In this regular update, we round up FinTech-related regulatory developments for the week ending 10 September 2021.



IOSCO: Report on use of AI and ML by market intermediaries and asset managers

The International Organization of Securities Commissions (IOSCO) has published a report setting out guidance on regulating and supervising the use of artificial intelligence (AI) and machine learning (ML) by market intermediaries and asset managers. The annexes to the report detail how regulators are addressing the challenges created by AI and ML and the other guidance in this area. [7 Sep 2021]





FCA: Speech on the risks of token regulation

The FCA has published a speech by its Chair, Charles Randell, on the risks of token regulation. In his speech, Mr Randell highlighted:

  • the need for a solution to the problem of online fraud from paid-for advertising;
  • the fact that consumers’ losses while using speculative crypto tokens are not covered or protected by the Financial Services Compensation Scheme (FSCS); and
  • key considerations in the regulation of crypto, including making it harder for such tokens to be used for financial crime and the extent to which consumers should be free to buy unregulated speculative tokens. [6 Sep 2021]


FCA: Updated webpages

The FCA has updated its webpages on the Green FinTech Challenge and the Digital Sandbox. The update states that the application windows for the Green FinTech Challenge 2021 and for the Digital Sandbox open on 6 September 2021. [6 Sep 2021]

BoE: Report on RTGS system and CHAPS

The Bank of England (BoE) has published its Annual Report on the real-time gross settlement (RTGS) system and the clearing house automated payment system (CHAPS). The report sets out the BoE’s strategy for RTGS, the main strategic focus for the year ahead, and the BoE’s response to Covid-19 challenges. [6 Sep 2021]




EC: Updated consultation response deadlines – AML package, incl in relation to crypto-assets

The European Commission (EC) has updated the consultation response deadline for the following consultations under its anti-money laundering (AML) initiative to 5 November 2021:

ESAs: Joint Assessment Report 2021

The European Supervisory Authorities (ESAs) have published their second Joint Assessment Report 2021. The Report highlights the risks of phasing out crisis measures due to increasing vulnerabilities across the financial sector, in particular cyber risks and event-driven risks. The Report sets out policy actions that national competent authorities (NCAs), financial institutions (FIs), and market participants should take to mitigate such risks. [8 Sep 2021]

EC: Strategic Foresight Report 2021

The EC has published its Strategic Foresight Report 2021. This is the second Foresight report which the EC has prepared; these reports give a forward-looking and multi-disciplinary perspective. The report identifies four main global trends affecting the EU’s capacity and freedom to act:

  • climate change and other environmental challenges;
  • digital hyperconnectivity and technological transformation;
  • pressure on democracy and values; and
  • shifts in the global order and demography.

The report also sets out strategic areas for policy action which will inform the EC’s work programme and priority-setting. Among those actions are: strengthening capacity in data management, artificial intelligence and cutting-edge technologies; ensuring a first-mover global position in standard setting; and building resilient and future-proof economic and financial systems. [8 Sep 2021]



Hong Kong

Insurance Authority encourages authorised insurers to consider Cybersec Infohub in their compliance with Guideline on Cybersecurity

The Insurance Authority has issued a circular to inform authorised insurers that the Cybersec Infohub is open for registration.

Cybersec Infohub is a partnership programme jointly administered by the Office of the Government Chief Information Officer and the Hong Kong Internet Registration Corporation Limited. Any local company or organisation that has a business address in Hong Kong and owns a “.hk” internet domain name may register at no cost.

The Cybersec Infohub allows its members to (among other things) access private groups to exchange information on specific topics of common interest and conduct discussions in a closed environment, collect threat intelligence through application programming interfaces, and receive trending cyber threat insights via daily emails.

The Guideline on Cybersecurity (GL20) requires insurers to gather and analyse cyber risk information and participate in relevant fora such as information sharing platforms so that spontaneous and appropriate measures can be taken to combat cyber-attacks as well as other forms of cyber risks.

The Insurance Authority encourages authorised insurers to consider deploying the Cybersec Infohub in their compliance with GL20. A private group for the insurance sector has been set up on the platform to facilitate sharing and collaboration. Each authorised insurer is allowed to designate up to five representatives, and the first one appearing on the e-registration form will be regarded as the primary contact point. [9 Sep 2021]




RBI publishes documents submitted to FMCBG meeting

The RBI has published a press release noting the various documents which it submitted to the Second BRICS (Brazil, Russia, India, China, and South Africa) Finance Ministers’ and Central Bank Governors (FMCBG) Meeting held on 26 August 2021. The RBI tabled:

The documents were prepared by the respective teams of the BRICS central banks. They were approved by the FMCBG during the August meeting. [9 Sep 2021]

RBI: Enhancements to card tokenisation framework

The RBI has announced the following enhancements to the framework on card tokenisation services:

  • the device-based tokenisation framework advised vide circulars of January 2019 and August 2021 has been extended to Card-on-File Tokenisation (CoFT) services; and
  • card issuers have been permitted to offer card tokenisation services as Token Service Providers (TSPs); the tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA).

The notification sets out more detail for payment system providers and payment system participants. [7 Sep 2021]




The DoJ Announces International Money Launderer Prison Sentence for Laundering Millions of Dollars in Cyber Crime Schemes

The DoJ has sentenced a dual Canadian and US national to 140 months in federal prison for conspiring to launder tens of millions of dollars stolen in various wire and bank fraud schemes – including a massive online banking theft by North Korean cyber criminals. According to court documents, the defendant and his co-conspirators used business email compromise schemes, ATM cash-outs and bank cyber-heists to steal money from victims and then launder the money through bank accounts and digital currency. The defendant previously pleaded guilty in two money laundering cases. The defendant was sentenced after pleading guilty to two counts of conspiracy to commit money laundering. As part of his sentence, the defendant is also required to pay more than $30 million in restitution to victims and serve three years of supervised release after completion of his prison sentence. [8 Sep 2021]