In this weekly post, we round-up FinTech-related financial services regulatory developments for the week ending 7 July 2023.
- New recommendations for reform and development of the law on digital assets
- Remedies for IP infringement by NFTs – the MetaBirkins case continues
BIS publishes Parts 2 and 3 of Project Polaris – CBDC, DLT
The Bank for International Settlements (BIS) Innovation Hub has published Part 2 and Part 3 of its Project Polaris workstream. Project Polaris, led out of the BIS Innovation Hub Nordic Centre, focuses on designing secure and resilience central bank digital currency (CBDC) systems, both online and offline.
Part 2 details a security and resilience framework for CBDC systems. The framework leverages existing industry standards and guidelines to provide central banks with a seven-step model for secure and resilient CBDC systems.
Part 3 analyses several notable distributed ledger technology (DLT) attacks in the decentralised finance (DeFi) domain using the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observation. The analysis uses DLT as a starting point to begin threat modelling and gap analysis for CBDC. [7 Jul 2023]
#CBDC #DLT #DeFi
FSB plenary meeting
The Financial Stability Board (FSB) has published details of its plenary meeting in Frankfurt to discuss preliminary lessons learned from the recent banking sector turmoil and the outlook for global financial stability. Topics discussed include: the FSB roadmap for addressing financial risks from climate change; and cryptoasset activities and markets. [7 Jul 2023]
PSR consults on legal instruments
The Payment Systems Regulator (PSR) has published a consultation paper on two draft directions, which are the legal means to put the new Authorised Push Payments (APP) fraud reimbursement requirements in place.
The paper is relevant to the payments industry, consumer groups, payment service providers, and prospective qualifying customers who use APP to send money and will be within scope of the policy, once implemented.
The PSR has proposed an implementation date of 2 April 2024. Responses to the consultation are requested by 25 August 2023. [7 Jul 2023]
CSPL commences 2023 survey of regulators’ approaches to AI
The Committee on Standards in Public Life (CSPL) has published its letter to regulators asking them for an update on how they are adapting to the challenges posed by AI. The CSPL previously wrote to regulators in 2020 to find out how they were adapting their regulatory practices for AI.
The current letter follows up on the recommendations made in the 2020 report with the intention of publishing a formal update on progress later in the year. [7 Jul 2023]
FCA writes to cryptoasset firms on financial promotion regime
Following the passing of legislation to bring qualifying cryptoassets within the scope of the financial promotion regime, the FCA has published a letter from its Director of Consumer Investments Supervision, Policy and Competition, Lucy Castledine, which confirms that all firms marketing cryptoassets to UK consumers, including firms based overseas, must comply with the financial promotion regime from 8 October 2023.
The letter also discussed:
EC updates feedback period on payments, open finance and digital euro
The European Commission (EC) has updated the deadline for comments on the following initiatives to 1 September 2023:
All feedback received will be summarised by the EC and presented to the European Parliament and Council with the aim of feeding into the legislative debate. [7 Jul 2023]
#openfinance #digitaleuro #payments
EBA: Speech on fintech and future of financial intermediation
The EBA has published a speech delivered by its Chairperson, José Manuel Campa, at the Central Bank of Cyprus. The speech focused on the transformation of the financial sector through the use of technology, specifically, the growing role of fintech in the future financial intermediation.
While noting the opportunities created by technological innovations, Mr Campa stressed on the importance of industry, supervisors and regulators staying proactive in identifying, monitoring and mitigating risks that are often multi-faceted and inter-related. [4 Jul 2023]
Cyber security stocktake exposes gaps
The Australian Prudential Regulation Authority (APRA) has released some early findings from an expansive study that it is conducting on cyber resilience in financial services.
As part of this study, APRA’s regulated entities are required to appoint an independent auditor to assess their compliance with prudential standard CPS 234 Information Security, which seeks to ensure that regulated entities have baseline prevention, detection and response capability to withstand cyber security threats. APRA states that results from this first tranche of assessments highlight several concerning gaps across the industry. The most common gaps identified in this tranche were:
FATF statements and other sanctions updates
The SFC has published a circular to licensed corporations (LCs), licensed virtual asset service providers (VASPs) and associated entities (ACs) regarding recent updates from the Financial Action Task Force (FATF):
The SFC has also issued a circular to provide an early alert regarding amendments to the details of 16 individuals by the United Nations Security Council in relation to its sanction list for Democratic People’s Republic of Korea on 30 June 2023. LCs, SFC-licensed VASPs and AEs should update their screening databases with the above changes for sanctions screening of customers and payments. They are reminded to refer to the SFC’s circular of 7 February 2018, which sets out the SFC’s expectations in respect of the actions they should take regarding sanctions imposed by the UNSC (see our earlier update). [4 – 6 Jul 2023]
Government establishes Task Force on Promoting Web3 Development
The Government has announced the establishment of the Task Force on Promoting Web3 Development, chaired by the Financial Secretary.
The task force comprises 15 non-official members from relevant market sectors, as well as key government officials and heads of financial regulators (the SFC, the HKMA, the Insurance Authority and the HKEX). The term of the non-official members is for two years from 1 July 2023 to 30 June 2025.
The market responded favourably to the Government’s policy statement on the development of virtual assets published in October 2022 (see our previous update). As virtual assets are an integral part of a vibrant Web3 ecosystem, the Financial Secretary announced the establishment of the task force in the 2023-24 Budget (see our previous update) to provide recommendations on the sustainable and responsible development of Web3 in Hong Kong. [30 Jun 2023]
MAS publishes investor protection measures for DPT services
Following an October 2022 consultation on regulatory measures to enhance investor protection and market integrity in Digital Payment Token (DPT) services. The Monetary Authority of Singapore (MAS) has announced new requirements for DPT service providers to safekeep customer assets under a statutory trust before the end of the year.
The new measures aim to mitigate the risk of loss or misuse of customers’ assets, facilitate the recovery of customers’ assets in the event of a DPT service provider’s insolvency and restrict DPT service providers from facilitating lending and staking of DPT tokens by their retail customers.
Additionally, MAS has published a consultation, closing on 3 August 2023, on the draft legislative amendments to the Payment Services Regulations (PSR) to put these requirements into effect. It also intends to publish guidelines in due course to support consistent implementation by the industry. [3 July 2023]
SEBI consults on cyber framework
SEBI has issued a consultation on its proposals for a Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI-regulated entities. SEBI explains that the framework presents a common structure for approaches to cybersecurity and the prevention of cyber risk and incidents. The framework takes a proportionate approach, with some elements applicable to all SEBI-regulated entities, some elements applicable to only specified SEBI-regulated entities, and some elements applicable for market infrastructure institutions (MII).
SEBI summarises the framework as follows: ‘The framework is based on five concurrent and continuous functions of cybersecurity […] Identify, Protect, Detect, Respond, and Recover.’ Further, the framework references internationally-recognised standards, including those released by the US National Institute for Standards and Technology (NIST).
Responses to the consultation are requested by 25 July 2023. [4 Jul 2023]
CFTC charges alleged Bitcoin seller and former attorney with multi-million dollar bitcoin fraud, imposes over $5 million in restitution
The Commodity Futures Trading Commission (CFTC) has issued two orders simultaneously filing and settling charges against two individuals for perpetrating a multi-million dollar bitcoin fraud.
The orders charge the individuals with engaging in a deceptive and fraudulent scheme where they knowingly or recklessly made false representations to investors inducing them to send over $5 million to one of them, a licensed attorney, to buy bitcoin from the other. After receiving the investors’ funds, the individuals failed to deliver the bitcoin as promised and failed to return the investors’ funds.
In the orders, the CFTC imposes full restitution for the victims of the fraud and permanent trading and registration bans against the individuals. [6 Jul 2023]
NY Fed/NYIC: Research study examines feasibility of theoretical payments system designed to facilitate and settle digital asset transactions
The Federal Reserve Bank of New York’s New York Innovation Center (NYIC), in collaboration with members of the U.S. financial services sector, has published the findings of a proof of concept that explored the feasibility of an interoperable network for wholesale payments operating on a shared multi-entity distributed ledger.
The research project, undertaken jointly with private sector organizations, experimented with the concept of a regulated liability network (RLN), a theoretical payment infrastructure designed to support the exchange and settlement of regulated digital assets. While existing payment systems function effectively, certain frictions remain, particularly around speed, cost, accessibility, and the settlement process. This proof of concept explored the feasibility of distributed ledger technology in support of safe and efficient payments.
The study was spearheaded by a collaborative working group leading three workstreams that analyzed the technical feasibility, business applicability, and legal viability of using shared ledger technology to settle the liabilities of regulated financial institutions through the transfer of central bank money. The experiment was conducted in a test environment and used only simulated data. All simulated liabilities were denominated in U.S. dollars. [6 Jul 2023]