FinTech Global FS Regulatory Round-up - w/e 4 October 2024

ICYMI

• FCA consults on changes to safeguarding requirements for payments and e-money firms 
• Cyber security: A month in retrospect

---

Global

FSB – OECD Roundtable on AI in finance

The Financial Stability Board (FSB) and the Organisation for Economic Co-operation and Development (OECD) held a roundtable with experts from the public and private sectors and with academics to analyse trends and use cases of artificial intelligence (AI) in finance. Participants discussed opportunities and risks and shared emerging best practices regarding policy frameworks.

A summary of key findings has also been published which covers: AI in banking and insurance; AI in asset management and securities markets; financial stability implications of the growing use of AI in finance; and financial consumer protection, market conduct considerations and policy approaches to AI in finance. [30 Sep 2024]  #AI

---

UK

PSR: PS24/7 Confirming maximum level of reimbursement for APP scams under the FPS

The Payment Systems Regulator (PSR) has published Policy Statement 24/7 Faster Payments APP scams reimbursement requirement: Confirming the maximum level of reimbursement (PS24/7). PS24/7 confirms the recent announcement made by the PSR to reduce the maximum reimbursement level from £415,000 to £85,000 per claim, for victims of authorised push payment (APP) scams, under the Faster Payments System (FPS) from 7 October 2024. The level will be kept under review as part of the PSR's 12-month evaluation of the reimbursement policy. [03 Oct 2024]  #APPScams

BoE data lead discusses transforming data collections

The Bank of England (BoE) has published a speech by James Benford, Executive Director (ED) for Data and Analytics Transformation and Chief Data Officer (CDO), delivered at the RegTech Summit London.

The speech focused on maximising the value of data collection across the financial sector in the context of the three missions in the BoE's new data and analytics strategy: making it easy for people in the BoE to work with and analyse its data; bridging data gaps to increase the value of what the BoE collects and shares; and enabling safe and effective innovation, including artificial intelligence (AI). Mr Benford commented specifically on the second mission, noting that:

• new technologies, including the cloud and AI, are allowing the BoE to process data and quality assure it more quickly and efficiently, enabling it to work more seamlessly across different systems;
• aligning how firms manage, exchange and use data internally with the way they report to the BoE will both improve data quality and cut the costs of reporting; and
• the opportunity to streamline data collection will contribute to the BoE's secondary objective of facilitating the international competitiveness and growth of the UK economy. [03 Oct 2024]  #Data #AI

BoE: Response to DP exploring extended RTGS hours

The BoE has published a response to its February 2024 discussion paper (DP) exploring extended real-time gross settlement (RTGS) hours. The response sets out the BoE's central expectation for the path ahead, namely:

• the BoE is minded to extend RTGS and CHAPS settlement hours;
• the BoE expects to adopt a phased implementation approach, starting with opening earlier at 1.30am, no earlier than 2027; and 
• the BoE aims to achieve near 24x7 around the turn of the decade.

The BoE will publish a consultation paper with a full proposal for future RTGS and CHAPS settlement hours after analysing the full range of implications. It aims to publish a final decision on future RTGS and CHAPS settlement hours in late 2025/early 2026. [03 Oct 2024]  #Payments

BCAP consults on new rule restricting broadcast ads for qualifying cryptoassets

The Broadcast Committee of Advertising Practice (BCAP) has published a new rule that explicitly bans ads for certain types of cryptoasset products from being broadcast to mainstream, non-specialist audiences. These products were already subject to such a restriction under BCAP Code rule 14.5.4, as they were not initially regulated by FCA. Following changes to FCA supervision in October 2023, certain ‘qualifying cryptoassets’, categorised as Restricted Mass Market Investments by the FCA, can be marketed to the public subject to restrictions that recognise their risk level and require investors to undergo pre-vetting. BCAP considers that adding this category explicitly to the BCAP Code will maintain the existing restriction of such products to appropriate specialised broadcast audiences.

Cryptoassets that are not included under the ‘qualifying cryptoassets’ category will continue to be caught under rule 14.5.4, which covers unregulated investments more generally.

Alongside the new rule, BCAP has published a consultation on the amendment to its existing rule restricting ads for certain types of financial products to specialised financial channels, stations and programming.

This consultation seeks to clarify that the restriction in rule 14.5.4 applies to unregulated products that would be regarded as investments, in a conventional sense. ‘Investment activity’ defined under the Financial Services and Markets Act (FSMA) includes services unlikely to be regarded by the public as investments, and therefore the Code as currently worded unintentionally restricts ads for products that do not conform with the type of high-risk investments the rule was intended to keep away from mass audiences.

Feedback is requested by 31 October 2024. [03 Oct 2024]  #Crypto

Draft Payment Services (Amendment) Regulations 2024

The draft Payment Services (Amendment) Regulations 2024 has been published. This draft statutory instrument (SI) will allow payment service providers (PSPs) to slow down the processing of outbound payments when there are reasonable grounds to suspect fraud or dishonesty. This will support efforts to tackle authorised push payment (APP) fraud, where victims are unknowingly tricked into sending significant sums to fraudsters.

The draft SI will be laid before parliament shortly after its return from conference recess. [03 Oct 2024]   #Payments

PSR: APP fraud reimbursement protections

The Payment Systems Regulator (PSR) has published information for consumers on the new authorised push payment (APP) fraud reimbursement protections that will apply to payments made on or after 7 October 2024. The frequently asked questions (FAQs) page also contains relevant information in this regard. [02 Oct 2024]  #APPScams

BoE speech: Innovation in digital assets in the financial system

The Bank of England (BoE) has published a speech by its Executive Director of Financial Market Infrastructure, Sasha Mills, on how recent innovations in digital assets and payments pose both opportunities and risks to the BoE in meeting its monetary and financial stability objectives. Ms Mills highlighted the BoE's recent work on innovation, including the discussion paper on its approach to innovation in money and payments, the launch of the Digital Securities Sandbox (DSS) and experiments on wholesale payments.

She discussed the benefits of capitalising on new technology but warned that the potential benefits can only be realised if the technology is implemented safely, which is why the DSS will have several stages, with limits that adjust as firms meet higher standards of resilience.

With respect to wholesale payments, Ms Mills maintained that the BoE has a low-risk appetite for a significant shift away from wholesale settlement in central bank money towards private settlement assets. Accordingly, the BoE is exploring options to enhance the ability to settle tokenised wholesale transactions in central bank money. It is also considering how central bank money could interact with programmable ledgers through the use of a wholesale central bank digital currency (wCBDC). [02 Oct 2024]  #Crypto

BoE: UK market wide simulation exercise – SIMEX 24

The BoE has announced that it has undertaken its latest UK market wide simulation exercise, SIMEX 24, in partnership with UK Finance, the financial sector, HM Treasury (HMT) and the FCA. The simulation set out to exercise the UK financial sector’s ability to respond to a major infrastructure failure that would require a total shut down and restart of the sector.

SIMEX has been developed and delivered by the Cross Market Operational Resilience Group (CMORG), a strategic partnership between the financial authorities, UK Finance and industry, established by the BoE in 2015. It is the latest exercise in a continuous programme that explores the financial sector’s response to some of the most challenging scenarios, including those on the UK Government’s National Risk Register. [02 Oct 2024]  #Cyber

FCA/BoE: Joint approach to the Digital Securities Sandbox

The FCA and the Bank of England (BoE) have published a policy statement (PS) which sets out the regulators' joint approach to safely adopting new technologies in the operation of financial market infrastructure (FMI). The PS also provides feedback to responses which the regulators received to the Digital Securities Sandbox (DSS) consultation.

The DSS will facilitate the use of developing technology, such as distributed ledger technology (DLT), in the issuance, trading and settlement of securities by allowing firms to operate under a temporarily modified legal and regulatory framework. As the first FMI sandbox, the DSS is also a test-case for this new form of policymaking, where regulators can observe activity and consider whether changes to rules or legislation are required to enable it.

This PS is relevant to existing FMIs and prospective providers of FMI which are interested in applying to the DSS to operate a trading venue and/or carry out other FMI using developing technology such as DLT. The PS is published alongside other documents, including the DSS Guidance and the relevant application form. [30 Sep 2024] #Sandbox #Tokenisation

FCA: Individual pleads guilty to illegally operating crypto ATM network

The FCA has reported that an individual has pleaded guilty to five offences relating to the operation of crypto automated teller machines (ATMs). The defendant will be sentenced for running multiple crypto ATMs without FCA registration, creating and using false documents, and for possession of criminal property. He illegally operated a network of at least 11 crypto ATMs which processed more than £2.6m in crypto transactions between 29 December 2021 and 8 September 2023. This is the first UK conviction of its kind for offences relating to the operation of crypto ATMs. [30 Sep 2024]  #Crypto

---

Europe

EBA: Work Programme 2025

The European Banking Authority (EBA) has published its 2025 Work Programme. Among the key priorities and initiatives, the EBA highlighted the implementation of the EU Banking Package and starting oversight and supervision under the Digital Operational Resilience Act (DORA) and Markets in Crypto-Assets Regulation (MiCAR). The EBA will also develop consumer oriented mandates and will aim to ensure a smooth transition to the new anti-money laundering and countering the financing of terrorism (AML/CFT) framework. In addition, the EBA will focus its work on enhancing data infrastructure along with launching a data portal and enhancing risk-based and forward-looking financial stability for a sustainable economy. [02 Oct 2024]  #MiCAR #Crypto

EIOPA: ESAs appoint Director to lead their DORA joint oversight

The European Insurance and Occupational Pensions Authority (EIOPA) has announced that the European Supervisory Authorities (EIOPA, ESMA and EBA – the ESAs) have appointed Marc Andries as a Director to lead the Digital Operational Resilience Act (DORA) joint oversight activities. Mr Andries will be responsible for the oversight framework for critical ICT third-party service providers (CTPPs) at a pan-European scale.

Prior to the appointment, Mr Andries was Chief Inspector at Banque de France and Head of the IT Inspection Unit at the French Prudential Supervision and Resolution Authority (ACPR). [01 Oct 2024]  #OpRes #Cyber

EC: Delegated Regulation on RTS supplementing MiCAR – complaints handling

A Commission Delegated Regulation supplementing the Markets in Cryptoassets Regulation (MICAR), with regard to RTS specifying the requirements, templates and procedures for the handling of complaints by the cryptoasset service providers CASPs), has been added to the register of European Commission (EC) documents. [01 Oct 2024]  #MiCAR #Crypto

EIOPA: Revised Single Programming Document 2025-2027

The European Insurance and Occupational Pensions Authority (EIOPA) has published the Revised Single Programming Document which sets out the activities EIOPA will undertake in the period 2025-2027. The publication also includes the Annual Work Programme 2025.

Deliverables for 2025-2027 relate to: the Digital Operational Resilience Act (DORA); Solvency II Review; the Insurance Recovery and Resolution Directive (IRRD); the European Single Access Point (ESAP); the EU Artificial Intelligence (AI) Act; the Financial Data Access (FiDA) Regulation; and the Retail Investment Strategy (RIS),  [30 Sep 2024]  #OpenFinance #FiDA #AI

---

Hong Kong

CGFin holds fourth meeting discussing latest developments in fintech sector

The Coordination Group on Implementation of Fintech Initiatives (CGFin) has held its fourth meeting, where the government and representatives from the financial regulators, the fintech sector, academia, and research institutions exchanged views on the latest developments in the fintech sector in Hong Kong.

The participants discussed various fintech-related topics, including how virtual assets should be further integrated into the mainstream financial market, and the adoption of artificial intelligence in the financial market.  Cyberport and the HKMA reported the latest developments regarding the Green and Sustainable Fintech Proof-of-Concept Funding Support Scheme (see our previous update) and the wholesale central bank digital currency Project Ensemble (see our previous update) respectively.

The meeting also noted that the Hong Kong FinTech Week 2024, themed 'Illuminating New Pathways in Fintech', will be held from 28 October to 1 November 2024, with the main conference taking place on 28 and 29 October 2024.  

CGFin is chaired by the Secretary for Financial Services and the Treasury.  Its members include representatives from the HKMA, the SFC, the Insurance Authority, the Mandatory Provident Fund Schemes Authority, the Accounting and Financial Reporting Council, Invest Hong Kong, Cyberport, and the Hong Kong Science and Technology Parks Corporation.  [3 Oct 2024]  #AI #wCBDC #Crypto

SB briefs LegCo panel on findings from consultation on proposed legislative framework to enhance protection of computer systems of critical infrastructures, and indicates it is seriously considering relaxing reporting timeframe following feedback

The Security Bureau (SB) has published a consultation report to brief the Legislative Council (LegCo) Panel on Security on its findings from the consultation on the proposed legislative framework to enhance the protection of the computer systems of critical infrastructure.  The one-month consultation ended on 1 August 2024 on (see our blog post for background information).  The SB received a total of 53 written submissions and also organised five consultation sessions for the industry (attended by nearly 200 stakeholders) to receive feedback.

The consultation report discusses the consultation feedback in detail as well as the SB's views.  The following points (among others) are notable:

• The SB understands the actual difficulties that critical infrastructure operators may encounter in incident reporting, and has made reference to the relevant requirements in the UK, the EU and the US.  It will seriously consider relaxing the time frame for reporting serious computer system security incidents from 2 hours to 12 hours after being aware of the incident, and from 24 hours to 48 hours after being aware of other incidents.  In the meantime, to ensure effective and early response to incidents, the SB has made reference to the practices in Singapore and Australia, and propose that when a critical computer system necessary for an operator’s provision of essential services has been (or is likely to be) disrupted, or its services interrupted, the Commissioner’s Office should be empowered to proactively investigate the cause directly with the operator, so as to ascertain whether it is caused by an attack.

• The proposed legislation does not have extraterritorial effect.  The Commissioner’s Office will ensure that it will only request information that is accessible by operators with offices set up in Hong Kong, and will allow them reasonable time for preparation.

• The SB understands the practical difficulties that critical infrastructure operators may encounter in reporting changes in ownership and will seriously consider removing such requirement.

The SB plans to introduce the Bill on the proposed legislative framework into LegCo within 2024.  It is aiming to set up the Commissioner’s Office within one year of the passage of the Bill and bring the new legislation into force within half a year’s time.  [2 Oct 2024]  #OpRes #Cyber

HKMA shares insights gathered from industry engagement regarding management of risks associated with third-party IT solutions

The HKMA has issued a circular to authorised institutions (AIs) to share insights gathered from its industry engagement and remind AIs to ensure that adequate measures are implemented to effectively manage third-party dependencies and enhance their operational resilience against the failure of third-party IT solutions.

The HKMA's industry engagement follows the recent global IT incident arising from the faulty update of a cybersecurity solution provider.  The widespread impact of the incident may be attributed to the service provider’s testing issues before product update, the concerned solution’s ability to push automatic updates without user controls, and inadequate risk management around third-party software.

The HKMA has gathered insights from the industry on risk management measures to prevent similar incidents in the future.  In addition to complying with the principles and guidance in the Supervisory Policy Manual, Cyber Risk Assessment Framework, and circulars on third-party risk management, the HKMA expects senior management of AIs to ensure that their institutions take into account the good practices attached to the circular in reviewing and enhancing their risk management controls.  These good practices cover the following areas:

• Third -party risk assessment;
• IT change / patch management;
• Privileged access management; and
• Preparedness and recovery capabilities for IT incidents.  [27 Sep 2024]  #OpRes #Cyber

HKMA publishes research paper on GenA.I. in financial services sector

The HKMA has published a research paper titled 'Generative Artificial Intelligence in the Financial Services Space', which explores the transformative potential of generative artificial intelligence (GenA.I.) and its implications for the financial industry, particularly in terms of operational efficiency, risk management, and customer engagement.

The HKMA has been working closely with other financial regulators to promote cross-sectoral adoption of fintech (with artificial intelligence being a key area of focus) under the 'All banks go Fintech' initiative of its 'Fintech 2025' strategy (see our previous update). 

The HKMA recently conducted an industry-wide survey participated by 137 industry practitioners and in-depth interviews with 16 organisations across the technology, banking, securities, and insurance sectors.  Findings reveal that most financial institutions are currently focusing on internal applications that drive employee productivity, such as innovations aimed at automating routine tasks, improving workflow efficiencies, and enhancing knowledge sharing.  The adoption of GenA.I. for customer-facing applications remains nascent.  Concerns around regulatory compliance, operational deployment, and the resource-intensive nature of GenA.I. solutions are cited as key barriers to more widespread adoption.

The research paper:

• Provides insights into the current state of GenA.I. adoption within the financial sector, highlighting key applications and challenges identified through interviews with financial institutions and technology solution providers;
• Outlines the critical risk management considerations associated with GenA.I., including data privacy, cybersecurity, information inaccuracy and algorithmic bias, and offers recommendations for governance structures and deployment approaches to support responsible innovations.

The HKMA encourages all authorised institutions to review this paper and consider how GenA.I. can be thoroughly tested (such as through the new GenA.I. Sandbox – see our previous update), and responsibly integrated into the institutions’ operations, service offerings and risk management systems.

The HKMA indicates that it remains committed to fostering a fintech ecosystem that balances innovation with supervisory oversight, ensuring that the benefits of GenA.I. can be realised without compromising the stability, security, or ethical standards of the financial system.  [27 Sep 2024]  #AI

HKMA discusses proposed regulatory regime for stablecoin issuers in feature article

The HKMA has published a feature article, 'Regulatory Regime for Stablecoin Issuers in Hong Kong' in its September 2024 Quarterly Bulletin.  The article covers the following areas:

• Background on stablecoins and digital assets more broadly, and key events in the market since 2020;
• Potential risks of stablecoins;
• Background to the formulation of a regulatory regime for fiat-referenced stablecoins and the proposed regulatory requirements;
• Stablecoin issuer sandbox and proposed use cases.

The HKMA believes that early implementation of the regulatory regime can lay a solid foundation to foster innovations and help promote the healthy, responsible and sustainable development of the stablecoin and broader digital asset ecosystem in Hong Kong.  It is aiming to introduce the draft legislation into the Legislative Council by the end of 2024.  [27 Sep 2024]  #Stablecoin #Crypto

---

Singapore

SCM unveils regulatory sandbox and initiatives to spur innovation – capital market

The Securities Commission Malaysia (SCM) has announced that it will introduce a regulatory sandbox and enhance its regulatory framework in order to encourage securities tokenisation to help spur innovations in the capital market. The sandbox is among the initiatives unveiled at the SCxSC Fintech Summit 2024 that are aimed at promoting a responsible innovation in the country’s capital market.

The SCM will develop a guidance in early 2025 for intermediaries to understand and manage associated risks in relation to securities tokenisation. Firms have until April 2025 to apply for the first cohort of the sandbox.  [1 Oct 2024]  #Sandbox #Tokenisation

---

India

 IFSCA consults on guidelines on cyber security and cyber resilience

The IFSCA has published a consultation on its principle-based guidelines on cyber security and cyber resilience for all regulated entities. The major components of the guidelines include: governance, cyber security and cyber resilience framework; third party risk management, communication and awareness; and audit.

The implementation of these guidelines will be done in accordance with the principle of proportionality, considering the scale and complexity of operations, the nature of the activity the entity is engaged in, its interconnectedness to the financial ecosystem and the corresponding cyber risks the entity is exposed to.

Feedback to the consultation is requested by 19 October 2024. [28 Sep 2024]  #Cyber

---

US

NY Fed: Liberty Street Economics insight on Gen AI and inequality

The Federal Reserve Bank of New York (NY Fed) has released a new article in its Liberty Street Economics series on exposure to Gen AI and expectations about inequality. In supplemental questions to the February 2024 Survey of Consumer Expectations (SCE), NY Fed economists asked a representative sample of U.S. residents about their experience with Gen AI tools. They report that relatively few people have used the technology, but that those who have used it have a bleaker outlook on its impacts on jobs and future inequality.

The Liberty Street Economics series features insight and analysis from NY Fed economists working at the intersection of research and policy.  [2 Oct 2024]  #AI

SEC charges entities operating cryptoasset trading platform

The SEC has filed settled charges against entities operating a cryptoasset trading platform for engaging in the unregistered offer and sale of cryptoasset tokens. The SEC also settled charges against two entities for engaging in unregistered broker activity in connection with various cryptoassets being offered and sold as securities on the platform. The SEC’s complaint alleges that by skirting the SEC’s registration provisions, the entities deprived investors of critical protections afforded by the federal securities laws.

Without admitting or denying the allegations, the entities have agreed to settle the SEC charges, consenting to injunctions and orders to collectively pay nearly $700,000 in civil penalties. They have also agreed to destroy the relevant tokens, to request the removal of those tokens from trading platforms, and to refrain from soliciting any trading platform to allow trading in or offering or selling of those tokens. The settlements are subject to court approval.  [27 Sep 2024]  #Crypto

Treasury: Acting Assistant Secretary of Financial Institutions addresses Fintech policy forum

The U.S. Department of the Treasury has published the remarks by Acting Assistant Secretary of Financial Institutions Laurie Schaffer at the Electronic Transaction Association’s Annual Fintech Policy Forum.  Ms Schaffer began with a short summary of Treasury’s views about AI broadly and then turned to how AI risks and benefits are seen when the technology is applied in financial services, particularly in consumer lending and insurance spaces.  [26 Sep 2024]  #AI

Treasury: FIO hosts roundtable on AI in the insurance sector

The Federal Insurance Office (FIO) at the U.S. Department of the Treasury hosted a roundtable discussion with representatives from the insurance industry, consumer groups, state insurance regulators, academics, and other stakeholders to discuss AI in the insurance sector.  Among other issues, the roundtable considered the growing use of AI by insurers and its potential for facilitating innovation and modernization in insurance product design, distribution, delivery, and cost. Participants noted that insurers are using AI in various aspects of the insurance business, including claims processing, underwriting, marketing, fraud detection, and rating. The roundtable discussion also focused on potential risks and challenges around various issues, including fairness and privacy.  [24 Sep 2024]  #AI