirtualAsset #Cyber

 

---

Thailand

BoT enhances measures to tackle mule accounts

The Bank of Thailand (BoT) has announced additional measures to enable banks to take proactive action to prevent risks and solve financial fraud problems more effectively. These include modifications to the conditions for being classified as a mule account by taking into account other factors such as the transfer behaviour of the mule account and the value of the transaction, and a requirement to exchange lists of persons the bank has investigated for suspicious behaviour.  [30 Jan 2025]  #Payments

---

India

RBI amends framework for imposing monetary penalty and compounding of offences

The Reserve Bank of India (RBI) has  announced amendments to the instructions contained in the framework for imposing monetary penalty and compounding of offences under the Payment and Settlement Systems Act, 2007 (PSS Act). The changes were made in view of the amendments to the provisions of the PSS Act, and with the objective of rationalising and consolidating enforcement action by the RBI. [30 Jan 2025]  #Payments

---

US

FINRA publishes 2025 Regulatory Oversight Report

FINRA has published its 2025 Regulatory Oversight Report which comprises observations from across FINRA’s Member Supervision, Market Regulation and Enforcement programs.  The report covers 24 topics, including new content. For each area, the report: identifies the relevant rule(s); summarizes noteworthy findings or observations, as well as effective practices observed, from recent oversight activities; and provides additional resources that may be helpful to member firms in reviewing their supervisory procedures and controls and fulfilling their compliance obligations.

New content covered in the 2025 report included: the third-party risk landscape; sales practice and Reg BI compliance regarding complex products; extended hours trading; AI, including GenAI; investment fraud by bad actors that directly targets investors; FINRA rules concerning the Remote Inspections Pilot Program and Residential Supervisory Location designation; and trade reporting enhancements for fractional share transactions.  [28 Jan 2025] #AI #GenAI