FinTech Global FS Regulatory Round-up - w/e 11 October 2024

ICYMI

• Facing into the UK's APP Fraud Reimbursement Requirement

• Biannual Banking Litigation Update (Autumn 2024) (UK)

---

Global

IOSCO: Final Report – Investor education on cryptoassets

The International Organization of Securities Commissions (IOSCO) has published its Investor Education on Cryptoassets Final Report. The report summarises the results of a survey distributed to members of IOSCO’s Committee for Retail Investors (known as 'C8') in autumn 2023 about retail investor behaviour, demographics, and experiences with cryptoassets.

The report highlights examples of regulatory changes and enforcement activity by C8 members since December 2020 and suggests specific investor education messages that C8 members may wish to consider when delivering education regarding cryptoassets in their local jurisdiction. These messages relate to the risks associated with cryptoassets, as well reminding consumers to be alert to the lack of basic investor protections, potentially misleading financial promotions and fraudsters.  [9 Oct 2024] #Crypto

---

UK

HMT: Final TWG report – AI usage in investment management

HM Treasury's (HMT's) industry-led Technology Working Group (TWG) has published its third and final report: Intelligent Investment: AI Deployment Strategies for UK Investment Management Firms. The report explores existing and future use cases for artificial intelligence (AI) within the UK’s asset management sector, as well as the barriers firms have or are anticipated to encounter in adopting AI. It builds upon the earlier phases of the TWG’s work which focused on the application of distributed ledger technology (DLT) through investment fund tokenisation.

This report's key recommendations for policymakers and industry include:

• Establishing regulatory clarity and consistency to enable developers and users of AI to plan and invest with confidence. The TWG has recommended closer coordination between regulators and the further development of AI standards and is supportive on the current direction of UK Government travel.
• Building a UK fintech ecosystem with strong international connections that investment management firms can leverage to gain access to innovative solutions, specialised knowledge and valuable insights.
• Joint public and private sector action on AI-enabled fraud, to combat malicious actors and fight cybercrime and misinformation. This will be fundamental to building public trust in AI and supporting innovation efforts by well-intentioned organisations.
• Managing systemic risk through collective understanding and identifying best practice in risk management. The changing profile of systemic risk in the financial sector should not be a reason to hold back from innovating. [10 Oct 2024] #AI #DLT #Tokenisation #Cyber

FCA: Market abuse surveillance Techsprint

The FCA has published the results of its market abuse surveillance Techsprint, which covered a three-month period beginning in May 2024 and explored how advanced solutions leveraging AI and machine learning (ML) could help detect evolving forms of market abuse.

The Techsprint aimed to tackle three set problem statements, looking at how AI and advanced analytics can:

• improve accuracy and frequency of post-trade market surveillance alerts and signals;
• help identify instances of complex types of market abuse that traditional rules-based surveillance tools struggle to identify; and
• help identify market and trading anomalies indicative of market abuse, manipulative strategies, and disruptive trading practices.

The solutions developed included:

• AI/ML models such as isolation forests to reduce false positives and improve the accuracy of alerts, ensuring that genuine cases of market abuse are identified more reliably;
• anomaly detection techniques such as Bayesian Network Analysis to identify unusual trading patterns indicative of manipulative strategies and disruptive trading practices based on historical data; and
• the application of econophysics theory and kinetic energy models to identify subtle price changes in orderbook data and large language models to contextualise outliers and filter out false positives. [9 Oct 2024] #AI #MachineLearning #DataAnalysis 

The Payment Services (Amendment) Regulations 2024

The Payment Services (Amendment) Regulations 2024 has been made. This statutory instrument (SI) allows the payer's payment service provider (PSP) to delay the crediting of the payee’s PSP's account for certain in-scope payments (being outbound authorised push payments wholly executed in the UK in sterling) by up to a further 72 hours (D+4). Ordinarily, the Payment Services Regulations 2017 require the payee’s account to be credited by the end of the business day following receipt of the payment order (D+1).

Delaying the payment to D+4 is permissible only when the payer’s PSP has established that there are reasonable grounds to suspect that the payment order has been placed subsequent to fraud or dishonesty perpetrated by someone other than the payer. Such grounds must have been established by the end of D+1, and where more time is needed for the PSP to contact the payer or a relevant third party to make further enquiries in order to establish whether it should execute the payment order.

This SI comes into force on 30 October 2024. An explanatory memorandum accompanies the SI. [9 Oct 2024] #Payments #FraudPrevention

FCA: Expectations for banks and building societies in respect of APP fraud

The FCA has published template 'Dear CEO' letters to  banks and building societies and payment and e-money institutions, setting out expectations regarding authorised push payment (APP) fraud reimbursement, following the implementation of the Payment Systems Regulator's (PSR's) mandatory reimbursement rules, which came into effect on 7 October 2024.

The FCA's expectations include the following:

• Payment Service Providers (PSPs) should be working to reduce APP fraud by improving their anti-fraud systems and controls, including at onboarding and through ongoing transaction monitoring, which will firstly help to prevent customers from falling victim to APP fraud, and secondly help to identify fraudsters and prevent them from receiving payments.
• PSPs should recognise and manage their potential liability and the impact this may have on their capital and liquidity. The FCA also expects PSPs to review and adjust their business models and transactions to mitigate against any risk of prudential impact that may result from potential APP fraud reimbursement liabilities.
• Under the Consumer Duty, firms must avoid causing foreseeable harm. If a firm identifies that it has caused customers harm, either through its action or inaction, the firm must act in good faith by taking appropriate action to rectify the situation (including considering whether remedial action, such as redress, is appropriate).
• PSPs are reminded that they are required, by the Payment Services Regulations 2017 (PSRs 2017), to provide information about the availability of alternative dispute resolution procedures for payment service users and how to access them as part of their pre-contractual information. This includes the availability of the Financial Ombudsman Service.
• Firms' approaches to internal book transfers (also known as ‘on us’ or intra-firm payments) for APP fraud are expected to meet their obligations under the Consumer Duty. If a lower level of protection is provided for 'on us' APP fraud reimbursement, when compared to payments through the Faster Payments System (FPS) and CHAPS, those firms are asked to contact the FCA to explain the steps taken to meet the Consumer Duty obligations.

The FCA and the PSR will work together to monitor firms’ compliance with the PSR’s reimbursement regime. [8 Oct 2024] #Payments #APPFraud

PSR announces start of mandatory reimbursement for APP scam victims

The Payment Systems Regulator (PSR) has announced the start of its new protections for victims of APP scams. Payment firms are now required to follow the new reimbursement arrangements, which provide greater consumer protections, including:

• everyone making a payment via Faster Payments or CHAPS from one UK bank account to another will be covered;
• the vast majority of consumers can expect reimbursement within five business days of making their claim, with the new rules seeing over 99% of claims by volume covered;
• the standard reimbursement level will be £85,000, but banks and payment firms can still reimburse above that amount. Firms may also choose to apply an optional excess of up to £100, though this cannot be applied to vulnerable consumers;
• anyone who suffers a loss exceeding £85,000 can still raise their case with their payment provider and if they remain unsatisfied, they can take their case to the Financial Ombudsman Service (FOS). The FOS will look at each case on its individual merits; and
• the protections will apply to payments made on or after 7 October 2024. [7 Oct 2024] #Payments #APPFraud

---

Europe

ESMA Q&As – MiCAR

The European Securities and Markets Authority (ESMA) has published a Q&A on the status of entities providing cryptoasset services as part of the grandfathering regime. ESMA confirms that cryptoasset service providers that provided their services in accordance with applicable law before 30 December 2024 can continue to do so until the end of the applicable transition period (and not later than 1 July 2026), or until they are granted an authorisation, in accordance with the Markets in Cryptoassets Regulation (MiCAR).  [11 Oct 2024] #Crypto #MiCAR

EBA Q&As – PSD2, EMD2

The European Banking Authority (EBA) has published the following Q&As:

• The definition of payment services and, in particular, the definition of execution of payment transaction in relation to netting centres – the EBA advises that, in line with EBA Q&As 2020_5216 and 2020_5099, the receipt and forwarding of funds qualifies as a payment service according to Article 4(3) of the Payment Services Directive (PSD2) in conjunction with Annex I PSD2, unless an exclusion according to Article 3 PSD2 is applicable.
• Exclusion of cash withdrawal services from PSD2 – the EBA advises that automated teller machine (ATM) operators which do not provide payment services other than cash withdrawals and are not a party to the framework contract with the customer withdrawing cash are exempted from the scope of PSD2 if they are also acting on behalf of issuers.
• Application of Electronic Money Directive (EMD2) to vouchers and gift cards issued by an electronic money institution (EMI) – the EBA advises that if the funds are received by the issuer at the moment of the purchase of the gift card, the issuer must issue e-money in the corresponding amount at that moment, as well as respect the own funds and safeguarding requirements applicable according to Articles 5 and 7 of EMD2.
• Difference between payment account, e-money account and bank account (account held at the credit institution) in terms of allowed transactions – the EBA confirms that, although only an EMI or a credit institution may issue e-money, any type of payment service provider (PSP) (including a payment institution, an EMI or a credit institution) may service an account containing e-money or containing scriptural funds.  [11 Oct 2024] #Payments #EMoney #ATMs

EBA: Guidelines on redemption plans under MiCAR

The European Banking Authority (EBA) has published its final guidelines on the orderly redemption of token holders in case of crisis of the issuer. The guidelines, which are addressed to competent authorities designated under MiCAR, cover issuers of asset-referenced tokens (ARTs) and of e-money tokens (EMTs).

The guidelines specify the content of the redemption plan to be developed by issuers of ARTs and EMTs in going concern, including the liquidation strategies of the reserve of assets, the mapping of critical activities, the content of the redemption claims, the main steps of the redemption process and the elements that may lead to the trigger of the plan by the competent authority.

The final guidelines will apply from two months after the date of their publication in all official EU languages on the EBA’s website. [10 Oct 2024] #Crypto #ART #EMT #MiCAR

EPC publishes first VOP scheme rulebook

The European Payments Council (EPC) has issued the first version of its verification of payee (VOP) scheme rulebook, which is designed to support payment service providers (PSPs) across the Single Euro Payments Area (SEPA) in meeting the new regulatory requirements outlined in the Instant Payments Regulation (IPR) amending the SEPA Regulation.

The current rulebook is limited to verifications of a payee related to a SEPA credit transfer or a SEPA instant credit transfer. Future versions of the VOP scheme rulebook could cover other payment instruments as well, depending on market needs or interest.

Additionally, the first version of the EPC recommendations for the matching processes under the VOP scheme rulebook has also been published, which provides guidance to a responding PSP on how to manage matching processes and determine the outcome of the matching process under the VOP scheme rulebook.

The VOP application programming interface (API) specifications and the updated API security framework are expected to be released before the end of October 2024. [10 Oct 2024] #Payments #Verification

ESAs: 2025 Work Programme

The Joint Committee of the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) has published its 2025 Work Programme, placing particular emphasis on ongoing collaboration to tackle cross-sectoral risks, promoting sustainability in the EU financial system and strengthening financial entities’ digital resilience.

In addition to fostering regulatory consistency, adequate risk assessment, financial stability, and the protection of consumers and investors, the ESAs will undertake joint work in 2025 to:

• make progress on financial entities’ digital operational resilience by, among others, launching the oversight of critical information and communication technology (ICT) third-party providers and implementing the major ICT-related incident coordination framework in accordance with the Digital Operational Resilience Act (DORA); and
• promote coordination and cooperation among national innovation facilitators with a view to facilitating the scaling up of innovative solutions in the financial sector. [7 Oct 2024] #OpRES #DORA #Sandbox

ECB speech: Towards a digital capital markets union

The European Central Bank (ECB) has published the keynote by Piero Cipollone, Member of the ECB's Executive Board, at the Bundesbank Symposium on the future of payments. Mr Cipollone discussed the creation of a capital markets union for digital assets with a focus on distributed ledger technology (DLT) and tokenisation.

Mr Cipollone noted that while the potential benefits of advancements in tokenisation and DLT are significant, risks to the financial market structure must also be considered. In this regard, Mr Cipollone outlined three primary risks: uncoordinated proliferation of DLT platforms which could result in a fragmented landscape, the probability of central bank money losing its status as the safest and most liquid settlement asset and lack of assessment by public authorities of the inherent risks and vulnerabilities stemming from DLT-based tokenisation. Mr Cipollone further discussed a European vision for the future of digital capital markets and emphasised the need to adapt to new technologies to ensure that central bank money remains a cornerstone of stability. [7 Oct 2024] #DLT #Crypto #Tokenisation #Payments

---

Australia

ASIC issues 2024 licensing report on licensing and professional registration activities

The Australian Securities and Investments Commission (ASIC) has issued the 2024 licensing report (REP 797) to assist current and prospective Australian financial services (AFS). ASIC's annual licensing report is intended to increase transparency and provide guidance to licensees, professional auditor registrants, service providers and prospective aplicants on licensing and professional registration processes and the role played by ASIC. Further, it is intended to provide a measure of ASIC's performance against its service charter.

The 2024 licensing report also covers discussions relating to current and emerging licensing issues including: digital (crypto) assets; Buy Now Pay Later (BNPL) services; and payment systems. ASIC Commissioner Alan Kirkland shared that ASIC intends to improve licensing process and system, and that this will include the development of a new digital portal for AFS licensees and applicants who will be able to apply, maintain and vary their licences through the platform. [11 Oct 2024] #Crypto

---

Hong Kong

HKMA issues circular on enhancement measures for online payment card transactions for implementation by 31 December 2024

The HKMA has issued a circular to provide further guidance to authorised institutions (AIs) to implement enhanced anti-fraud/scam measures to strengthen the security of online payment card transactions.  This follows the announcement of this initiative in August 2024 alongside the launch of Suspicious Account Alerts for internet banking and physical branch transactions (see our previous update). 

Retail banks introduced an anti-malware measure in February 2024 in view of intelligence shared by law enforcement agencies, the HKMA and overseas regulators.  This measure entails restricting customers’ access to their mobile banking applications (apps) if suspicious apps are detected on their devices.  Since then, no new cases have been reported by AIs regarding malware manipulating mobile banking apps. 

However, the HKMA has recently observed new malware scam cases, where fraudsters tricked customers into installing a malicious mobile app and disclosing their credit card details and SMS one-time passwords (OTPs).

Consequently, the following enhanced measures should be implemented as soon as practicable and no later than 31 December 2024 (AIs with genuine difficulties in meeting the requirements and/or timeline are welcome to discuss alternative proposals with the HKMA): 

• Card-issuing AIs should ask customers with mobile banking apps to authenticate online payment card transactions via a bound device by default, instead of using SMS OTPs, provided that the arrangement is compatible with the relevant authentication protocol.  Any change to such default authentication method should be regarded as a high-risk transaction and SMS OTPs should not be used to authenticate the change.
• If customers with mobile banking apps encounter difficulties in authenticating payment card transactions using a bound device, AIs should take appropriate follow-up actions, such as providing suitable arrangements for vulnerable customers and dormant users of the apps.
• While customers without mobile banking apps may continue to use SMS OTPs for authentication of online payment card transactions, they should be incentivised to use mobile banking apps as appropriate and with proper education and awareness initiatives.
• AIs should tighten their fraud monitoring for online payment card transactions authenticated via SMS OTPs.
• AIs should regularly review and assess the effectiveness of their authentication processes and related controls, making reference to applicable Supervisory Policy Manual modules, guidelines and circulars (including this circular).  [10 Oct 2024] #Payments

SFST confirms that policy statement for responsible use of AI will be announced at Hong Kong FinTech Week 2024

The Secretary for Financial Services and the Treasury (SFST), Mr Christopher Hui, has confirmed that a policy statement for the responsible use of artificial intelligence (AI) in the financial services sector will be announced during the Hong Kong FinTech Week 2024.

The ninth edition of the Hong Kong FinTech Week is themed 'Illuminating New Pathways in Fintech', and will take place from 28 October to 1 November 2024.  It is organised by the Financial Services and the Treasury Bureau and Invest Hong Kong, in collaboration with the HKMA, the SFC, and the Insurance Authority.

The main conference (taking place on 28 and 29 October 2024) will feature eight themed forums on the latest technologies and cross-industry connections:

• Global Forum;
• AI & Advanced Tech Forum;
• Blockchain & Digital Assets Forum;
• Payments & Other FinTech Forum;
• InsurTech Forum;
• Green FinTech & Impact Forum;
• WealthTech & InvestTech Forum; and
• Hong Kong Connect Forum.  [8 Oct 2024]  #AI #Payments #InsurTech # GreenTech #DLT #Crypto

---

Singapore

MAS consults on regulatory approach to Digital Token Service Providers

MAS has published a consultation setting out the proposed regulatory approach, regulations, notices and guidelines for Digital Token Service Providers regulated under Part 9 of the Financial Services and Markets Act 2022. The consultation topics include: licensing processes and fees; minimum financial requirements; governance arrangements, including the duties of CEOs; requirements in respect of any existing customers onboarded before a license has been obtained; third parties; correspondent account services; bearer negotiable instruments and cash payouts; value transfer requirements; reporting requirements; technology risk management and cyber hygiene; and conduct requirements.

Feedback to the consultation is requested by 4 November 2024. #Crypto

---

Thailand

SECT consults on investment in digital assets by MFs and private funds

Following on from the approval for crypto exchange traded fund (ETF) establishment and trading on US stock exchanges, the Securities and Exchange Commission Thailand (SECT) has published a consultation on the principles and draft amendments to the regulations concerning investment in digital assets by mutual funds (MFs) and private funds. The proposed amendments include:

• adding investment tokens as an eligible asset for investment;
• allowing MFs and private funds to invest in cryptoassets under a risk level appropriate for the types of investors;
• the revision of relevant regulations to accommodate the establishment and management of MFs and private funds investing in digital assets, for example: asset custody; calculation of digital asset value; disclosure of information; appropriate advertising; and adjustment of suitability test.

Feedback to the consultation is requested by 8 November 2024. [9 Oct 2024] #Crypto

---

India

RBI: Facilitating accessibility to digital payment systems for persons with disabilities

The Reserve Bank of India (RBI) has published a circular to all payment system participants (PSPs) regarding facilitating accessibility to digital payment systems for persons with disabilities. To promote effective access, PSPs are advised to review their payment systems / devices in terms of accessibility and then to carry out the necessary modifications, such that all their payment systems and devices, such as point-of-sale machines, can be accessed and used by persons with disabilities with ease.

The RBI notes that the Accessibility Standards issued by the Ministry of Finance may also be adhered to, as applicable, by all PSPs. While selecting potential solutions for the purpose, PSPs are reminded that care should be taken to ensure that the modifications / enhancements do not compromise security aspects of their systems. 

PSPs are required to submit to the RBI, within one month of the date of issue of the circular, details of their systems / devices that need to be modified, along with a timeline for undertaking those actions. [11 Oct 2024] #Payments

RBI: Statement on developmental and regulatory policies

The RBI has published a statement on developmental and regulatory policies relating to payment systems. The statement covers:

• the enhancement of limits for certain unified payment interface (UPI) products; and
• the introduction of a beneficiary account name look-up facility within various payment systems, in order to reduce the incidences of fraud and incorrect payments, and to improve consumer confidence. [9 Oct 2024] #Payments #UPI

---

US

SEC Chair Gensler video: Fraud and deception in AI

The SEC has released the latest video of office hours with Chair Gary Gensler which focuses on fraud and deception in artifical intelligence (AI). A transcript is also available.  [10 Oct 2024] #AI

SEC: Settled charges regarding AI statements

The SEC has announced that, without admitting or denying the SEC's charges, several entities have agreed to settle charges and pay $310,000 in civil money penalties in relation to statements made, including about the use of AI to perform automated trading for client accounts.  [10 Oct 2024] #AI

OCC solicits research on AI in banking and finance

The Office of the Comptroller of the Currency (OCC) is soliciting academic research papers on the use of AI in banking and finance for submission by December 15, 2024.

Authors of selected papers will be invited to present to OCC staff and invited academic and government researchers at OCC Headquarters in Washington, D.C., on June 6, 2025. Authors of will be notified by April 1, 2025, and will have the option of presenting their papers virtually.  [7 Oct 2024] #AI