IOSCO proposes updated Outsourcing Principles as Covid-19 drives operational resilience to the top of the agenda

Having initially delayed its planned consultation exercise to allow the financial services sector to focus on responding to Covid-19, the International Organization of Securities Commissions (IOSCO) subsequently found the pandemic a catalyst to proceed. Therefore, at the end of May, IOSCO launched its consultation on proposed updates to the 2005 Outsourcing Principles for Market Intermediaries and the 2009 Outsourcing Principles for Markets; feedback on the proposed new Outsourcing Principles (OPs) is requested on or before 1 October 2020. The decision to proceed reflects the acknowledgement that outsourcing is a key element for consideration when assessing operational resilience across the sector.

This post gives a high-level summary of the consultation, with a link to our briefing that focuses in more detail on: the scope of application; IOSCO’s definition of outsourcing; intragroup arrangements; concentration risk; and access and audit rights. To provide additional context to IOSCO’s proposals, the associated briefing also catalogues relevant proposals and initiatives which are running concurrently with the consultation exercise.


COVID-19 Governance: SFC extends deadline for data storage compliance (Hong Kong)

The Hong Kong Securities and Futures Commission (SFC) has extended its deadline for licensed corporations to confirm compliance with its new data storage regulations, due to the COVID-19 outbreak.

On 31 March 2020, the SFC granted a six-month extension to the implementation deadline for aspects of its 31 October 2019 circular on the use of external electronic data storage providers (EDSPs) by licensed corporations for the storage of regulatory records (EDSP Circular).


Guideline on Cybersecurity for Hong Kong authorised insurers will come into effect on 1 January 2020

Last Friday, the Hong Kong Insurance Authority published its Guideline on Cybersecurity (GL 20) for authorised insurers. GL 20 will take effect on 1 January 2020.

Cybersecurity is a global regulatory focus and a top priority area for the Insurance Authority, given the growing exposure to cyber risk as a result of increased digital connectivity.


Renewed focus on compensation to address misconduct risk

The Financial Stability Board (FSB) released on 23 November 2018 its recommendations on the types of data regulators should be collecting from financial institutions (FIs) regarding compensation tools, as part of its workplan to address misconduct risk in FIs. This data is intended to help regulators monitor the effectiveness of FIs’ compensation structures in addressing misconduct risk and assessing whether additional measures are required.

To read our full briefing on the matter, please click here.


Feedback Statement: Distributed Ledger Technology

The FCA has today published the Feedback Statement (FS) to its April 2017 Discussion Paper (DP) DP17/03 on Distributed Ledger Technology (DLT).

  • In its introduction to the FS, the FCA articulates its position on DLT as follows: “Our aim is to be alive to current and potential developments involving DLT, to keep pace with them, and to strike a proportionate regulatory balance between the risks and opportunities they present. We see regulation as an enabler of positive innovation based on new technologies as well as a means of containing undue risk. Our regulatory philosophy (subject to any risks to our objectives) is to be ‘technology-neutral’.”
  • The FS covers the following areas (key points for each topic are summarised below):
      o   Operational risk, including outsourcing and network security;
      o   Digital currency, including derivatives and Initial Coin Offerings (ICOs);
      o   Digital asset trading and smart contracts;
      o   Regulatory reporting;
      o   Financial crime; and
      o   The General Data Protection Regulation (GDPR).
  • The FCA says that the DP was positively received, with particular support expressed for the FCA’s ‘technology-neutral’ position.
  • Feedback received to the DP also supported the view that the FCA’s current rules are sufficiently flexible to accommodate various technologies, including DLT. Rules were said to present ‘no substantial barriers’ to adopting DLT, although some respondents doubted the compatibility of permissionless networks with the regulatory regime.
  • Some 47 responses were received to the DP, ranging from regulated firms and trade associations to technology providers, law firms and consultancies.
  • As next steps, the FCA will continue to monitor DLT-related market developments and engage both internationally and nationally to help shape the regulatory response.

Operational Risk

  • Use of DLT may affect firms’ exposure to operational risk via changes to/potentially reduced control over people, processes and systems.
  • Permissioned and permissionless DLT do, however, have the potential to enhance operational soundness.
  • Specific operational risks will be dependent on the actual application of DLT.
  • Use of DLT might affect how individual responsibility and accountability are allocated; firms are reminded of the requirements under the SMCR.


Outsourcing

  • FCA says that use of permissionless and public networks is not inherently incompatible with the regulatory regime.
  • Firms will need to assess each case to see whether using a DLT network amounts to ‘outsourcing’ in the context of FCA’s regulatory requirements. FCA states that it does not consider that using a permissionless network always necessarily amounts to outsourcing in that context.

Network Security

  • Whatever technology is deployed, the FCA expects firms to actively manage their operational risks.
  • Where technology is core to the delivery of a regulated service, FCA expects firms to give their full attention to operational risk management.

Digital Currencies

  • FCA recognises a positive competitive potential in the context of value transmission.
  • With sound risk management, digital currencies may enhance the delivery of financial services, but volatility risk posed by the magnitude and mercurial nature of price fluctuations is one of the risks firms must adequately address.

ICOs and Derivatives

  • FCA says that it is unlikely for most ICOs that investors will have access to UK regulatory protections such as the FSCS or the FOS.
  • FCA comments on the high potential for ICO-related fraudulent activities and the inadequate documentation in the so-called white papers of projects (often only in very early stages of development).
  • Whether an ICO falls within the regulatory perimeter needs to be considered on a case-by-case basis.
  • As the ICO market is evolving at a great speed, the FCA will continue to monitor it and engage with the industry, regulators nationally and internationally, and global standard setters to determine whether there is a need for regulatory action. The regulator points to:
      o   Its recent consumer alert; and
      o   The information it set out on designing an ICO-related business proposition to satisfy the ‘consumer benefit’ criterion for access to the FCA’s Innovation Hub.
  • An Annex to the FS provides detailed regulatory analysis of ICOs.

Digital asset trading and smart contracts

  • DLT could bring several benefits to securities markets, e.g., more efficient post-trade processes and enhanced reporting and data management capabilities. It has the potential to form the core of a central securities depository.
  • It might also help to improve straight-through processing, offer real-time settlement and the elimination of settlement risk, and lead to disintermediation such as the possible removal of the roles played by custodians and settlement agents.
  • A number of challenges need to be addressed before substantial benefits can materialise:
      o   It is unclear whether DLT might be adopted broadly across securities markets or remain limited to niche uses.
  • Central banks deciding in future to issue or support a digital currency might spur market participants to invest more resources in DLT.
  • Since it is unlikely that DLT will replace existing market infrastructure for some time, a combination of multiple DLT systems and legacy systems would need to operate with one another.
  • Legal issues, such as the legal status of digital assets and the enforceability of smart contracts, would have to be clarified.
  • DLT-based real-time settlement could eliminate the need for equity clearing, but market users might have a limited appetite for such a development because of the potential loss of opportunities for netting and the absence of anonymity.
  • The continued existence of materialised securities may pose challenges to the adoption of DLT.
  • At this juncture, the FCA does not intend to propose DLT-driven rule changes in the context of asset management or securities markets. It will continue to monitor market developments.

Regulatory Reporting

  • The FCA agrees with the potential benefits of adopting DLT as a RegTech solution and also acknowledges the associated risks.
  • DLT is not the only technology that could improve regulatory reporting, so the FCA continues to explore other possibilities, such as model-driven machine-executable regulatory reporting.
  • Encouraged by the strong level of interest in RegTech by industry stakeholders, FCA will continue to prioritise its RegTech initiatives as part of FCA Innovate.

Financial Crime

  • DLT has the potential to provide a more robust, tamper-proof record of transactions and, as a result, improve data quality while reducing the likelihood of fraud. Using DLT does not automatically introduce or increase fundamental financial crime risks.
  • The FCA has, however, observed the denial of banking services to a number of firms, particularly those who leveraged DLT to facilitate their services. Deploying DLT should not result in a wholesale denial of access to traditional banking services.
  • FCA is keen to explore how DLT can support firms and regulators in fighting financial crime.
  • FCA notes that in some instances, the current regime may need to evolve as more sophisticated tools become available. One of the challenges is the current reliance provisions in the Money Laundering Regulations (MLRs). However, this is a longer-term reform which would require renegotiation of international standards, e.g., FATF recommendations.


GDPR

  • The FCA underscores that the Information Commissioner’s Office regulates and enforces GDPR, and encourages firms to follow the Office’s available guidance. It says it will continue to work with the Office as further use cases emerge.
  • The FCA has not identified any substantial incompatibilities between the Handbook and the GDPR’s requirements, and does not see a material need for further FCA guidance on this issue.


Cat Dankos
Consultant, London
+44 20 7466 7494