ICYMI


Global

BCBS: 2025/26 work programme and strategic priorities

The Basel Committee on Banking Supervision (BCBS) has published its work programme and strategic priorities for 2025/26. The key themes of the BCBS's 2025-26 work programme include digitalisation of finance, which covers AI-related issues and cryptoasset market developments.

The Group of Central Bank Governors and Heads of Supervision (GHOS), the oversight body of the BCBS, met on 4 February to endorse the work programme and agreed to take stock of the BCBS's work on climate-related financial risks later in 2025. [5 Feb 2025]  #AI #Crypto

FATF: Annual report 2023-2024

The Financial Action Task Force (FATF) has published its annual report for 2023-24 which outlines its work to prevent the abuse of the international financial system, and to strengthen foundations for sustainable and more inclusive economic development.

The 2023-24 report includes FATF's work on virtual assets, particularly the publication of a list of jurisdictions with materially important virtual asset service provider (VASP) activity and the steps they have taken to encourage and implement global implementation of FATF’s requirements. [3 Feb 2025]  #VirtualAsset


UK

PSR: PS – Compliance Monitoring Framework

The Payment Systems Regulator (PSR) has published PS25/2 – The PSR’s Compliance Monitoring Framework. The framework explains how the PSR carries out its monitoring work, including the steps that it takes when evaluating firms’ compliance with various requirements, including: general directions, specific directions and specific requirements; the UK Interchange Fee Regulation (IFR); Regulations 61 and 103 of the Payment Services Regulations 2017 (PSRs); and the designation of alternative switching schemes under the Payment Accounts Regulations 2015.

The PSR Compliance Team works with, but is separate to, the Supervision Team which focuses on supervision of the payment system operators (PSOs). [5 Feb 2025] #Payments

FCA sets out supervisory priorities for firms in the payments sector

The FCA has published a template version of its portfolio letter to CEOs in the payments sector. The letter sets out the FCA's supervisory priorities for firms authorised or registered under the Payment Services Regulations 2017 (PSRs) and the Electronic Money Regulations 2011 (EMRs).

In the interests of preventing harm to consumers and maintaining the integrity of the financial system, the FCA has specified three key outcomes that it expects firms to achieve:

  • effective competition and innovation to meet customers’ needs, characteristics and objectives – the FCA encourages firms to attend its Tech and Policy Sprints, and advises that it will also be monitoring firms' compliance with the Consumer Duty, examining in particular the clarity of foreign exchange pricing in payment services;
  • firms must not compromise financial system integrity – the FCA expects firms to focus on reducing and preventing financial crime, and minimising operational disruptions; and
  • firms must keep customers’ money safe – the FCA expects firms to focus on safeguarding, prudential risk, and wind-down planning.

The FCA expects firms and their Boards to discuss the letter and take the necessary steps to deliver these outcomes; it will be engaging with firms to ensure this has taken place. [3 Feb 2025]  #Payments

TSC: Inquiry into AI in financial services

The Treasury Select Committee (TSC) has opened an inquiry into AI in financial services. The inquiry has a broad scope, with Committee members interested to hear evidence on how the UK financial services industry might take advantage of the opportunities which AI presents while mitigating threats to financial stability and consumers.  A call for evidence accompanies the launch of the inquiry, with input requested by 17 March 2025. [3 Feb 2025]  #AI


Europe

EBA: Opinion on amendments to RTS on conflicts of interests for issuers of ARTs

The EBA has published an opinion on the European Commission’s (EC's) amendments to the final draft Regulatory Technical Standards (RTS) on conflicts of interests for issuers of asset-referenced tokens (ARTs) supplementing the Markets in Cryptoassets Regulation (MiCAR).

The EBA agrees with the substantive changes proposed by the EC, which favour proportionality, as well as with the other amendments which are considered non-substantive. [5 Feb 2025]  #Crypto

EBA: Final draft ITS on uniform reporting under SEPA

The EBA has published its final report on draft Implementing Technical Standards (ITS) on reporting of data on charges for credit transfers and payments accounts, and shares of rejected transactions. The ITS deliver on the mandate in the Instant Payment Regulation (IPR), amending the Single Euro Payments Area (SEPA) Regulation, and are aimed at standardising reporting from payment service providers (PSPs) to their National Competent Authorities (NCAs).

Following its public consultation, the EBA has postponed the first harmonised reporting from PSPs by 12 months, from April 2025 to April 2026, and the subsequent reporting from the NCAs to the EBA and the European Commission (EC) to October 2026.  The EBA notes that, until the first reporting, NCAs should: deprioritise collecting data from PSPs; discourage the provision of unharmonised reporting prior to the availability of the EBA’s taxonomy, datapoint model and validation rules; and not take enforcement action in relation to PSPs that do not report in 2025. [4 Feb 2025]  #Payments

EBA speech: Integrated reporting in the EU and FiDA

The EBA has published a keynote speech by its Chair, Jose Manuel Campa, delivered at the 9th annual Afore Consulting fintech conference. Mr Campa discussed the elements needed to establish an integrated reporting system and open finance, the foundations of which have been set out in the Financial Data Access Act (FiDA). (For more on FiDA, see our recent article here.) [4 Feb 2025]  #OpenFinance


Australia

Scams Prevention Framework – Protecting Australians from scams

The Australian Treasury released a guide on the Scams Prevention Framework (under the Scams Prevention Framework Bill 2024 (Cth) which has not yet been assented to) (SPF). The guide notes that the SPF will lift 'the bar across the economy by setting out consistent and enforceable obligations for businesses in key sectors where scammers operate'. The guide provides information on the SPF, including on:

  • the roles of various entities in scam prevention, stating that banks, certain digital platforms and telecommunication providers will be the first sectors required to comply with the SPF;
  • what is and isn’t a scam under the SPF;
  • steps to prevent scams, with the SPF requiring regulated businesses to take reasonable steps to prevent, detect and disrupt scams;
  • sectors’ obligations, including that, while the SPF codes will set out the baseline steps that businesses will need to take, mandatory industry codes of conduct will be introduced which set out specific obligations for each sector – the sector codes for the three initial sectors are expected to be developed through consultation with industry and consumers in 2025;
  • intelligence sharing, including the requirement on businesses to share scam intelligence with the Australian Competition and Consumer Commission, which will then distribute it to other businesses, law enforcement and international partners; and
  • consumer compensation where businesses have not met their obligations resulting in the consumer suffering a loss – the guide notes that 'consumers will have clear and accessible pathways to report a scam or make a complaint to the business' and that, under the SPF, businesses will be required 'to have accessible and transparent internal dispute resolution (IDR) processes to manage consumer complaints'. If IDR is not successful, consumers will be able to make a claim with the Australian Financial Complaints Authority or in court. [3 Feb 2025]  #Fraud #Scam

 


Hong Kong

SFC publishes circular and report following 2023/24 thematic cybersecurity review and announces plan to comprehensively review requirements and develop industry-wide cybersecurity framework in 2025

The SFC has issued a circular (with appendix) to inform licensed corporations (LCs) that it has published its Report on the 2023/24 Thematic Cybersecurity Review of Licensed Corporations and to set out expected standards relating to cybersecurity.  The report is based on:

  • The SFC’s recent thematic review (see our previous update) of selected internet brokers’ compliance with its main code of conduct and Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (collectively, Cybersecurity Requirements); and
  • Cybersecurity incidents reported by LCs in recent years.

The SFC notes that LCs reported eight material cybersecurity incidents between 2021 and 2024, and that some of these incidents had caused significant business disruptions or hacking of client accounts. 

Compared to the 2020 review (see our previous update), the SFC noted an improvement in compliance with some of the Cybersecurity Requirements and expected standards, including mobile security.  However, there are still deficiencies in certain critical areas, which may expose internet brokers to significant cybersecurity risks.  There is also a lack of audit trail in key systems and servers, hindering LCs' ability to conduct regular monitoring and investigations.

The SFC reminds LCs to implement adequate cybersecurity controls to protect their systems, client accounts and data, particularly in respect of network security, patch management, data encryption, user access rights, audit logs, and monitoring client accounts.

LCs should also implement policies and procedures on the management and supervision of external service providers (including cloud services) and ensure their compliance with the relevant Cybersecurity Requirements.  The SFC sets out its expected standards in the following areas in the appendix to the circular:

  • Phishing detection and prevention;
  • End-of-life software management;
  • Remote access;
  • Third-party service provider management; and
  • Cloud security.

The SFC reiterates that senior management, in particular the manager-in-charge of information technology, is ultimately responsible for the identification, monitoring and mitigation of cybersecurity risks faced by LCs. 

The requirements in the circular take immediate effect.  LCs should critically review their cybersecurity framework, procedures and controls and their systems and network to ensure they meet the expected standards of conduct.  The SFC recognises that some LCs may need more time to update their systems and will take a pragmatic approach in assessing compliance.

The existing Cybersecurity Requirements primarily focus on internet brokers.  However, with LCs' increasing dependence on technology for their critical operations, those engaging in non-internet trading business are equally susceptible to cyber-attacks.  The SFC plans to comprehensively review the existing Cybersecurity Requirements and expected standards in 2025, and develop an industry-wide cybersecurity framework to guide LCs in better managing cybersecurity risks.

The SFC and the Hong Kong Police Force will host cybersecurity webinars on 17 and 19 February 2025 to share the findings of the thematic review and the common cybersecurity threats (see our previous update).  [6 Feb 2025]  #Cyber

 


Malaysia

BNM sets out regulatory requirements and guidance for EMIs

Bank Negara Malaysia (BNM) has published a policy document setting out regulatory requirements and guidance for electronic money issuers (EMIs) approved pursuant to section 11 of the Financial Services Act 2013 (FSA) or the Islamic Financial Services Act 2013 (IFSA).

The requirements in the policy document are intended to ensure the safety and reliability of e-money issued by EMIs, and aim to preserve confidence in using or accepting e-money for the payment of goods and services.

The policy document is supplemented by a feedback statement which responds to consultation feedback  and revised FAQs.  [31 Jan 2025]  #E-Money

 


Indonesia

OJK revises insurance sector regulation, expands business scope

The Indonesian Financial Services Authority (OJK) has issued OJK Regulation No. 36 of 2024 on amendment to the OJK Regulation No. 69 of 2016 on the Operation of Insurance Companies, Sharia Insurance Companies, Reinsurance Companies, and Sharia Reinsurance Companies (the 'OJK Regulation 36', in Indonesian language). The regulation will take effect on 23 June 2025.

This regulation, among others, expands the scope of permitted business activities and introduces a new regulatory framework for digital insurance services.

  • Expansion of business scope: One of the key changes introduced by OJK Regulation 36 is the inclusion of the expansion of fee-based business activities for life insurance companies, sharia life insurance companies, and sharia units within life insurance companies. Once the regulation takes effect, general insurance companies and life insurance companies (either sharia or non-sharia) will also be permitted to enter into partnerships within a single ownership structure for a fee-based business activity.
  • Governance on digital insurance service: OJK Regulation 36 clarifies the scope of digital insurance services and sets out a list of requirements and supporting documents that companies must submit to OJK to obtain approval for fully digital insurance operations. Once OJK approval is granted, the company must register as an electronic system provider and commence its digital insurance activities within 30 days of registration. Insurance companies offering digital services may collaborate with, among others, licensed payment service providers and IT service providers.  [7 Feb 2025]  #DigitalInsurance

India

RBI statement on developmental and regulatory policies

The Reserve Bank of India's (RBI's) latest statement on policy measures has been released. Measures covered include:

Cybersecurity:

  • In response to increased instances of fraud in digital payments, which are a significant concern, the RBI is introducing an exclusive internet domain for Indian banks. Registrations will commence from April 2025. Detailed guidelines for banks will be issued separately. Going forward, it is planned to have an exclusive domain for other non-bank entities in the financial sector.

Payment Systems:

  • In order to provide a similar level of safety for online international transactions using cards issued in India, the RBI will propose enabling additional factor of authentication (AFA) for international card not present (online) transactions. A draft circular will be issued 'shortly' for feedback. [7 Feb 2025]  #Cyber #Payments

Key contacts

Cat Dankos

Regulatory Consultant, London

Rashid Ahmed

FSR & CCI Professional Support Paralegal, London

Vasuki Balasubramaniam

FSR & CCI Professional Support Paralegal, London
