Worldwide: FinTech Global FS Regulatory Round-up – W/e 7 July 2023

Global

BIS publishes Parts 2 and 3 of Project Polaris – CBDC, DLT

The Bank for International Settlements (BIS) Innovation Hub has published Part 2 and Part 3 of its Project Polaris workstream. Project Polaris, led out of the BIS Innovation Hub Nordic Centre, focuses on designing secure and resilience central bank digital currency (CBDC) systems, both online and offline.

Part 2 details a security and resilience framework for CBDC systems. The framework leverages existing industry standards and guidelines to provide central banks with a seven-step model for secure and resilient CBDC systems.

Part 3 analyses several notable distributed ledger technology (DLT) attacks in the decentralised finance (DeFi) domain using the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observation. The analysis uses DLT as a starting point to begin threat modelling and gap analysis for CBDC. [7 Jul 2023]

#CBDC #DLT #DeFi

FSB plenary meeting

The Financial Stability Board (FSB) has published details of its plenary meeting in Frankfurt to discuss preliminary lessons learned from the recent banking sector turmoil and the outlook for global financial stability. Topics discussed include: the FSB roadmap for addressing financial risks from climate change; and cryptoasset activities and markets. [7 Jul 2023]

#cryptoassets

UK

PSR consults on legal instruments

The Payment Systems Regulator (PSR) has published a consultation paper  on two draft directions, which are the legal means to put the new Authorised Push Payments (APP) fraud reimbursement requirements in place.

The paper is relevant to the payments industry, consumer groups, payment service providers, and prospective qualifying customers who use APP to send money and will be within scope of the policy, once implemented.

The PSR has proposed an implementation date of 2 April 2024. Responses to the consultation are requested by 25 August 2023. [7 Jul 2023]

#APPFraud

CSPL commences 2023 survey of regulators' approaches to AI

The Committee on Standards in Public Life (CSPL) has published its letter to regulators asking them for an update on how they are adapting to the challenges posed by AI. The CSPL previously wrote to regulators in 2020 to find out how they were adapting their regulatory practices for AI.

The current letter follows up on the recommendations made in the 2020 report with the intention of publishing a formal update on progress later in the year. [7 Jul 2023]

#AI

FCA writes to cryptoasset firms on financial promotion regime

Following the passing of legislation to bring qualifying cryptoassets within the scope of the financial promotion regime, the FCA has published a letter from its Director of Consumer Investments Supervision, Policy and Competition, Lucy Castledine, which confirms that all firms marketing cryptoassets to UK consumers, including firms based overseas, must comply with the financial promotion regime from 8 October 2023.

The letter also discussed:

• the legal routes for communicating cryptoasset promotions to UK consumers;
• how firms should prepare for the financial promotion regime; and
• registration under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. [4 Jul 2023]

#cryptoassets

Europe

EC updates feedback period on payments, open finance and digital euro 

The European Commission (EC) has updated the deadline for comments on the following initiatives to 1 September 2023:

• Payment services – revision of EU rules (new Regulation);
• Payment services – revision of EU rules (Directive);
• Open finance framework – enabling data sharing and third party access in the financial sector;
• A digital euro for the EU; and
• Clarifying the legal tender status of euro banknotes and coins.

All feedback received will be summarised by the EC and presented to the European Parliament and Council with the aim of feeding into the legislative debate. [7 Jul 2023]

#openfinance #digitaleuro #payments 

EBA: Speech on fintech and future of financial intermediation

The EBA has published a speech delivered by its Chairperson, José Manuel Campa, at the Central Bank of Cyprus. The speech focused on the transformation of the financial sector through the use of technology, specifically, the growing role of fintech in the future financial intermediation.

While noting the opportunities created by technological innovations, Mr Campa stressed on the importance of industry, supervisors and regulators staying proactive in identifying, monitoring and mitigating risks that are often multi-faceted and inter-related. [4 Jul 2023]

#fintech

Australia

Cyber security stocktake exposes gaps

The Australian Prudential Regulation Authority (APRA) has released some early findings from an expansive study that it is conducting on cyber resilience in financial services.

As part of this study, APRA's regulated entities are required to appoint an independent auditor to assess their compliance with prudential standard CPS 234 Information Security, which seeks to ensure that regulated entities have baseline prevention, detection and response capability to withstand cyber security threats. APRA states that results from this first tranche of assessments highlight several concerning gaps across the industry. The most common gaps identified in this tranche were:

• incomplete identification and classification for critical and sensitive information assets;
• limited assessment of third-party information security capability;
• inadequate definition and execution of control testing programs;
• incident response plans not being regularly reviewed or tested;
• limited internal audit review of information security controls; and
• inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner. [5 Jul 2023]

#CyberSecurity

Hong Kong

FATF statements and other sanctions updates

The SFC has published a circular to licensed corporations (LCs), licensed virtual asset service providers (VASPs) and associated entities (ACs) regarding recent updates from the Financial Action Task Force (FATF):

• Statement identifying high-risk jurisdictions that are subject to a call for action – In light of the Covid-19 pandemic, the FATF has paused the review process for Iran and the Democratic People's Republic of Korea. While the FATF statement issued in February 2020 may not necessarily reflect the most recent status of such jurisdictions' anti-money laundering and counter-financing of terrorism (AML/CFT) regimes, the FATF's call to apply countermeasures on these high-risk jurisdictions remains in effect. Further, given the continued lack of progress (with the majority of the action items in relation to Myanmar's strategic deficiencies still not addressed after a year beyond the action plan's deadline), the FATF's has called on its members and other jurisdiction to apply enhanced due diligence measures proportionate to the risks arising from Myanmar since October 2022.
• Updated statement on jurisdictions under increased monitoring – The FATF has added Cameroon, Croatia and Vietnam to this list of jurisdictions. The FATF will continue to assess the progress made by the jurisdictions on the list in addressing the deficiencies in their AML/CFT systems, LCs, SFC-licensed VASPs and AEs are reminded to refer to the FATF's website for the latest information, including any updated statements.
• Various outcomes of the FATF plenary held during 21 to 23 June 2023 – They include (among others) the finalisation of the fourth targeted update on the implementation of the FATF standards on virtual assets and VASPs, and the agreement on the release of the updated FATF Best Practices Paper on Combating the Abuse of Non-Profit Organisations and the potential revisions to the FATF Recommendation 8 for public consultation.

The Insurance Authority and the HKMA (to authorised institutions and stored value facility licensees) have also issued circulars regarding the above FATF updates.

The SFC has also issued a circular to provide an early alert regarding amendments to the details of 16 individuals by the United Nations Security Council in relation to its sanction list for Democratic People's Republic of Korea on 30 June 2023. LCs, SFC-licensed VASPs and AEs should update their screening databases with the above changes for sanctions screening of customers and payments. They are reminded to refer to the SFC's circular of 7 February 2018, which sets out the SFC's expectations in respect of the actions they should take regarding sanctions imposed by the UNSC (see our earlier update). [4 – 6 Jul 2023]

#VirtualAssets

Government establishes Task Force on Promoting Web3 Development

The Government has announced the establishment of the Task Force on Promoting Web3 Development, chaired by the Financial Secretary.

The task force comprises 15 non-official members from relevant market sectors, as well as key government officials and heads of financial regulators (the SFC, the HKMA, the Insurance Authority and the HKEX). The term of the non-official members is for two years from 1 July 2023 to 30 June 2025.

The market responded favourably to the Government's policy statement on the development of virtual assets published in October 2022 (see our previous update). As virtual assets are an integral part of a vibrant Web3 ecosystem, the Financial Secretary announced the establishment of the task force in the 2023-24 Budget (see our previous update) to provide recommendations on the sustainable and responsible development of Web3 in Hong Kong. [30 Jun 2023]

#Web3 #VirtualAssets

Singapore

MAS publishes investor protection measures for DPT services

Following an October 2022 consultation on regulatory measures to enhance investor protection and market integrity in Digital Payment Token (DPT) services. The Monetary Authority of Singapore (MAS) has announced new requirements for DPT service providers to safekeep customer assets under a statutory trust before the end of the year.

The new measures aim to mitigate the risk of loss or misuse of customers' assets, facilitate the recovery of customers' assets in the event of a DPT service provider's insolvency and restrict DPT service providers from facilitating lending and staking of DPT tokens by their retail customers.

Additionally, MAS has published a consultation, closing on 3 August 2023, on the draft legislative amendments to the Payment Services Regulations (PSR) to put these requirements into effect. It also intends to publish guidelines in due course to support consistent implementation by the industry. [3 July 2023]

#DPT

India 

SEBI consults on cyber framework 

SEBI has issued a consultation on its proposals for a Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI-regulated entities. SEBI explains that the framework presents a common structure for approaches to cybersecurity and the prevention of cyber risk and incidents. The framework takes a proportionate approach, with some elements applicable to all SEBI-regulated entities, some elements applicable to only specified SEBI-regulated entities, and some elements applicable for market infrastructure institutions (MII).

SEBI summarises the framework as follows: ‘The framework is based on five concurrent and continuous functions of cybersecurity […] Identify, Protect, Detect, Respond, and Recover.' Further, the framework references internationally-recognised standards, including those released by the US National Institute for Standards and Technology (NIST).

Responses to the consultation are requested by 25 July 2023. [4 Jul 2023]

#CyberResilience #CyberSecurity

USA 

CFTC charges alleged Bitcoin seller and former attorney with multi-million dollar bitcoin fraud, imposes over $5 million in restitution

The Commodity Futures Trading Commission (CFTC) has issued two orders simultaneously filing and settling charges against two individuals for perpetrating a multi-million dollar bitcoin fraud.

The orders charge the individuals with engaging in a deceptive and fraudulent scheme where they knowingly or recklessly made false representations to investors inducing them to send over $5 million to one of them, a licensed attorney, to buy bitcoin from the other. After receiving the investors' funds, the individuals failed to deliver the bitcoin as promised and failed to return the investors' funds.

In the orders, the CFTC imposes full restitution for the victims of the fraud and permanent trading and registration bans against the individuals. [6 Jul 2023]

#Bitcoin

NY Fed/NYIC: Research study examines feasibility of theoretical payments system designed to facilitate and settle digital asset transactions

The Federal Reserve Bank of New York's New York Innovation Center (NYIC), in collaboration with members of the U.S. financial services sector, has published the findings of a proof of concept that explored the feasibility of an interoperable network for wholesale payments operating on a shared multi-entity distributed ledger.

The research project, undertaken jointly with private sector organizations, experimented with the concept of a regulated liability network (RLN), a theoretical payment infrastructure designed to support the exchange and settlement of regulated digital assets. While existing payment systems function effectively, certain frictions remain, particularly around speed, cost, accessibility, and the settlement process. This proof of concept explored the feasibility of distributed ledger technology in support of safe and efficient payments.

The study was spearheaded by a collaborative working group leading three workstreams that analyzed the technical feasibility, business applicability, and legal viability of using shared ledger technology to settle the liabilities of regulated financial institutions through the transfer of central bank money. The experiment was conducted in a test environment and used only simulated data. All simulated liabilities were denominated in U.S. dollars. [6 Jul 2023]

#DigitalAssets #DLT