Worldwide: FinTech Global FS Regulatory Round-up – W/e 25 November 2022

The International Organization of Securities Commissions (IOSCO) has  published the keynote speech by Tajinder Singh, Deputy Secretary General, on crypto-asset regulation to the September 27-29 World Federation of Exchanges (WFE) 61st General Assembly and Annual Meeting. In his speech, Mr Singh provided an update on the IOSCO's work in relation to fintech and crypto-assets, including:

• the work of the Fintech Task Force which brings together IOSCO members from a number of jurisdictions and is currently focusing on investor protection and market integrity in relation to crypto-assets;
• work with the Committee on Payments and Market Infrastructures (CPMI) around stablecoins which Mr Singh characterised as ‘providing the on- and off-ramps' between fiat and crypto;
• the IOSCO Crypto Asset Roadmap 2022-23 (which was published in July 2022);
• the ongoing work of IOSCO's crypto, digital assets and decentralized finance (DeFI) workstreams; and
• IOSCO's work on crypto asset trading platforms. [22 Nov 2022]

The International Organization of Securities Commissions (IOSCO) has  published a speech by Tuang Lee, Chair of IOSCO Fintech Task Force, on applying and adapting IOSCO principles to digital asset markets. In his speech, Ms Lee spoke about:

• the definition of digital assets;
• international scrutiny due to the lack of regulation of digital assets;
• the role of IOSCO Fintech Task Force; and
• key risks in relation to digital assets. [21 Nov 2022]

HM Treasury (HMT) has  published a Memorandum of Understanding (MoU) between the UK and Singapore's Monetary Authority Singapore (MAS) on the UK-Singapore FinTech Bridge. The FinTech Bridge is intended to remove barriers to fintech trade and boost cooperation. It should also break down barriers to trade for UK and Singaporean fintechs, boosting growth and investment opportunities.

The UK and Singapore also  held the 7th UK-Singapore Financial Dialogue in Singapore in which they renewed their commitment to deepening the UK-Singapore Financial Partnership that was originally agreed in 2021. [25 Nov 2022]

LawtechUK's UK Jurisdiction Taskforce has  extended the deadline for its  consultation on issuance and transfer of digital securities under English private law from 21 November to 30 November 2022. [24 Nov 2022]

The FCA has  added a new page to the ‘ About us‘ section of its website which describes how it is focusing on ‘Raising standards in new firms and financial promotions'.  The FCA explains that it created an  Early and High Growth Oversight function to work more closely with newly-authorised firms to help them adapt to supervision as they start up and grow.  The FCA conducted a pilot exercise in 2021/22 with 32 newly-authorised firms. During the pilot, the FCA identified marketing financial products as one area where these firms did not understand the FCA's rules well; the regulator intervened to correct issues and also provided training on its rules.  The FCA is now moving to phase two of its pilot, expanding the oversight of the Early and High Growth Oversight function to 300 firms. [23 Nov 2022]

The Financial Services Skills Commission (FSSC) has  published its  Future Skills Framework that has been developed with leading financial services employers. The framework identifies essential skills essential skills which are business critical for firms across the sector – particularly in light of the ongoing shortage of skills in technology, cyber and digital – with the goal of helping firms to prioritise their future skills needs and to attract and retain talent. [23 Nov 2022] 

#Tech 

#Cyber

#Digital

The FCA has  warned stock trading app operators to review design features, including those with game-like elements, which risk prompting consumers to take actions against their own interest.

Features include sending frequent notifications with the latest market news and providing consumers with in-app points, badges and celebratory messages for making trades. The FCA has found that consumers using apps with these kind of features were more likely to invest in products beyond their risk appetite.

Alongside this warning, the FCA has  published research that raises concerns that customers using such trading apps are exposed to high-risk investments, and that some appear to exhibit behaviours similar to problem-gambling. [21 Nov 2022] 

#App

The Bank of England (BoE) has  published a speech by Jon Cunliffe, Deputy Governor of Financial Stability, on decentralized finance (DeFi), digital currencies and regulation. In his speech, Mr Cunliffe discusses recent crypto market developments, and explains the work that the BoE, FCA and HM Treasury are undertaking on the regulation of crypto stablecoins and on a potential central bank digital currency. [21 Nov 2022]

#DigitalCurrencies

The European Insurance and Occupational Pensions Authority (EIOPA) has  published a  discussion paper (DP) on methodological principles of insurance stress testing with a focus on cyber risk. EIOPA aims to lay the groundwork for an assessment of insurers' financial resilience under severe but plausible cyber incident scenarios. The DP elaborates on two main aspects:

• cyber resilience, understood as the capability of an insurance undertaking to sustain the financial impact of an adverse cyber event; and
• cyber underwriting risk, understood as the capability of an insurance undertaking to sustain – from a capital and solvency perspective – the financial impact of an extreme but plausible adverse cyber scenario affecting underwritten business.

Feedback is requested by 28 February 2023. [24 Nov 2022]

The European Banking Authority (EBA) has  published its  final guidelines on the use of remote customer onboarding solutions. The guidelines set out the steps credit and financial institutions should take to ensure safe and effective remote customer onboarding practices in line with applicable anti-money laundering and countering the financing of terrorism (AML/CFT) legislation and the EU's data protection framework. The guidelines apply to all credit and financial institutions that are within the scope of the Anti-money Laundering Directive (AMLD).

They will be translated into the official EU languages and published on the EBA website. The deadline for competent authorities to report whether they intend to comply with the guidelines will be two months following the publication of the translations. [23 Nov 2022]

ASIC has  commenced civil penalty proceedings against Block Earner, a fintech company that offered a range of fixed-yield earning products based on crypto-assets. ASIC allege the products were financial products that should have been licensed because the products were a managed investment scheme, a facility through which a person makes a financial investment, and/or a derivative.. The date for the first case management hearing is yet to be scheduled by the Federal Court.  [23 Nov 2022]

Every year, the Australian Taxation Office (ATO) shares their approach to the banking and finance sector with industry groups and advisory firms. The ATO has  announced that discussions with the industry on key areas of focus and issues for the year ahead have taken place. Common themes impacting across the banking and finance sector include mergers and acquisitions, divestment activities, and continual evolution in the FinTech sector. The ATO has noted uncertainty for tax and GST obligations in the industry around transfer pricing, branch attribution for income tax, reverse charge liabilities, and crypto assets for GST.  [21 Nov 2022]

The HKMA has issued a  circular to authorised institutions (AIs) to provide additional guidance on protection against distributed denial-of-service (DDoS) attacks.

As stated in the HKMA's Supervisory Policy Manual (SPM) guidance:

• AIs should implement adequate controls to promptly detect and respond to the threats posed by DDoS attacks that could impact the delivery of e-banking services (module TM-E-1 “Risk Management of E-banking”);
• AIs should put in place proper controls to safeguard their networks and systems against disruption (module TM-G-1 “General Principles for Technology Risk Management”).

In view of the increased incidence and sophistication of DDoS attacks, the HKMA considers it appropriate to provide more guidance in this area.  The additional guidance is developed with reference to the findings from a round of recent thematic reviews to assess the effectiveness of the anti-DDoS protective measures maintained by AIs.  AIs are expected to take into account such guidance in their regular assessments of the effectiveness of their anti-DDoS protection, which covers four key areas:

• Regular risk assessment and vulnerability management, including protective measures provided by third parties (regular assessment should be undertaken by the first line of defence, with the second line of defence providing additional opinion);
• Proper design of the architecture of anti-DDoS controls in respect of both customer-facing channels and components that support the AI's operations (a multi-layered defence should be deployed to achieve optimal protection);
• Effective governance over service providers to evaluate their cyber defence capability and robust contingency arrangements for potential disruption to their services (excessive reliance on a single service provider should be avoided);
• Proper incident response procedures (incorporating lessons learned from significant DDoS incidents) and regular rehearsal exercises (including both table-top drills and technical drills with involvement of anti-DDoS service providers).  [25 Nov 2022] 

As part of its “Fintech 2025” strategy, the HKMA has  co-organised its third AML Regtech Lab (AMLab) with Cyberport (supported by Deloitte).  The third AMLab builds on the first AMLab (see our  previous update), and relates to the adoption of network analytics to combat fraud risk and reduce losses from scams using mule account networks.  It follows the second AMLab on the use of “enabling technologies” held in July 2022 (see our  previous update).

The third AMLab 3 shared good practices and provided a platform for banks as well as data and technology experts to collaborate using synthetic data to demonstrate testing of network diagrams, thus helping fast track implementation at lower costs.  It was followed by Regtech Connect (an initiative introduced in July 2022), in which Cyberport technology companies demonstrated relevant regtech tools and services.

The HKMA will continue to engage with banks in 2023, including hosting more AMLabs with Cyberport and publishing research and thematic review results.

In the face of rising levels of online fraud and financial crime, the HKMA has transformed the way it works with banks to shape the direction of innovation in AML work, including the adoption of network analytics.  About 60% of retail banks are deploying network analytics (more than twice as that three years ago).  In the first nine months of 2022, retail banks have increased their identification and reporting of suspicious accounts and networks by 127% compared to a year ago, leading to a 166% increase in the amount of criminal proceeds restrained or confiscated by law enforcement agencies.  [24 Nov 2022]

The HKMA Research Department has published a memorandum titled  ‘An assessment of the volatility spillover from crypto to traditional financial assets: The role of asset-backed stablecoins', which looks at the volatility of crypto assets and how it could spill over to the traditional financial system in light of the rapid growth of the crypto ecosystem and its increasing connection with the traditional financial system.

The following are some key findings from the research:

• The study focuses on Tether, the largest asset-backed stablecoin, and found that its reserve adjustment magnifies the volatility spillover from crypto assets to money market instruments, which could be a channel via which risks borne by crypto assets could spill over to the traditional financial system.
• In extreme circumstances, the failures of stablecoins and other crypto assets could result in large-scale redemptions of asset-backed stablecoins and a fire-sale of their reserve assets, potentially posing material impact on the traditional financial system such as the money market identified in the study.
• As the crypto ecosystem continues to expand and is increasingly exposed to the financial sector, the linkages between crypto and traditional financial assets are likely to become stronger, potentially increasing the risk of spillover.  The crypto ecosystem remains largely outside the oversight of regulators with large data gaps impeding their assessments of the spillover risk.

Given that the international regulatory community is considering appropriate regimes to regulate stablecoins, the study provides two suggestions to regulators for reducing spillover risk:

• Requiring standardised and regular disclosures by the issuers of asset-backed stablecoins on their reserve asset holdings to help regulators assess and compare their liquidity condition and potential liquidity mismatch risk; and
• Strengthening the asset-based stablecoins' liquidity management, possibly by imposing restrictions on the composition of reserve assets and requiring well-defined redemption rights.

An effective implementation of the above would require internationally coordinated regulation and cooperative oversight given the borderless nature of the crypto ecosystem.  [21 Nov 2022]

#Crypto 

MAS made a  statement addressing some questions and misconceptions that have arisen in the wake of the FTX.com (FTX) debacle. MAS stressed that local users who dealt with FTX do not have regulatory protection as FTX was not licensed by MAS and operates offshore.

MAS explained that it placed Binance on its Investor Alert List (IAL) because it had solicited Singapore users without a licence; unlike FTX, Binance had actively been soliciting users in Singapore, offering listings in Singapore dollars and accepting Singapore-specific payment modes such as PayNow and PayLah.  On MAS' referral, the Commercial Affairs Department commenced investigation into Binance for possible contravention of the Payment Services Act (PS Act).

MAS has confirmed that it is not possible to list and provide information on all offshore crypto exchanges. In addition to maintaining the IAL, MAS publishes a Financial Institutions Directory on its website that is an exhaustive list of all MAS-regulated entities.  MAS stressed that dealing in any cryptocurrency, on any platform, is hazardous; it has consistently warned about the dangers of dealing with unregulated entities. [21 Nov 2022]

#Exchange

The People's Bank of China (PBOC), China Securities Regulatory Commission (CSRC), CBIRC and other five top PRC government authorities announced  a framework plan to build pilot financial reform zones for scientific and technological innovation in Shanghai, Nanjing, Hangzhou, Hefei and Jiaxing. The plan includes 19 measures to facilitate financial and technology reform and strengthen financial supports for innovation, including among others:

• encouraging qualified commercial banks to set up wealth management subsidiaries and other professional subsidiaries in the pilot zones to focus on technology innovation;
• supporting domestic and overseas technology insurance companies to establish R&D and innovation headquarters in the pilot zones;
• supporting banking financial institutions to provide facilities to qualified technology companies; and
• supporting overseas private fund to invest into domestic technology companies through QFLP regime.  [11 Nov 2022] 

#Innovation

Bank Negara Malaysia (BNM) is  seeking written feedback on its  Exposure Draft on Licensing and Regulatory Framework for Digital Insurers and Takaful Operators (DITOs). The Exposure Draft outlines the proposed framework to facilitate the entry of DITOs in Malaysia that can offer strong value propositions to realise the following outcomes: inclusion; competition and efficiency. It is envisaged that DITOs will carry on insurance or takaful business wholly (or almost wholly) through digital or electronic means.

The Exposure Draft specifies licensing and application procedures, as well as specific requirements on the eligible business models and distribution channels of DITOs. DITOs will have to comply with the existing requirements under the Financial Services Act 2013 (FSA) or Islamic Financial Services Act 2013 (IFSA). Applicants will be required to submit a comprehensive five year business plan, including planned measures to effectively manage technology and cyber risks in delivering its products and services in line with the  Risk Management in Technology policy. Applicants will also be expected to demonstrate their ability to protect consumer data and authenticate online transactions to mitigate fraud/cyber risks.

Licensed DITOs will benefit from a Foundational Phase (between 3 and 5 years), during which period lower minimum paid-up capital requirements and proportionate regulatory flexibilities apply, commensurate with their early stage of operations. At the end of the Foundational Phase, DITOs that cannot demonstrate credible prospects for long-term viability or meet higher prudential standards consistent with that applied to all existing licensed insurers and takaful operators will be required to implement an exit plan according to the conditions set out in the Exposure Draft. BNM aims to finalise the Policy Document and invite the applications for licence in 2023. Feedback is sought by 28 April 2023.  [25 Nov 2022]

Madam Kristalina Georgieva, Managing Director of the International Monetary Fund (IMF) had a  roundtable discussion with Thai digital entrepreneurs at the Devavesm Palace, Bank of Thailand (BoT). The discussion highlighted opportunities and challenges related to digitalization in Thailand, especially the productivity and welfare gains from the digital transformation. It also stressed the importance of ensuring regulatory coherence, promoting competition and small players, as well as supporting open infrastructure conducive to interoperability and data accessibility.  [18 Nov 2022]

SEBI had published a consultation paper on cloud framework and  has decided to extend the timeline for submission of comments from 14 November to 28 November 2022.  [22 Nov 2022]

CSDL has  detected malware in a few of its internal machines, which it immediately isolated, and disconnected itself from other constituents of the capital market. CSDL does not believe any confidential information or investor data was compromised and has reported the incident to the relevant authorities. The incident has  since been resolved and settlement activities duly completed. [18 – 20 Nov 2022]