In this regular update, we round up FinTech-related regulatory developments for the week ending 20 August 2021.



FCA: Updated webpage – SCA

The FCA has updated its webpage on strong customer authentication (SCA). The update concerns the FCA’s decision not to incorporate the European Banking Authority’s (EBA) view of ‘inherence’ in its Approach Document. This decision follows on from the FCA’s Consultation Paper 21/3 (CP21/3) earlier this year. [20 Aug 2021]



FCA: Portfolio strategy letter on IBCF

The FCA has published a template version of its ‘Dear CEO’ letter setting out its supervisory strategy for firms in the investment-based crowdfunding (IBCF) portfolio. Having previously written to all IBCF firms in February 2020 setting out its concerns and expectations for the IBCF market, the FCA has provided an update on its view of the key risks it has seen in the IBCF market, its expectations of firms, and a summary of the work it intends to undertake.

The FCA also reminds firms that it will use the Senior Managers and Certification Regime (SMCR), which applied to IBCF platforms from 9 December 2019, to engage directly with accountable individuals on areas of concern. [17 Aug 2021]




Federal Court considers efficacy of publishing misconduct notices on mobile banking apps

The Federal Court of Australia has considered whether it is appropriate to publish misconduct notices on a bank’s app acknowledging its false, misleading or deceptive conduct in overcharging interest on business overdraft accounts. The Court indicated that the time had come to reconsider the approach to such orders.

Section 12GLB of the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act) allows the Court to make punitive orders requiring adverse publicity.

The Court ultimately determined that it was not appropriate to publish misconduct notices on the bank’s app based on the evidence and circumstances. In coming to this conclusion, the Court considered the informative function that would be satisfied by publishing the misconduct notices on the bank’s app, the punitive effects the order would have on the bank and its customers, and the extent to which it could be mitigated.

In considering the non-punitive purpose of informing the public, the Court accepted that the publication of the misconduct notice would inform the relevant audience of the misconduct, while recognising that there was likely to be a significant “overspill” for customers using the bank’s app to whom the misconduct notices did not relate and who were unaware of the context.

In considering the punitive purpose, the Court reluctantly made a finding of fact based on the evidence that there was not an insignificant risk that the misconduct notices were open to be misinterpreted by the users of the bank’s app with lower literacy rates. The Court also accepted based on the evidence that it may cause some customers to be confused, anxious, distressed, alarmed, suspicious, and/or uncertain, which may have further consequences on how consumers conduct their finances. Accordingly, the Court was not satisfied that the punitive purpose and consumer-protection functions of s 12GLB of the ASIC Act would be advanced.

In considering mitigation, the Court found that, without experimentation and research as to the potential consequences the publication would have on the bank and its customers, it was not satisfied that the order would achieve the punitive and non-punitive purposes of s 12GLB of the ASIC Act.

The Court made further observations that there was merit in rethinking the approach to how an adverse publication notice is made under s 12GLB of the ASIC Act. Although the Court was satisfied that the ordering of publications on the bank’s website and newsroom had some limited utility, the Court was not convinced that it was optimal. The Court ultimately left open that, on other evidence, it would not be inappropriate to make an order requiring misconduct notices to be published on a bank’s app.

The orders made by the Court required the Bank to:

  • publish, at its own expense, both a written and an audio-visual adverse publicity notice on its website and newsroom; and
  • ensure that each adverse publicity notice appears immediately upon access by a person to the landing page as a picture tile on the websites under the heading, “Notification of Misconduct by [the Bank]” and is maintained for 90 days.

The bank was found to have breached the law on 12,119 occasions when it charged higher-than-advised interest rates on business overdraft accounts. The bank was ordered to pay a penalty of $7 million for the misconduct. [16 Aug 2021]





OJK issued new regulation on commercial banks

OJK has published on its website OJK Regulation No. 12/POJK.03/2021 on Commercial Banks (in Indonesian language). It is a new implementing regulation to the Indonesian banking law (in Indonesian language) and aims to, among others, align the Indonesian banking regulatory framework with the rapid development brought about by digitalisation in the banking sector and strengthen banks’ resilience.

The new regulation will come into effect on 30 October 2021. Some notable changes introduced are as follows:

  • newly licensed Indonesian banks will be required to maintain a minimum subscribed and paid-up capital of IDR 10,000 billion – this was previously IDR 3,000 billion;
  • introduction of the concept of ‘digital bank’; and
  • banks’ classification will be changed from Bank Umum Kelompok Usaha (Commercial Bank Business Group or BUKU) to Kelompok Usaha Berdasarkan Modal Inti (Core Capital Business Group or KBMI).

The new regulation will also revoke several existing regulations and provisions, including Bank Indonesia Regulation No. 11/1/PBI/2009 on Commercial Banks and OJK Regulation No. 6/POJK.03/2016 on Banks’ Business Activities and Office Network Based on Core Capital (both in Indonesian language). [20 Aug 2021]





BOT retail CBDC pilot

Based on findings from a study it has undertaken and feedback received through a public consultation exercise, the Bank of Thailand (BOT) has established guidelines for the development and testing of a retail central bank digital currency (CBDC) in a real-life environment (Pilot Test) under two tracks:

  • the Foundation Track: To test and evaluate the usage of CBDC in conducting cash-like activities within a limited scale, such as accepting, converting, or paying for goods and services. This phase of testing is expected to begin in the second quarter of 2022; and
  • the Innovation Track: To test and evaluate the ways in which CBDC can be further developed for innovative use cases, by allowing for participation from the private sector and technology developers. The BOT is currently in the process of considering the format and criteria for participation. [19 Aug 2021]

BOT announces launch of Indonesia and Thailand cross-border QR payment linkage

The BOT has announced the launch of the Indonesian and Thai cross-border QR payment linkage. The launch is the project’s pilot phase, in preparation for full commercial launch in 2022. At this stage, users from Indonesia are now able to use their mobile payment applications to scan Thai QR Codes to make payments to merchants across Thailand. Likewise, users from Thailand are now able to use their mobile payment applications to scan QRIS (Quick Response Code Indonesian Standard) to pay for goods and services at merchants in Indonesia and also use this service for their cross-border e-commerce transactions. [17 Aug 2021]






SEBI circular on ‘security and covenant monitoring’ using DLT

SEBI has released a circular on ‘security and covenant monitoring’ using distributed ledger technology (DLT). SEBI has previously outlined the process for independent ‘due diligence’ by debenture trustee(s) on assets of an issuer company for the purpose of creation of security and ‘periodical monitoring’ of security created and enhanced disclosures on the website by debenture trustee(s) on a continuous basis.

SEBI established a working group to consider ways to strengthen the process of security creation, monitoring of security creation, monitoring of asset cover and covenants of the non-convertible securities. The working group recommended the development of a platform, the ‘Security and Covenant Monitoring System’, to be hosted by depositories which will use DLT.

The circular describes the roles and responsibilities of various stakeholders in the new system. The system is due to come into effect from 1 April 2022; testing will commence from 1 January 2022. [13 Aug 2021]




DoJ Announces that Ohio Resident Pleads Guilty to Operating Darknet-Based Bitcoin ‘Mixer’ That Laundered Over $300 Million

The Department of Justice (DoJ) has announced that an Ohio man pleaded guilty to a money laundering conspiracy arising from his operation of a Darknet-based cryptocurrency laundering service. According to court documents, the defendant admitted that he operated the cryptocurrency laundering service from 2014 to 2017. It functioned as a bitcoin ‘mixer’ or ‘tumbler’, allowing customers, for a fee, to send bitcoin to designated recipients in a manner that was designed to conceal the source or owner of the bitcoin. The cryptocurrency laundering service was linked to and associated with a Darknet search engine also run by the defendant. The defendant advertised the cryptocurrency laundering service to customers on the Darknet to conceal transactions from law enforcement. [18 Aug 2021]





FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors

The Financial Industry Regulatory Authority (FINRA) has published a Notice stating that member firms are increasingly using third-party vendors to perform a wide range of core business and regulatory oversight functions. FINRA’s Notice aims to remind member firms of their obligation to establish and maintain a supervisory system, including written supervisory procedures (WSPs), for any activities or functions performed by third-party vendors, including any sub-vendors (collectively, vendors), that is reasonably designed and compliant with applicable securities laws and regulations and FINRA rules. The Notice reiterated applicable regulatory obligations; summarized recent trends in examination findings, observations and disciplinary actions; and provided questions member firms may consider when evaluating their systems, procedures and controls relating to vendor management. [13 Aug 2021]

FFIEC Issues Guidance on Authentication and Access to Financial Institution Services and Systems 

The Federal Financial Institutions Examination Council (FFIEC) has issued guidance that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and information systems. The guidance:

  • highlights the current cybersecurity threat environment, including increased remote access by customers and users and attacks that leverage compromised credentials, and mentions the risks arising from push payment capabilities;
  • recognizes the importance of the financial institution’s risk assessment to determine appropriate access and authentication practices for the wide range of users accessing financial institution systems and services;
  • supports a financial institution’s adoption of layered security and underscores weaknesses in single-factor authentication;
  • discusses how multi-factor authentication or controls of equivalent strength can more effectively mitigate risks; and
  • includes examples of authentication controls, and a list of government and industry resources and references to assist financial institutions with authentication and access management. [11 Aug 2021]