ICYMI
- Australia’s 2024 Cyber Security Reforms - A high-level guide to the November 2024 cyber law reforms
Global
BIS paper: CBDCs and fast payment systems – rivals or partners?
The Bank for International Settlements (BIS) has published a paper which analyses how retail central bank digital currencies (CBDCs) and fast payment systems (FPS) compare with each other and why some jurisdictions have opted for a retail CBDC, while others have chosen to introduce an FPS or both. It also compares emerging challenges and risks related to retail CBDCs and FPS.
The paper concludes that the choice between a retail CBDC or an FPS, or both, is very contextual and will depend on the market features, ecosystem and degree of maturity and innovation of existing payment infrastructures in a country. [4 Dec 2024] #CBDC #Payments
UK
Lords: Answer to written question on crypto regulation
For HMT, Lord Livermore has provided a response to a question posed by Lord Taylor of Warwick on what assessment has been made on the impact of the increased value of cryptocurrency and whether there are plans to introduce regulations to ensure oversight of the crypto market. The response confirms that HM Government (HMG) intends to proceed with creating a new financial services regulatory regime for cryptoassets, which will include the creation of new regulated activities for cryptoassets and stablecoin issuance. The new framework will also include admissions and disclosures, and market abuse regimes. [2 Dec 2024] #Crypto
Europe
ECB: Eurosystem completes tests using DLT for central bank money settlement
The European Central Bank (ECB) has published news that the Eurosystem has successfully concluded a series of tests employing distributed ledger technology (DLT) for wholesale settlement in central bank money. In total, 64 participants comprising central banks, financial market participants and DLT operators completed over 40 trials and experiments. Trials included actual settlement in central bank money, while experiments were tests with mock settlement. The Eurosystem will draw lessons from the exploratory work and further analyse the opportunities and challenges of DLT for financial markets. In January 2025, participants involved in the exploratory work will be invited to discuss lessons learned from the trials and experiments. [5 Dec 2024] #DLT
ESMA/EBA guidelines: Suitability assessment of management body of issuers of ARTs and CASPs
The European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA) have published joint guidelines on the assessment of the suitability of members of the management body of issuers of asset-referenced tokens (ARTs) and cryptoasset service providers (CASPs).
The guidelines apply at authorisation and on an ongoing basis to competent authorities and issuers of ARTs and CASPs. The suitability assessment is based on the requirement that members of the management body must be of sufficiently good repute and capable of committing sufficient time to effectively perform their duties. The requirement also includes an assessment of whether members have the appropriate individual and collective knowledge, skills and experience to perform their duties.
The guidelines apply from 4 February 2025. [4 Dec 2024] #MiCAR #Crypto
ESAs issue statement on DORA application
The European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) have published a statement on the application of the Digital Operational Resilience Act (DORA), calling on financial entities and third-party providers to advance their preparations to ensure their readiness for the application of DORA from 17 January 2025.
Financial entities are therefore expected to identify and address in a timely manner gaps between their internal setups and the DORA requirements and prepare for the new reporting obligations. The ESAs also invite ICT third-party service providers, which consider they may meet the criticality criteria published in May 2024, to assess their operational setup against DORA requirements. The first designation of critical third party providers is expected to take place in H2 2025. [4 Dec 2024] #OpRes #Cyber #CTPPs #Outsourcing
EBA consults on criteria for appointing CASP central contact point
The EBA has published a consultation on draft regulatory technical standards (RTS) specifying the criteria according to which CASPs should appoint a central contact point to ensure compliance with local anti-money laundering and countering the financing of terrorism (AML/CFT) obligations of the host Member State.
CASPs can provide services in other Member States through establishments other than branches. Once established, CASPs have to comply with local AML/CFT obligations, even if their establishments are not ‘obliged entities’ themselves. The draft RTS set out the criteria for determining the circumstances in which the appointment of a central contact point is appropriate, as well as the functions of those central contact points.
Responses to the consultation are requested by 4 February 2025. [4 Dec 2024] #MiCAR #Crypto
Council agrees position on FiDA framework
The Council of the EU has announced that it has reached an agreement on a proposed framework for Financial Data Access (FiDA) that aims to provide financial institutions access to each other's customer data.
It is intended that the proposals will create a more competitive financial sector and improve consumers’ access to finance by introducing harmonised rules on what data to share and how to share it. The new framework provides that customers will retain effective control over their data and empowers the European Supervisory Authorities (ESAs) to issue guidelines to provide for protection against unfair treatment or exclusion risks.
The Council will now engage in negotiations with the European Parliament (EP) on the final shape of the legislation. [4 Dec 2024] #OpenBanking #OpenFinance #Data
OJ: MiCAR ITS – crypto-asset white papers
The Commission Implementing Regulation laying down ITS for the application of MiCAR with regard to forms, formats and templates for cryptoasset white papers has been published in the OJ.
The regulation will enter into force on the 20th day following its publication and will apply from 23 December 2025. [3 Dec 2024] #MiCAR #Crypto
ECB: Second progress report on digital euro
The ECB has published its second progress report on the preparation phase of a digital euro. Since the publication of the first progress report, the ECB has updated its digital euro scheme rulebook, aimed at harmonising digital euro payments across the euro area. This followed an interim review carried out by members of the Rulebook Development Group (RDG), representing the views of consumers, retailers and payment service providers. The updated draft also includes input from seven new workstreams, launched in May 2024 to further develop key sections of the rulebook, including minimum user experience standards and risk management.
Work has also progressed on the design of a digital euro, specifically on the methodology to calibrate the holding limit and the deployment of the digital euro offline functionality on the secure elements of mobile devices.
In parallel with the report, the ECB has concluded a call for applications, launched in January 2024, for selecting potential providers of digital euro components and related services. The ECB has invited selected bidders to tender and will publish the outcome of this process in 2025.
A letter summarising the report has been sent by Piero Cipollone, ECB Executive Board Member, to Ms Aurore Lalucq, Chair of the Committee on Economic and Monetary Affairs (ECON). [2 Dec 2024] #CBDC
EC: Regulation supplementing MiCAR
A Commission Delegated Regulation supplementing MiCAR with regard to RTS specifying the content and format of order book records for cryptoasset service providers operating a trading platform for cryptoassets has been added to the register of Commission documents. [2 Dec 2024] #MiCAR #Crypto
OJ: DORA ITS – Standard templates for the register of information
The Commission Implementing Regulation laying down ITS for the application of DORA with regard to standard templates for the register of information has been published in the OJ.
The regulation will enter into force on the 20th day following its publication. [2 Dec 2024] #OpRes #Cyber
Australia
AUSTRAC takes action to stamp out financial crime through cryptocurrency ATMs
The Australian Transaction Reports and Analysis Centre (AUSTRAC) has announced that it is cracking down on cryptocurrency ATM providers in Australia which do not comply with the country’s anti-money laundering (AML) regime. AUSTRAC confirmed that an internal cryptocurrency taskforce has been established to ensure that digital currency exchanges (DCEs) that provide crypto ATM services meet minimum standards and have robust practices in place to identify and minimise the risk that their machines will be used to move money associated with scams, fraud or other proceeds of crime. AUSTRAC CEO Brendan Thomas said AUSTRAC will be tightening the monitoring of crypto ATM providers, and will take action against operators that are flouting the rules. Mr Thomas further stated that 'this is the first step in AUSTRAC’s focus to reduce the criminal use of cryptocurrency in Australia. We will be focusing on this industry over the course of next year.'
Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), DCEs, including those providing crypto ATM facilities, have to register with AUSTRAC and are also required to:
- undertake transaction monitoring;
- complete know your customer (KYC) information checks on customers;
- report suspicious activity in suspicious matter reports (SMRs); and
- submit threshold transaction reports (TTRs) for cash deposits and withdrawals of $10,000 or more. [6 Dec 2024] #Crypto
ASIC invites feedback on proposed updates to digital asset guidance
ASIC has announced that it will be consulting on proposals to update Information Sheet 225 Crypto Assets (Info Sheet 225). The proposals are aimed at providing greater clarity about the current law, including by adding 13 practical examples of how the current financial product definitions apply to digital assets and related products. ASIC has said that, generally, its existing approach to financial services licences will apply to digital assets. For instance, whether an applicant is proposing to deal in traditional securities or securities based on a digital asset platform, the same licensing regime applies. The consultation seeks feedback on:
- ASIC’s updated guidance in Info Sheet 225, including the worked examples;
- the application of the existing Australian Financial Services (AFS) licence processes, ASIC guidance and standard conditions to digital asset businesses;
- practical licensing issues for wrapped tokens and stablecoins, issues arising from the potential transition to the Government’s proposed digital asset platform and payment stablecoins regimes, and consideration of potential regulatory relief; and
- a potential class ‘no action’ position for digital asset businesses that are in the process of applying for or varying an AFS licence, Australian Markets Licence or Clearing and Settlement Facility licence.
The consultation will close on 28 February 2025, with ASIC intending to publish the updated Info Sheet 225 in mid-2025. [4 Dec 2024] #Crypto
Hong Kong
Government gazettes Protection of Critical Infrastructures (Computer Systems) Bill, to be introduced into LegCo on 11 December 2024
The Government has gazetted the Protection of Critical Infrastructures (Computer Systems) Bill, which seeks to impose statutory requirements on designated operators of critical infrastructures to ensure they take appropriate measures to protect their computer systems and minimise the chance of essential services being disrupted or compromised due to cyberattacks. The Bill will be introduced into the Legislative Council (LegCo) for the first and second reading on 11 December 2024 (the LegCo brief can be accessed here).
The Government previously launched a public consultation on the proposed legislative framework, which ended on 1 August 2024 (see our blog post for background information). The Security Bureau subsequently published a consultation report in October 2024 to brief the LegCo on its findings from the consultation (see our previous update).
The Government has indicated that, in drafting the Bill, reference has been made to the relevant legislation of other jurisdictions to establish a regulatory model suitable for Hong Kong. The operators of critical infrastructures to be regulated will be those necessary for the continuous provision of essential services or maintaining critical societal and economic activities in Hong Kong, most of which are large organisations. Small and medium enterprises and the general public will not be regulated. The purpose of the statutory obligations to be imposed is to safeguard the security of the computer systems that are critical to the core functions of the critical infrastructure; they are not intended to target personal data and trade secrets.
The statutory obligations on designated operators of critical infrastructures under the Bill are grouped into three categories, namely, organisational obligations, preventive obligations, and incident reporting and response obligations.
The Bill takes into account feedback from stakeholders, including in relation to the time frame for incident reporting. Among other things, the time frame for reporting serious computer system security incidents has been relaxed from 2 hours to 12 hours after being aware of the incident, and from 24 hours to 48 hours after being aware of other incidents, consistent with the comments in the Security Bureau's consultation report of October 2024 (see our previous update). [4 & 6 Dec 2024] #OpRes #Cyber
Government gazettes Stablecoins Bill, to be introduced into LegCo on 18 December 2024
The Government has gazetted the Stablecoins Bill, which seeks to put in place a regulatory regime for issuers of fiat-referenced stablecoins in Hong Kong. The Bill will be introduced into the Legislative Council (LegCo) for first reading on December 18.
This follows the conclusion of the consultation on the proposed regulatory regime by the Financial Services and the Treasury Bureau and the HKMA in July 2024 (see our previous update).
The Bill aims to enhance the regulatory framework for virtual asset activities, by addressing the potential financial stability risks posed by fiat-referenced stablecoins, ensuring adequate user protection, and harnessing the potential benefits of virtual assets and their underlying technologies. The Bill also seeks to provide the HKMA with necessary supervision, investigation and enforcement powers for the effective implementation of the regime.
Under the proposed licensing regime, a person who carries on any of the following activities has to be licensed by the HKMA:
- Issuing fiat-referenced stablecoins in Hong Kong in the course of business;
- Issuing fiat-referenced stablecoins that purport to maintain a stable value with reference to Hong Kong dollars in the course of business; or
- Actively marketing the person's issue of fiat-referenced stablecoins to the public of Hong Kong. [6 Dec 2024] #Crypto #Stablecoins
Insurance Authority publishes revised Guideline on Cybersecurity (GL20), to take effect on 1 January 2025
The Insurance Authority has published a revised Guideline on Cybersecurity (GL20), which will take effect on 1 January 2025.
The guideline sets the minimum standard for cybersecurity that authorised insurers are expected to have in place and the general guiding principles which the Insurance Authority uses in assessing the effectiveness of an insurer's cybersecurity framework.
One of the key revisions to GL20 concerns the introduction of a Cyber Resilience Assessment Framework (CRAF) which aims to assist insurers to assess their inherent risks and maturity level of their cybersecurity measures against a set of prescribed control principles. The CRAF comprises the following main elements:
- Inherent risk assessment: Authorised insurers should assess the inherent cyber risk exposure of their organisations using a set of risk indicators to determine the overall inherent risk rating;
- Cybersecurity maturity assessment: Authorised insurers should determine the cybersecurity maturity level they are expected to achieve based on their overall inherent risk rating, and compare that expected level against their actual cybersecurity maturity based on a set of prescribed control principles; and
- There should be a protocol on submission to the Insurance Authority of assessment results and improvement / remedial plan where authorised insurers' actual cybersecurity maturity level falls short of the level expected of them. [6 Dec 2024] #Crypto
Singapore
MAS and ABS announce new e-payment solutions and extension to deadline for processing corporate cheques
The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) have announced that two new payment solutions will be launched in mid-2025 to support the transition to electronic payments (e-payments) for both corporate and retail cheque users. These solutions will complement Singapore's existing suite of e-payment modes, including PayNow, FAST, GIRO and MEPS+. To allow corporates sufficient time to adopt these new solutions, MAS and ABS have also announced a one-year extension of the deadline to cease processing of corporate cheques. [5 Dec 2024] #Payments
MAS: AI model risk management
MAS has published an information paper which sets out the findings of its thematic review of banks’ AI, including Generative AI (Gen AI), model risk management practices. The paper sets out good practices for AI and Gen AI model risk management that were observed during the review, focusing on those relating to governance and oversight, key risk management systems and processes, and development and deployment of AI. MAS encourages all financial institutions to reference these good practices when developing and deploying AI. [5 Dec 2024] #AI
India
RBI: Amendment to framework for facilitating small value digital payments in offline mode
The Reserve Bank of India (RBI) has published a circular entitled Amendment to Framework for Facilitating Small Value Digital Payments in Offline Mode. In relation to RBI circular CO.DPSS.POLC.No.S1264/02-14-003/2021-2022, dated January 03, 2022 (updated as at 24 August 2023), which enabled small value digital payments in offline mode, the framework, inter alia, prescribes an upper limit of ₹500 for an offline digital payment transaction, and a total limit of ₹2,000 for a payment instrument at any point in time.
In relation to the Statement on Developmental and Regulatory Policies, dated 9 October 2024, which announced an enhancement to the stated limits for unified payments interface (UPI) Lite, the offline framework has been updated and the enhanced limits for UPI Lite will be ₹1,000 per transaction, with ₹5,000 being the total limit at any point in time.
The amendments come into effect immediately. [4 Dec 2024] #Payments
Philippines
BSP completes testing for Project Agila
The Bangko Sentral ng Pilipinas (BSP) has announced that, in conjunction with financial institutions (FIs), it has completed the testing for Project Agila, which is a proof-of-concept of the BSP’s central bank digital currency (CBDC) at the wholesale level. The evaluation with FIs covered functional, performance, security, exploratory, end-to-end and programmability testing, and demonstrated that transactions can safely be supported by open-source distributed ledger technology (DLT) through the Oracle Cloud Infrastructure. Project Agila will allow FIs to transfer funds to each other even during off-business hours, including evenings, weekends, and holidays. [5 Dec 2024] #CBDC
US
CFPB proposes rule to stop data brokers from selling sensitive personal data to scammers, stalkers, and spies
The Consumer Financial Protection Bureau (CFPB) has proposed a rule to rein in data brokers that sell Americans' sensitive personal and financial information. The proposed rule would limit the sale of personal identifiers like Social Security Numbers and phone numbers collected by certain companies and make sure that people’s financial data such as income is only shared for legitimate purposes, like facilitating a mortgage approval, and not sold to scammers targeting those in financial distress. The proposal would make clear that when data brokers sell certain sensitive consumer information they are "consumer reporting agencies" under the Fair Credit Reporting Act (FCRA), requiring them to comply with accuracy requirements, provide consumers access to their information, and maintain safeguards against misuse.
Comments on the proposed rule are requested by March 3, 2025. [3 Dec 2024] #Data
Rashid Ahmed
FSR & CCI Professional Support Paralegal, London
Vasuki Balasubramaniam
FSR & CCI Professional Support Paralegal, London