FinTech Global FS Regulatory Round-up - w/e 15 November 2024

ICYMI

• Cross Examining Cyber EP12: Cross Examining Privacy Commissioner Carly Kind – Part 1

• Cyber Monthly Wrap-up (UK, EMEA and the US) – October 2024

---

Global

FSB assesses the financial stability implications of AI

The Financial Stability Board (FSB) has published a report outlining recent developments in the adoption AI in finance and their potential implications for financial stability. Highlights of the report include:

• that the rapid adoption of AI offers several benefits but may also amplify certain financial sector vulnerabilities, such as third-party dependencies, market correlations, cyber risk and model risk, potentially increasing systemic risk;
• while existing financial policy frameworks address many of the vulnerabilities associated with use of AI by financial institutions (FIs), more work may be needed to ensure that these frameworks are sufficiently comprehensive; and
• a call for financial authorities to enhance monitoring of AI developments, assess whether financial policy frameworks are adequate, and enhance their regulatory and supervisory capabilities including by using AI-powered tools. [14 Nov 2024] #AI

IMF: Policy paper on CBDC progress and further considerations

The International Monetary Fund (IMF) has published a policy paper on the progress of central bank digital currency (CBDC). The paper briefs the IMF Executive Board on further considerations regarding CBDC and covers: the positioning of CBDC in the payments landscape; cyber resilience; CBDC adoption; data use and privacy protection; implications for monetary policy operations; and cross-border payments with retail CBDC.[11 Nov 2024] #CBDC #Crypto

---

UK

Chancellor sets out plans for financial services in first Mansion House speech

Chancellor Rachel Reeves has delivered her first Mansion House speech. She opened her remarks by reiterating that 'economic growth' is the 'national mission'. Ms Reeves reviewed the plans set out in the Budget that are intended to tackle longstanding issues in the supply-side of the economy before moving on to speak about financial services, which she described as 'the crown jewel' of the UK economy.

Ms Reeves observed that the UK's approach to regulation is a critical part of the economic reform needed to unlock the potential of the British economy – 'the key test for regulation is whether it will make our economy more dynamic and more competitive'.  To this end, in Spring, the government will publish a Financial Services Growth and Competitiveness Strategy, which is intended to give the financial services sector the confidence to invest. There are five priority growth opportunities on which the strategy will focus: fintech; sustainable finance; asset management and wholesale services; insurance and reinsurance; and capital markets.

The Chancellor observed that some regulatory changes made in response to the Global Financial Crisis have led to a system which this has gone too far towards eliminating risk taking. Changes have also led to unintended consequences. For example, some elements of the Senior Managers and Certification Regime (SMCR) have become overly costly and administratively burdensome; the Treasury, FCA and PRA will shortly publish the outcomes of the SMCR review, and there will be a consultation on removing the current Certification Regime from legislation. 

Other recent and forthcoming developments set out in the speech include (but are not limited to):

• The PRA will consult on reducing the length of pay deferrals, reflecting that post-crisis pay structures have made the UK an international outlier on deferral arrangements.
• The FCA will consult on transformational changes to financial advice and guidance.
• Looking to create a surer climate for investment, the FCA and the Financial Ombudsman Service (FOS) have prepared a joint Call for Input on the rules governing how the FOS operates.
• Because reforming capital markets is a priority, the government will legislate to establish PISCES, an innovative new stock market, by May 2025.
• To support innovation, a pilot to deliver a Digital Gilt Instrument (DIGIT) using distributed ledger technology (DLT) will be launched.
• As insurance markets are pivotal in supporting growth, a consultation on captive insurance has been launched.
• The National Payments Vision includes decisive action to progress Open Banking and support fintech businesses.
• On pensions, the Chancellor confirmed plans to create 'Canadian and Australian style-"megafunds" to power growth'. The interim report of the Pensions Investment Review has been published, and the government will legislate for changes in the Pension Scheme Bill in 2025.

A number of documents relating to announcements in the speech have also been published.  [15 Nov 2024] #Payments #PISCES #DLT #DIGIT

Mansion House: Call for evidence on the Financial Services Growth and Competitiveness Strategy

The government has published a call for evidence to inform the development of its financial services sector plan, referred to as the Financial Services Growth and Competitiveness Strategy which is to be published in Spring 2025. Once developed, the strategy will serve as the central guiding framework through which the government will deliver sustainable, inclusive growth for the financial services sector and secure the UK’s competitiveness as an international financial centre.

Feedback is requested by 12 December 2024. [15 Nov 2024] #Innovation

Mansion House: National Payments Vision

The government has published the National Payments Vision setting out its ambition for the sector to deliver world-leading payments. The Vision responds to the findings of the independent Future of Payments Review 2023 and takes action to address key issues across the landscape. Reflecting the Review, the focus is on retail payments, but the government acknowledges the importance of work to enhance wholesale payments.

The first section of the paper outlines this overarching Vision and the framework for delivery. This applies to the entirety of the payments landscape, setting out the strategic expectations and priorities that the future landscape must deliver, regardless of which method of payment is being used and irrespective of whether the payment is domestic or cross-border, retail or wholesale.

The second section sets out actions the government is taking in the short term, in order to strengthen the foundations needed to deliver the Vision.

The third section outlines early actions to deliver on the three pillars of the government’s vision: to drive innovation; facilitate competition; and ensure security.

Section four outlines the next steps to deliver a Payments Forward Plan and implement the Vision. This includes a mechanism to support close collaboration.

To facilitate delivery, the government is establishing a new Payments Vision Delivery Committee which will be a senior cross-authority group, chaired by HM Treasury.

The FCA has welcomed the Vision in a statement; the Payment Systems Regulator (PSR) has published its joint statement with the FCA and the BoE which also welcomes it. [15 Nov 2024] #Payments #OpenBanking

Mansion House: Letters to the FCA and PSR

The government has published the letter from the Chancellor to the CEO of the FCA and the Managing Director of the PSR providing recommendations on payments regulation.  This letter also outlines the key role the FCA and PSR play in supporting the growth mission and achieving the ambitions set out in the National Payments Vision.

Articulated in Section B of the letter are government priorities which the FCA and PSR should have regard to, these include:

• enhancing coordination to address congestion in the regulatory landscape, including through the FCA’s commitment to lead work on enhancing the management of overlaps between the FCA and PSR’s exercise of their functions, including on fraud and Open Banking policy;
• supporting the development of Open Banking;
• ensuring high standards of consumer protection and that people and businesses can make payments efficiently and safely – in this respect, the government welcomes upcoming work from the regulators to examine data sharing initiatives that help to prevent fraud across the financial services sector and the PSR’s commitment to commission an independent review of the new authorised push payment (APP) fraud reimbursement rules after 12 months of implementation; and
• driving an agile approach to delivering the UK’s retail payments infrastructure needs, including through work of the Payments Vision Delivery Committee to examine and refresh the requirements for the UK’s retail infrastructure and the governance and funding arrangements required to deliver this. [15 Nov 2024] #Payments #OpenBanking

Mansion House: PSR MD reflects on the National Payments Vision

The PSR has published the reflections of its MD David Geale on the National Payments Vision. Noting that there was much to welcome, Mr Geale wanted to highlight a few particular areas, including:

• On infrastructure – these systems must be upgraded as soon as possible and the PSR will work with the BoE to clarify and refresh the requirements for the UK’s retail infrastructure. In light of the Vision’s direction on payments infrastructure, the PSR will consult on changing our obligations on Pay.UK in relation to the New Payments Architecture.
• On open banking – the PSR will deliver its current work on phase one of variable recurring payments and will shortly publish proposed next steps.
• On consumer protection– the PSR confirms that the 12-month implementation review the 'world leading APP reimbursement rules' will be independently led.

Additionally, the PSR will publish a mid-Strategy review shortly. This will recognise the outcomes already delivered, and set out the intention to increase focus on innovation and economic growth. [15 Nov 2024] #Payments 

Mansion House: Remit and recommendations for the FPC

The government has published the letter from the Chancellor to the Governor of the Bank of England (BoE) providing recommendations for the Financial Policy Committee (FPC).  Section B of the letter sets out matters which the FPC should have regard to as relevant to the BoE's financial stability objective; these include climate change and nature, risks arising from the non-bank financial sector, geopolitical risks, and non-financial risks such as cyber, operational and new technology risks. [15 Nov 2024] #Cyber #Tech

Mansion House: PISCES consultation outcome and draft legislation for comment

The government has published the outcome of the consultation on the Private Intermittent Securities and Capital Exchange System (PISCES), a new type of stock market for private company shares. The outcome document sets out how the government intends to design the regulatory framework for PISCES. The draft legislation to establish PISCES and a policy note on draft legislation have also been published. The legislation will establish the PISCES sandbox and, alongside FCA rules, will set the regulatory requirements for PISCES.

Feedback on the draft legislation is requested by 9 January 2025. [15 Nov 2024] #PISCES

PSR: Summary of breakfast session on promoting innovation in payment systems

The PSR has published a summary of its breakfast session, hosted in October 2024, on the theme of 'promoting innovation in payment systems'. Key takeaways from the discussion included:

• the importance of upgrading the existing payments central infrastructure to facilitate innovation;
• the market needs to move at pace in respect of open banking payments – use cases will drive adoption, as well as clear user experience benefits, regulatory clarity and a commercial model which rewards innovation and supports investment;
• the importance of innovation meeting specific end user needs and delivering clear benefits;
• the role of data sharing and digital identity as key enablers of future innovation and in addressing fraud;
• the opportunities from new payment approaches – including tokenisation, stablecoins, programmable money and the digital pound;
• regulatory speed and agility, as well as clarity on regulatory vision, will help firms to engage with, and understand, regulatory priorities;
• closer collaboration amongst regulators could reduce duplicative work for industry and support a shared approach;
• the importance cost and the need for innovative solutions to reduce cost; and
• the collective effort of businesses, regulators, and industry partners is critical in fostering a more competitive and innovative payments ecosystem. [13 Nov 2024] #Payments #Tokenisation #CBDC #DigitalPound #OpenBanking

FCA, PRA and BoE set out final requirements in relation to oversight regime for CTPs

The FCA, PRA and Bank of England (BoE) have published PS24/16: Operational resilience - Critical third parties to the UK financial sector. PS24/16 sets out new requirements which allow the regulators to monitor and manage the systemic risks posed by certain critical third parties (CTPs) to the UK financial services sector. CTPs are those third parties providing services to the UK financial services sector which have been designated as such by HM Treasury (HMT). The PS is relevant to CTPs (that is, entities which may be designated as CTPs by HMT), to every 'Person Connected with a CTP' (including but not limited to undertakings in a CTP’s group) and to regulated firms. In the case of firms, the CTP regime does not impose additional requirements, but is positioned by the regulators as complementing existing requirements relating to operational resilience and third party risk management.

The regulators’ final policy and arrangements are set out in the following:

• BoE Financial Markets Instrument (FMI) Rulebook: CTP Instrument 2024;
• BoE FMI Rulebook: CTP Emergency Provisions Instrument 2024;
• PRA Rulebook: CTP Instrument 2024;
• FCA Handbook: Critical third parties Instrument 2024;
• The regulators’ joint final Supervisory Statement 6/24– Operational resilience: Critical third parties to the UK financial sector(SS6/24);
• The BoE/PRA’s final SS 7/24 – Reports by skilled persons: Critical third parties;
• The regulators’ approach to the oversight of CTPs;
• The BoE's Approach to enforcement: proposed changes to statements of policy and procedure following the Financial Services and Markets Act 2023(Enforcement SoPP); and
• FCA Handbook: Critical Third Parties Statement of Policy relating to Disciplinary Measures Instrument 2024.

PS24/16 also contains the regulators' feedback to responses the received to Consultation Paper 26/23 – Operational resilience: Critical third parties to the UK financial sector (CP26/23).

The final rules for CTPs will take effect from 1 January 2025, although the BoE's Enforcement SoPP comes into effect from date of publication, i.e. 12 November 2024.  The rules will only apply to a CTP on the date which the designation order made by HMT comes into force; additionally compliance with some requirements will be subject to transitional provisions. [12 Nov 2024] #Outsourcing #OpRes

HMT signs MoU with FCA, PRA and BoE on CTP regime

HM Treasury (HMT) has announced that it has signed a Memorandum of Understanding (MoU) with the FCA, PRA and BoE. The MoU provides for the establishment of a joint CTP Consultation and Coordination Forum (CCF), through which the regulators will co-ordinate the exercise of their CTP functions.

The MoU will be reviewed annually. [12 Nov 2024] #Outsourcing #OpRes

Draft SI: The Financial Services and Markets Act 2000 (Designated Activities) (Supervision and Enforcement) Regulations 2024

The draft Financial Services and Markets Act 2000 (Designated Activities) (Supervision and Enforcement) Regulations 2024 have been published. This draft statutory instrument (SI) extends the FCA's supervision and enforcement powers under the Financial Services and Markets Act 2000 (FSMA 2000) to enable the FCA to supervise and enforce rules that it makes under ‘designated activity regime’ (DAR).

A draft explanatory memorandum accompanies the draft SI. [11 Nov 2024] #DAR

---

Europe

EIOPA: Opinion on the scope of DORA in light of the review of the Solvency II framework

The European Insurance and Occupational Pensions Authority (EIOPA) has published an Opinion on the impact of the increased size thresholds regarding exclusion from scope of Solvency II as part of the Solvency II Review on insurance undertakings in the scope of the Digital Operational Resilience Act (DORA). EIOPA calls on the European Commission (EC) to take the necessary actions to avoid disproportionate compliance efforts from small insurance undertakings in the transition period prior to the application of the revised Solvency II Directive.

The Opinion also outlines EIOPA's expectation that national competent authorities (NCAs) should not prioritise DORA supervisory actions for these small insurance undertakings. [15 Nov 2024] #DORA #OpRes 

ESAs: Information collection for designation of CTPPs under DORA

The ESAs (EBA, EIOPA and ESMA – the ESAs) have published a Decision on the information that competent authorities must report to them for the designation of critical ICT third-party service providers (CTPPs) under DORA. The Decision requires competent authorities to report by 30 April 2025 the registers of information on contractual arrangements of the financial entities with ICT third-party service providers.

Following the entry into force of DORA on 17 January 2025, the ESAs and competent authorities, will start the oversight of CTPPs offering services to financial entities in the EU. The first oversight activity is the designation of CTPPs. The Decision provides a general framework for the annual reporting of information necessary for designation, including: timelines; frequency and reference dates; general procedures for the submission of information; quality assurance and revisions of submitted data; and confidentiality and access to information. [15 Nov 2024] #DORA #CTPPs #Outsourcing #OpRes

---

Australia

AUSTRAC and Pacific Financial Intelligence units meet regarding financial crime in the region

The Australian Transaction Reports and Analysis Centre (AUSTRAC) has hosted a conference for thirteen Pacific financial intelligence units. The focus of this three-day event was combating serious financial crime issues in the region, such as: the illicit use of cryptocurrency; new payment platforms; gambling in the region; and money laundering. [12 Nov 2024] #Crypto

---

Hong Kong

SFC issues circular on use of generative AI language models, taking immediate effect

The SFC has issued a circular setting out its expectations for licensed corporations (LCs) offering services or functionality provided by generative artificial intelligence language models (AI LMs) or AI LM-based third party products in relation to their regulated activities.  The circular takes immediate effect, although the SFC will take a pragmatic approach in assessing compliance with the circular for LCs requiring more time to update their policies and procedures.

The circular identifies four Core Principles that LCs may implement in a risk-based manner.  The Appendix to the circular lists non-exhaustive risk factors tied to each Core Principle.

Core Principle 1: Senior management responsibilities

• An LC’s senior management should ensure that effective policies, procedures and internal controls are implemented and that adequate senior management oversight and governance by suitably qualified and experienced individuals are in place. 

Core Principle 2: AI model risk management

• LCs should have an effective AI model risk management framework in place. 
• The SFC considers using an AI LM for providing investment recommendations, investment advice or investment research to investors or clients as high-risk use cases.  LCs should adopt extra risk mitigation measures for high-risk use cases.

Core Principle 3: Cybersecurity and data risk management

• LCs should have effective policies, procedures and internal controls in place to manage cybersecurity risks, including measures to promptly identify cybersecurity intrusions and, where appropriate, suspend the use of an AI LM.

Core Principle 4: Third Party Provider risk management

• LCs should exercise due skill, care and diligence in the selection of a third party provider and assess their level of dependence on the services by the third party providers.

The SFC reminds LCs intending to adopt AI LMs in high-risk use cases to comply with the notification requirements under the Securities and Futures (Licensing and Registration) (Information) Rules (Information Rules), and encourages LCs to discuss their plans with the SFC as early as possible, preferably at the business planning and development stage, to avoid potential adverse regulatory implications.  [12 Nov 2024] #AI #Cyber #Data #Outsourcing

HKMA, Cyberport and banking sector host SME Digital Technology Solution Day to promote SMEs' digital transformation

The HKMA, Hong Kong Cyberport Management Company Limited (Cyberport), the Hong Kong Association of Banks and the Chinese Banking Association of Hong Kong successfully co-organised the SME Digital Technology Solution Day to discuss how the banking sector can support small and medium-sized enterprises' (SME) digital transformation through big data and technology.

Over 100 participants from SMEs in the food and beverage and retail sectors, bank representatives, and technology solution providers attended the event.

In October, the HKMA introduced five new measures together with the banking sector to further support the continuous development of SMEs (see our previous update).  To actively support the Digital Transformation Support Pilot Programme operated by Cyberport and other SME funding schemes, seven banks have committed to offering fast-approval loan products for SMEs that have applied for these schemes.  Such loans can be approved within five working days to meet the upfront financing needs of SMEs for adjusting their business operations and developing new businesses and markets. 

Bank representatives at the event also shared case studies of assisting SME clients to use technology and digitalise their operations, such as digital payment solutions and shopfront sales, online promotion as well as customer management and loyalty solutions, for business development and enhanced efficiency.  [11 Nov 2024] #BigData #Payments

 

---

Singapore

MAS: Written response to PQ on regulation of finfluencers

The Monetary Authority of Singapore (MAS) has published the response to a Parliamentary Question (PQ) on complaints data regarding 'finfluencers' and whether MAS will review the Financial Advisers Act 2001 (FAA) to regulate the finfluencer sector. The response highlights that:

• financial institutions (FIs) employing finfluencers are expected to ensure that the information they present is in a clear and balanced format;
• if finfluencers provide financial advice, they must be licensed and regulated under the FAA;
• there are MAS-issued guidelines which clarify that any individual who is remunerated for making a recommendation or expressing an opinion on the buying, selling, or holding of investment products will be considered as providing financial advice and, even if not remunerated, they will be considered to have provided financial advice if they make such recommendations or expressions regularly;
• over the past five years, MAS received an average of less than five complaints per year against finfluencers; and
• MAS and the Commercial Affairs Department (CAD) will take enforcement action against individuals providing financial advice without a licence. [13 Nov 2024] #SocialMedia #FinFluencers

MAS: Written response to PQ on digital banking and fraud liability protection for minors

MAS has published the response to a PQ on digital banking and fraud liability protection for minors. The response explains that all bank accounts, including accounts of customers below 16 years old, are subject to security measures, such as real-time notification alerts, and a 'kill switch' which can be activated by either the parent or the child to block online payment transactions. Further, banks are expected to follow up promptly when they receive a report of a fraudulent transactions. MAS' new Shared Responsibility Framework (SRF) applies to accounts operated by minors as it does to account operated by adults. [12 Nov 2024] #DigitalBanking

MAS: Oral response to PQ on SRF

MAS has published the response to a PQ on possible refinement to the Shared Responsibility Framework (SRF). The response comments on the operation of the 12-hour cooling-off period, the real-time fraud surveillance duty and operationalising the SRF.  [12 Nov 2024]  #SRF #Fraud 

 

---

Thailand

SECT consultation - digital assets business

The Securities and Exchange Commission Thailand (SECT) has published a consultation on proposed amendments to the regulations regarding the qualifications and prohibited characteristics of applicants for digital asset business licenses and related persons. The amendments aim to align digital asset business regulations with securities regulations, and to protect investors from negative impacts in cases where digital asset business operators provide services beyond the scope of their licenses.

Feedback is requested by 27 November 2024. [13 Nov 2024] #Crypto

BoT participation in Singapore Fintech Festival 2024

The Bank of Thailand (BoT) has published a summary of Governor Dr. Sethaput Suthiwartnarueput's participation in the Singapore FinTech Festival. Discussing Thailand's digital finance journey, the Governor shared experiences on the development of Thailand’s payment infrastructure, such as the PromptPay system and QR code standards. This was accompanied by an announcement that the BoT is preparing to develop infrastructure that will enable use of a digital footprint to support more efficient and inclusive access to financial services (the 'Your Data' project).

Alongside this, the BoT has summarised the participation of Ms. Daranee Saeju, Assistant Governor for Payment Systems Policy and Financial Consumer Protection, in panels on the future of cross-border payments, and advancing inclusive policy frameworks. [13 and 12 Nov 2024] #Payments #Data #QR

---

India

SEBI consults on use of AI tools by regulated entities

The Securities and Exchange Board of India (SEBI) has published a consultation on proposed amendments to various regulations with  respect to assigning responsibility for the use of artificial intelligence (AI) tools by Market Infrastructure Institutions (MFIs), Registered Intermediaries (RIs)  and other persons regulated by SEBI.

Feedback is requested by 28 November 2024. [13 Nov 2024] #AI

SEBI extends timeline for consultation on recognition as SDP

SEBI has extended the timeline for feedback on its consultation on recognition as Specified Digital Platform (SDP) from 12 November 2024 to 26 November 2024. [12 Nov 2024] #Platforms #SDP

---

US

CFPB report details carveouts for financial institutions in state data privacy laws

The Consumer Financial Protection Bureau (CFPB) has released a report examining federal and state-level privacy protections for consumers’ financial data.  The report describes how states have been active recently in passing consumer data privacy laws, including 18 states that passed new laws between January 2018 and July 2024 that give consumers greater control over and access to their data and take steps to reduce the collection of unneeded data. 

In addition to the report, the CFPB is taking further steps to address emerging data privacy challenges. This includes reviewing how big tech companies adhere to consumer financial protection laws, issuing a final rule to give consumers more control over their personal financial data rights, and developing new rulemaking regarding the application of the Fair Credit Reporting Act's (FCRA’s) privacy protections to data brokers.

The current federal framework for financial data privacy protections consists primarily of the Gramm-Leach-Bliley Act (GLBA) and the FCRA, along with both laws’ implementing regulations. The GLBA’s current regulatory framework is built around disclosures and opt-out requirements that may not fully address the challenges posed by modern data surveillance. The CFPB’s report explains that while states have significant latitude to provide additional data privacy protections, many states exempt the data and financial institutions subject to GLBA or the FCRA from their own data privacy laws. This means that such data often is not covered by the new state-law protections, such as the right under state law for consumers to fix or delete incorrect or outdated information, or the requirement that people opt in—instead of having to opt out—of the collection of especially sensitive data. [12 Nov 2024] #Data