Fintech is a rapidly developing area where developments in the regulatory regime are ongoing. We have created a timeline of key UK and European regulatory milestones to watch out for over the coming months and years.
Fintech is a rapidly developing area where developments in the regulatory regime are ongoing. We have created a timeline of key UK and European regulatory milestones to watch out for over the coming months and years.
This article has also been published by the International Financial Law Review (IFLR).
The payments sector is one of the fastest growing sectors within the financial services industry. It is underpinned by consumers’ widespread move away from physical cash and towards electronic payments. Whether consumers are using payment cards or apps, the result has been a continual increase in the volumes of payments being processed electronically. This has created an enormous opportunity for payments businesses such as FIS and Fiserv (in the US) and Nexi and Klarna (in the EU) to establish themselves as key players in the payment chain, with the potential to become systemically important.
These businesses participate in a well-developed and very active area of the payments sector. So, what comes next?
The use of distributed ledger technology (DLT), and the associated use of cryptocurrencies and other cryptoassets, has long been discussed as a potential means for making global payment systems more efficient and more secure. For many years, payment processing has relied on centralised channels to transfer money, by established participants such as card issuers, clearing banks, and merchant acquiring banks and card schemes. By contrast, DLT involves a decentralised, shared ledger, with no need for central intermediation. It is considered immutable.
The question is, to what extent will cryptoassets become more widely used in the payments sector, including their potential use by central banks. Stablecoins, a relatively recent and topical sub-class of cryptoassets, may play a key role here. It will be interesting to see what types of stablecoins emerge and how they fit into the broader UK regulatory framework applicable to cryptoassets. Another important issue derives from two key aspects of stablecoins that are designed to facilitate payments: (i) in relation to the asset itself – concerns raised by private stablecoins, and whether a central bank digital currency could be an alternative; and (ii) in relation to the technology underlying it – its possible utility as a private payment system and question marks over whether it can co-exist with or link into public payment systems.
Stablecoins: how are they categorised and why does it matter?
“Bitcoin, the first and still the most popular cryptocurrency, began life as a techno-anarchist project to create an online version of cash, a way for people to transact without the possibility of interference from malicious governments or banks.” (The Economist, 30 August 2018)
Sadly for the original creators of cryptocurrencies – and despite their anarchistic intentions, cryptocurrencies and other types of cryptoassets cannot be exempt from the application of law and regulation just because they are a technological construct. The tone for the UK regulatory approach was set in the UK Cryptoassets Taskforce report, where the government stated its ambition for the UK to be the world’s most innovative economy and to maintain its position as one of the leading financial centres globally, to be achieved in part by “allowing innovators in the financial sector that play by the rules to thrive”. The message is clear: innovation is encouraged, but only where it complies with high standards of regulation.
The genesis of stablecoins, a relatively recent sub-category of cryptoassets, was an attempt to address the high price volatility exhibited by many cryptoassets so far. Stablecoins are, in short, cryptoassets that are backed by other assets, including fiat, commodities or other cryptocurrencies (a fuller definition is contained in the Financial Stability Board’s (FSB) ‘Regulatory issues of stablecoins’, 18 October 2019).
There are many types of stablecoin, each with different structures, functions and uses. Despite the word ‘coin’, a stablecoin could constitute a financial derivative, a unit in a collective investment scheme (fund), a debt security, e-money, or another type of specified (regulated) investment. They could potentially fall within any of three broad categories of cryptoassets as described by the UK Financial Conduct Authority (FCA), the categories having been revised in July 2019 following an earlier consultation.The diagram in Figure 1 compares the prior and current UK FCA categories of cryptoassets.
The position could change. During 2020 UK HM Treasury is expected to consult on expanding the regulatory perimeter. The EU Commission is also consulting on an “EU framework for markets in crypto-assets”.
It was the prospect of a stablecoin achieving, in a very short timescale, widespread adoption for transactions currently processed by retail and wholesale payment systems, particularly if integrated into existing online platforms or social media, that brought stablecoins into the sharp focus of national and international regulatory bodies. In a Bank of England speech (Responding to leaps in payments: from unbundling to stablecoins), Christina Segal-Knowles noted that: “In India, Google Tez reported having 50 million users 10 months after its launch in September 2017. In China, Alipay and WeChat Pay by some measures handled more than $37 trillion in mobile payments in 2018”.
The UK and other regulators consider that an appropriate regulatory framework needs to be adopted for stablecoins prior to their launch.
Global stablecoins as a payment asset
Key drivers for the creation of stablecoins as an alternative payment asset include improving
cross-border payments, to increase speed and reduce costs; assisting with financial inclusion
and providing payment tools for people who are underbanked or underserved by financial
services; and the growing preference in society for peer to peer interactions.
However, there are significant challenges and risks arising from use of stablecoins. These include difficulties with legal certainty, sound governance, AML/CFT compliance, operational resilience (including cyber security), consumer/investor and data protection and tax compliance. If stablecoins reach a global scale, they could pose challenges and risks to monetary policy, financial stability, the international monetary system and fair competition.
Here are a selection of key policy points identified by the G7 Working Group on Stablecoins, highlighting why regulators are so concerned about global stablecoins:
- Competition: global stablecoin arrangements could achieve market dominance due to their strong existing networks and the large fixed costs that a potential competitor would need to implement large-scale operations, and the exponential benefit of access to data.
- Stability mechanism: the mechanism used to stabilise the value of a global stablecoin must address market, credit and liquidity risk. If these are not adequately addressed, it could trigger a run, where users would all attempt to redeem their global stablecoins at reference value. Other triggers for a run could include a loss of confidence resulting from a lack of transparency about reserve holdings or if the reporting lacks credibility.
- Credit risk: global stablecoins whose reference assets include bank deposits may be exposed to the credit risk and liquidity risk of the underlying bank.
- Increased cost of funding for banks: if users hold global stablecoins permanently in deposit-like accounts, retail deposits at banks may decline, increasing bank dependence on more costly and volatile sources of funding.
- Change in nature of deposit: in countries whose currencies are part of the stablecoin reserve, some deposits drained from the banking system when retail users buy global stablecoins may be repaid to banks by way of larger wholesale deposits from stablecoin issuers. If banks were to counter this by offering products denominated in global stablecoins, they could be subject to new forms of foreign exchange risk and operational dependencies.
- Exacerbation of bank runs: easy availability of global stablecoins may exacerbate bank runs in times when confidence in one or more banks erodes.
- Shortage of high-quality liquid assets (HQLA): purchases of safe assets for a stablecoin reserve could cause a shortage of HQLA in some markets, potentially affecting financial stability.
- Reduced impact of monetary policy: this could happen in several ways. If, for example, there were multiple currencies in the reserve basket, the return on global stablecoin holdings could be a weighted average of the interest rates on the reserve currencies, attenuating the link between domestic monetary policy and interest rates on global stablecoin deposits. This would be particularly true where the domestic currency is not included in the basket of reserve assets.
The FSB is due to submit a consultative report on stablecoins to the G20 Finance Ministers and Central Bank Governors in April 2020, with a final report in July 2020.
Central bank digital currencies: alternative, interoperable or additional solutions?
Central bank digital currencies (CBDCs) are new variants of central bank money that differ from physical cash or central bank reserve/settlement accounts. There are two potential types of CBDCs: (i) a “wholesale” or “token-based” CBDC – restricted-access digital token for wholesale settlements (for example, interbank payments or securities settlement); and (ii) a general-purpose variant available to the public and based on tokens or accounts, allowing for a variety of ways of distribution.
So how would a CBDC act as an alternative to global stablecoins? A general purpose CBDC would essentially give effect to a disintermediated currency of which the central bank, rather than a private entity, would keep control. The view of the UK central bank, which first raised the possibility of CBDCs in 2015, seems to be evolving. Back in 2018, in his ‘The Future of Money’ speech (March 2 2018), Bank of England Governor Mark Carney identified that a general-purpose CBDC could mean a much greater role for central banks in the financial system. He noted that central banks could find themselves disintermediating commercial banks in normal times and running the risk of destabilising flights to quality in times of stress.
An independent report commissioned by the Bank of England on the Future of Finance noted that there was no compelling case for CBDCs and that the focus should be on improving current systems to allow for private sector innovation. However, in January 2020 the Bank of England announced that it would be participating in a central bank group with six other banks to assess potential use cases on CBDCs.
Payments systems and the transfer technology underlying stablecoins
In his ‘The Future of Money’ speech in 2018, Carney noted the potential for underlying technologies to transform the efficiency, reliability and flexibility of payments by increasing the efficiency of managing data; improving resilience by eliminating central points of failure, as multiple parties share replicated data and functionality; enhancing transparency (and auditability) through the creation of instant, permanent and immutable records of transactions; and expanding the use of straight-through processes, including with smart contracts that on receipt of new information automatically update and if appropriate, pay.
An European Central Bank (ECB) Occasional Paper (‘In search for stability in crypto-assets: are stablecoins the solution?’) notes that: “A platform for the recording of stablecoins and other assets using DLT and smart contracts may either benefit interoperability and competition among different DLT-based infrastructures and issuers – if its governance aims at harmonising the business and technological standards adopted by different operators and issuers competing in the market –, or lead to increased fragmentation if multiple initiatives emerge that compete for the market.”
The Bank of England confirmed in July 2018 that its renewed real-time gross settlement (RTGS) service would support DLT settlement models following a successful proof of concept.
Cryptoassets are a daily reality
The prevailing market views seems to be that in the short to medium term, DLT will augment rather than replace RTGS. Interoperability remains a key challenge, as do the technological and energy requirements of a successful and permanent DLT-based payments system.
Nevertheless, it no longer seems fanciful to talk of cryptoassets forming a daily part of the mainstream payments system. They are no longer only the preserve of speculators, or of payors seeking anonymity. The number of transactions in cryptoassets continues to grow rapidly, and regulators are focused on managing their increasing role in day-to-day financial services. It will be fascinating to see how central banks and regulators continue to respond to the growth of cryptoassets, and where this sector will go next.
In another article entitled, ‘Fintech market enters a new stage of maturity‘, we review macro-developments in Europe.
On 4 October 2019, the Securities and Futures Commission (SFC) published proforma terms and conditions which will apply to virtual asset fund managers that meet specified criteria.
See our latest APAC Fintech E-Bulletin for more.
On 12 July, the European and Securities Markets Authority (ESMA) published its Report on the licensing of FinTech business models (the Report) as part of the European Commission’s wider FinTech Action Plan. While ESMA concluded in its report that it was not necessary to put forward any recommendations to the European Commission to adapt the current financial services legislative framework to address innovative business models in the FinTech industry, the Report did set out some of the key challenges National Competent Authorities (NCAs) are facing in regulating FinTech firms.
On 28 June 2019, the Monetary Authority of Singapore (MAS) announced that it will issue up to five new digital bank licences, which will effectively open digital banking business to non-bank players in Singapore. Announcing the measures at the 46th Annual Dinner of The Association of Banks in Singapore, Mr Tharman Shanmugaratnam, Senior Minister and Chairman of MAS, said that “the new digital bank licences mark the next chapter in Singapore’s banking liberalisation journey. They will ensure that Singapore’s banking sector continues to be resilient, competitive and vibrant.” MAS expects to invite applications for the licences in August 2019.
Authors: Hannah Cassidy, Jeremy Birch, Sheena Loi and Peggy Chow
The Hong Kong Monetary Authority (HKMA) has issued a circular to encourage authorised institutions to adopt the “Ethical Accountability Framework” (EAF) for the collection and use of personal data issued by the Office of the Privacy Commissioner for Personal Data (PCPD). A report on the EAF was published by the PCPD in October 2018 (Report), which explored ethical and fair processing of data through (i) fostering a culture of ethical data governance and (ii) addressing the personal data privacy risks brought by emerging information and communication technologies such as big data analytics, artificial intelligence and machine learning.
The EAF is expressly stated to be non-binding guidance, intended as a first step towards a privacy regime better equipped to address modern challenges. However, the HKMA’s circular arguably elevates the legal status of the EAF for authorised institutions. The HKMA is likely to incorporate the EAF into its broader supervision and inspection of authorised institutions. In particular, in construing the principles based elements of the Supervisory Policy Manual as it applies to FinTech, the EAF will undoubtedly have an influence going forward.
- Tension between the value of data-processing technology and public trust
- Data stewardship accountability
- Data stewardship values
- International Direction of Travel
Big data has no inherent value in its raw form. Its value lies in the ability to convert that data into useful information for organisations, which can then generate knowledge or insight relating to clients or the market as a whole through data analytics or artificial intelligence. Ultimately, this insight results in competitive advantage. However, a tension exists between (i) developing data-processing technology to gain a competitive advantage; and (ii) addressing public distrust arising from the data-intensive nature of such technology.
As the Report highlights, the existing regulatory regime in Hong Kong does not adequately address the privacy and data protection risks that arise from advanced data processing. Big data analytics and artificial intelligence in particular pose challenges to the existing notification and consent based privacy legal framework. These challenges are not limited to the legal framework in Hong Kong. The privacy and data protection legislations on an international level are also ill-equipped to anticipate advances in data-intensive technology.
The PCPD sees the need to provide guidance on how institutions could act ethically in relation to advanced data-processing to foster public trust. It reminds institutions to be effective data stewards, not merely data custodians. Data stewards take into account the interests of all parties and consider whether the outcomes of their advanced data processing are not just legal, but also fair and just.
The PCPD also encourages data stewardship accountability, which calls for institutions to define and translate stewardship values into organisational policies, using an “ethics by design” approach. This approach requires institutions to have data protection in mind at every step and to apply the principles of privacy by default and privacy by design. Privacy by default means that once a product or service has been released to the public, the strictest privacy settings should apply by default. Privacy by design, on the other hand, requires organisations to ensure privacy is built into a system during the entire life cycle of the system. Ultimately, data stewardship should be driven by policies, culture and conduct on an organisational level, instead of technological controls.
Both the privacy by design and the privacy by default principles are mandatory requirements under the EU General Data Protection Regulation (GDPR). The legal development trend is for Asian-based privacy regulators to, whether by means of enacting new laws (e.g. India) or issuing non-mandatory best practice guidance to encourage data users to meet the higher standards under GDPR.
The PCPD encourages institutions to adopt the three “Hong Kong Values”, whilst providing the option to modify each value to better reflect their respective cultures. The three Hong Kong Values listed below are in line with the various Data Protection Principles of the Personal Data (Privacy) Ordinance (Cap. 486):
(i) The “Respectful” value requires institutions to:
- be accountable for conducting advanced data processing activities;
- take into consideration all parties that have interests in the data;
- consider the expectations of individuals that are impacted by the data use;
- make decisions in a reasonable and transparent manner; and
- allow individuals to make inquiries, obtain explanations and appeal decisions in relation to the advanced data processing activities.
(ii) The “Beneficial” value specifies that:
- where advanced data-processing activities have a potential impact on individuals, organisations should define the benefits, identify and assess the level of potential risks;
- where the activities do not have a potential impact on individuals, organisations should identify the risks and assess the materiality of such risks;
- once the organisation has identified all potential risks, it should implement appropriate ways to mitigate such risks.
(iii) The “Fair” value specifies that organisations should:
- avoid actions that are inappropriate, offensive or might constitute unfair treatment or illegal discrimination;
- regularly review and evaluate algorithms and models used in decision-making for any bias and illegal discrimination;
- minimise any data-intensive activities; and
- ensure that the advanced data-processing activities are consistent with the ethical values of the organisation.
The PCPD also encourages institutions to conduct Ethical Data Impact Assessments (EDIAs), allowing them to consider the rights and interests of all parties impacted by the collection, use and disclosure of data. A process oversight model should be in place to ensure the effectiveness of the EDIA. While this oversight could be performed by internal audit, it could also be accomplished by way of an assessment conducted externally.
The approach outlined above is not unique to Hong Kong. In fact, at the time the EAF was announced by the PCPD in October 2018, the 40th International Conference of Data Protection and Privacy Commissioners released a Declaration on Ethics and Protection in Artificial Intelligence (Declaration) which proposes a high level framework for the regulation of artificial intelligence, privacy and data protection. The Declaration endorsed six guiding principles as “core values” to preserve human rights in the development of artificial intelligence and called for common governance principles on artificial intelligence to be established at an international level.
It is clear that there is a global trend toward ethical and fair processing of data in the application of advanced data analytics. For instance, the Monetary Authority of Singapore has formulated similar ethical principles in the use of artificial intelligence and data analytics in the financial sector, announced in November 2018. Another example is the EU’s GDPR’s specific safeguards related to the automated processing of personal data that has, or is likely to have, a significant impact on the data subject, to which the data subject has a right to object. Specifically, a data protection impact assessment assessing the impact of the envisaged processing operations must be carried out before such processing is adopted, if such processing uses new technologies and is likely to result in a high risk to the rights and freedoms of natural persons after taking into account the nature, scope, context and purposes of the processing.
Although this may appear to be a relatively minor development in Hong Kong, we see this as a step in a broader movement toward the regulation of AI and a sea change in the approach to data protection and privacy. The HKMA circular and the EAF are in line with the global data protection law developments, which are largely being led by the EU.
With fintech being a rapidly developing and increasingly regulated area, we have created a timeline of key UK and EU regulatory milestones to watch out for over the coming months and years.
Here is our latest timeline covering key UK and EU regulatory developments in the pipeline. Continue reading