Time to Mobilise: EBA finalises Guidelines on Outsourcing Arrangements

Following consultation in the second half of 2018, the European Banking Authority (“EBA”) published its Final Report on Draft Guidelines on Outsourcing Arrangements (the “Guidelines”) on 25 February 2019.

Most provisions of the Guidelines will enter into force on 30 September 2019. At the same time, the Guidelines will replace those issued by the EBA’s predecessor organisation, the Committee of European Banking Supervisors (“CEBS”), in 2006 and will also incorporate the EBA’s 2017 Recommendation on Outsourcing to Cloud Service Providers, which came into effect on 1 July 2018.

The Guidelines are intended to establish a more harmonised framework for all financial institutions that are within the scope of the EBA’s mandate. The Guidelines apply to credit institutions and investment firms which are subject to the Capital Requirements Directive (“CRD”) as well as payment and electronic money institutions.

The Guidelines are issued under Article 16 of Regulation (EU) No. 1093/2010, the Regulation establishing the EBA. Member States’ competent authorities and financial institutions “must make every effort to comply” with the Guidelines. However, the EBA has acknowledged the need for proportionality within the text of the Guidelines, so that a firm and its competent authority(ies) should have regard to the nature, scale and complexity of the firm’s activities when complying with (or in the case of competent authorities, monitoring compliance with) the Guidelines.

The Guidelines will apply to all outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019. Institutions should review and amend their existing outsourcing arrangements for compliance accordingly. Where an institution has not completed a review of an outsourcing arrangement which relates to critical or important functions by 31 December 2021, this should be notified to the relevant competent authority, along with an explanation of the measures which the institution proposes to take to either complete the review or exit the arrangement.

For many firms, the finalisation of the Guidelines will be a catalyst for a significant programme to review (and potentially rationalise or change) existing outsourcing arrangements. Cross-functional working will be essential, as various control and business functions will have an interest in the use of third party suppliers. Programmes are likely to bring together legal, operational risk, regulatory, compliance, procurement, and audit expertise, while oversight within the three lines of defence approach will need to be allocated not only to business functions but also to appropriate senior management, risk committee and board level to provide good governance of the processes and to ensure that decisions are aligned with business strategy and risk appetite.

We are conducting a detailed review of the Guidelines and will publish a more comprehensive analysis shortly.


In this bulletin we cover the following key developments in the payments and fintech space:

  • Payment Services Bill: On 14 January 2019, the Payment Services Bill (Bill) was passed by the Singapore Parliament. When it comes into force, the Payment Services Act (as the enacted Bill will be known) will introduce two regulatory frameworks: a designation scheme which enables the Monetary Authority of Singapore (MAS) to designate significant payment systems for financial stability reasons, and a licensing regime which allows MAS to regulate a wider range of payment services, including cryptocurrency dealing and exchange services, in a proportionate manner depending on the scope and scale of the provider’s services.
  • Sandbox Express: On 14 November 2018, MAS released a consultation paper on Sandbox Express, which comprises a set of pre-defined sandboxes to complement the existing approach of customised sandboxes.
  • Digital Token Offerings: On 3 December 2018, MAS updated its Guide to Digital Token Offerings which provides general guidance on the application of the securities laws administered by MAS to offers or issues of digital tokens in Singapore.

For more information on the key developments in the payments and fintech space and the implications of the Payment Services Bill, Sandbox Express and Guide to Digital Token Offerings, please see our full bulletin here.

Bridging the FinTech gap: What dividend should we seek from regulatory cooperation across jurisdictions?

Technology-facilitated innovation in financial services, a diverse collection of topics which coalesces under the portmanteau term of “FinTech”, is increasingly in the sights of policy-makers, whether at global, regional and national or state levels.  Keen observers will have noted a proliferation of consultation documents, statements, warnings, speeches and more emanating from national regulators.  Some of these recent publications address specific FinTech applications. Indeed, there has been a veritable deluge of material on Initial Coin Offerings over just the past few months.

Meanwhile, bodies such as the Financial Stability Board (FSB), the influential Basel Committee on Banking Supervision (BCBS), and others, both within and without the traditional regulatory cohort, are making some efforts towards setting out (or attempting to set out) some universal principles or truths which may address an increasingly gaping hole in the global regulatory policy canon.

We are at an early stage in the development of policy responses to FinTech, and it is perhaps unsurprising that globally agreed standards have yet to emerge.


Feedback Statement: Distributed Ledger Technology

The FCA has today published the Feedback Statement (FS) to its April 2017 Discussion Paper (DP) DP17/03 on Distributed Ledger Technology (DLT).

  • In its introduction to the FS, the FCA articulates its position on DLT as follows: “Our aim is to be alive to current and potential developments involving DLT, to keep pace with them, and to strike a proportionate regulatory balance between the risks and opportunities they present. We see regulation as an enabler of positive innovation based on new technologies as well as a means of containing undue risk. Our regulatory philosophy (subject to any risks to our objectives) is to be ‘technology-neutral’.”
  • The FS covers the following areas (key points for each topic are summarised below):
      • Operational risk, including outsourcing and network security;
      • Digital currency, including derivatives and Initial Coin Offerings (ICOs);
      • Digital asset trading and smart contracts;
      • Regulatory reporting;
      • Financial crime; and
      • The General Data Protection Regulation (GDPR).
  • The FCA says that the DP was positively received, with particular support expressed for the FCA’s ‘technology-neutral’ position.
  • Feedback received to the DP also supported the view that the FCA’s current rules are sufficiently flexible to accommodate various technologies, including DLT. Rules were said to present ‘no substantial barriers’ to adopting DLT, although some respondents doubted the compatibility of permissionless networks with the regulatory regime.
  • Some 47 responses to the DP were received, from regulated firms, trade associations, technology providers, law firms and consultancies.
  • As next steps, the FCA will continue to monitor DLT-related market developments and engage both internationally and nationally to help shape the regulatory response.

Operational Risk

  • Use of DLT may affect firms’ exposure to operational risk via changes to/potentially reduced control over people, processes and systems.
  • Permissioned and permissionless DLT does, however, have the potential to enhance operational soundness.
  • Specific operational risks will be dependent on the actual application of DLT.
  • Use of DLT might affect how individual responsibility and accountability is allocated; firms are reminded of the requirements under the SMCR.


  • FCA says that use of permissionless and public networks is not inherently incompatible with the regulatory regime.
  • Firms will need to assess each case to see whether using a DLT network amounts to ‘outsourcing’ in the context of the FCA’s regulatory requirements. The FCA states that it does not consider that using a permissionless network always necessarily amounts to outsourcing in that context.

Network Security

  • Whatever technology is deployed, the FCA expects firms to actively manage their operational risks.
  • Where technology is core to the delivery of a regulated service, FCA expects firms to give their full attention to operational risk management.

Digital Currencies

  • FCA recognises a positive competitive potential in the context of value transmission.
  • With sound risk management, digital currencies may enhance the delivery of financial services, but volatility risk posed by the magnitude and mercurial nature of price fluctuations is one of the risks firms must adequately address.

ICOs and Derivatives

  • FCA says that it is unlikely for most ICOs that investors will have access to UK regulatory protections such as the FSCS or the FOS.
  • FCA comments on the high potential for ICO-related fraudulent activities and the inadequate documentation in so-called white papers for projects (often only in very early stages of development).
  • Whether an ICO falls within the regulatory perimeter needs to be considered on a case-by-case basis.
  • As the ICO market is evolving at a great speed, the FCA will continue to monitor it and engage with the industry, regulators nationally and internationally, and global standard setters to determine whether there is a need for regulatory action. The regulator points to:
      • Its recent consumer alert; and
      • The information it set out on designing an ICO-related business proposition to satisfy the ‘consumer benefit’ criterion for access to the FCA’s Innovation Hub.
  • An Annex to the FS provides detailed regulatory analysis of ICOs.

Digital asset trading and smart contracts

  • DLT could bring several benefits to securities markets, e.g., more efficient post-trade processes and enhanced reporting and data management capabilities. It has the potential to form the core of a central securities depository.
  • It might also help to improve straight-through processing, offer real-time settlement and the elimination of settlement risk, and lead to disintermediation such as the possible removal of the roles played by custodians and settlement agents.
  • A number of challenges need to be addressed before substantial benefits can materialise:

o   It is unclear whether DLT might be adopted broadly across securities markets or remain limited to niche uses.

  • Central banks deciding in future to issue or support a digital currency might spur market participants to invest more resources in DLT.
  • Since it is unlikely that DLT will replace existing market infrastructure for some time, a combination of multiple DLT systems and legacy systems would need to operate with one another.
  • Legal issues, such as the legal status of digital assets and the enforceability of smart contracts, would have to be clarified.
  • DLT-based real-time settlement could eliminate the need for equity clearing, but market users might have a limited appetite for such a development because of the potential loss of opportunities for netting and the absence of anonymity.
  • The continued existence of materialised securities may pose challenges to the adoption of DLT.
  • At this juncture, the FCA does not intend to propose DLT-driven rule changes in the context of asset management or securities markets. It will continue to monitor market developments.

Regulatory Reporting

  • The FCA agrees with the potential benefits of adopting DLT as a RegTech solution and also acknowledges the associated risks.
  • DLT is not the only technology that could improve regulatory reporting. So the FCA continues to explore other possibilities, such as model-driven machine-executable regulatory reporting.
  • Encouraged by the strong level of interest in RegTech by industry stakeholders, the FCA will continue to prioritise its RegTech initiatives as part of FCA Innovate.

Financial Crime

  • DLT has the potential to provide a more robust, tamper-proof record of transactions and, as a result, improve data quality while reducing the likelihood of fraud.  Using DLT does not automatically introduce or increase fundamental financial crime risks.
  • The FCA has however observed the denial of banking services to a number of firms, particularly those who leveraged DLT to facilitate their services. Deploying DLT should not result in a wholesale denial of access to traditional banking services.
  • FCA is keen to explore how DLT can support firms and regulators in fighting financial crime.
  • FCA notes that in some instances, the current regime may need to evolve as more sophisticated tools become available. One of the challenges is the current reliance provisions in the Money Laundering Regulations (MLRs).  However, this is a longer-term reform which would require renegotiation of international standards, e.g., FATF recommendations.


  • The FCA underscores that the Information Commissioner’s Office regulates and enforces GDPR, and encourages firms to follow the Office’s available guidance.  It says it will continue to work with the Office as further use cases emerge.
  • The FCA has not identified any substantial incompatibilities between the Handbook and the GDPR’s requirements, and does not see a material need for further FCA guidance on this issue.


Cat Dankos
Consultant, London
+44 20 7466 7494

Singapore’s MAS issues Guide to Digital Token Offerings

On 14 November 2017, the Monetary Authority of Singapore (MAS) issued a guide during the first day of the Singapore FinTech Festival to provide general guidance on the application of the securities laws administered by the MAS, namely the Securities and Futures Act (SFA) and the Financial Advisers Act, to offers or issues of digital tokens in Singapore.

This follows the MAS’s clarification on 1 August 2017 that an offer or issue of digital tokens would be regulated if these tokens constitute products which are regulated under the SFA. Our e-bulletin in August 2017 regarding the clarification can be accessed here.

In our recent bulletin, we highlight the key points in the MAS guide and set out our observations. If you wish to discuss this further, please do not hesitate to reach out to our Asia team (the contact details of which are set out in the bulletin) or your usual Herbert Smith Freehills contact.

Herbert Smith Freehills LLP is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.


New regulatory trial grounds for FinTech firms in Hong Kong – Regulators announce additional FinTech sandboxes

Last Friday (29 September 2017), Hong Kong financial regulators announced new initiatives aimed at fintech firms, including several new regulatory sandboxes:

  • The Hong Kong Monetary Authority announced plans to launch Fintech Supervisory Sandbox 2.0, an enhanced sandbox that follows on the heels of its Fintech Supervisory Sandbox launched a year ago (further details of which are set out in our e-bulletin here);
  • The Securities and Futures Commission (SFC) announced the launch of a Fintech Regulatory Sandbox and issued further clarification on the meaning of “relevant experience” for responsible officers at fintech firms (see the SFC’s press release here); and
  • The Insurance Authority announced two pilot initiatives – the Insurtech Sandbox and Fast Track.


Singapore: consultation on regulations for the provision of digital advisory services

In line with its recognition of the rapid expansion of, and new products within, the FinTech sphere, the Monetary Authority of Singapore (MAS) issued a consultation paper on 7 June 2017 on the provision of digital advisory services (i.e. advice on investment products using automated, algorithm-based tools, also known as “robo-advisory services”). The consultation closed on 7 July 2017.

Herbert Smith Freehills leads ASIFMA member working group to formulate Best Practices for Effective Development of Fintech

The Asia Securities Industry & Financial Markets Association (ASIFMA) released on Friday afternoon its guide, Best Practices for Effective Development of Fintech. Its press release can be accessed here.

The guide was developed by a member working group at ASIFMA led by Herbert Smith Freehills. The working group has agreed 10 best practices for policymakers and regulators in Asia Pacific to consider as they support the development of fintech in the financial services industry. The best practices acknowledge the delicate balance required between encouraging fintech innovation, and ensuring customer protection and market integrity. 

The best practices are released at a time of rapid development in fintech and increased involvement by financial regulators. Our e-bulletin regarding the best practices and the recent initiatives taken by regulators in the region to support fintech development can be accessed here.

If you would like to discuss the above further, please do not hesitate to contact Will Hallatt, Hannah Cassidy, Mark Robinson, Grace Chong, or your usual Herbert Smith Freehills contact.


Indonesia: Regulatory developments on Fintech in Indonesia (1)

The Indonesian Financial Services Authority (OJK) is in the process of finalising a draft regulation regarding lending services based on information technology (Draft Fintech Lending Regulation). The preparation and finalisation of the Draft Fintech Lending Regulation, which is expected this year, is timely as it seeks to address an acknowledged gap in Indonesia’s current financial services regulatory framework, in an area (including peer-to-peer and other marketplace lending) where fast moving market developments, driven by new technologies and a surge in innovative online financial services, have currently overtaken the existing regulatory framework. 

The Draft Fintech Lending Regulation is the most developed articulation we have yet seen of a draft set of basic rules for the conduct of marketplace lending in Indonesia. The draft regulation seeks to balance the requirements of applying prudential principles (including risk management and consumer protection rules) to regulate marketplace lending, versus creating rules which are too restrictive such that they inhibit the proper development of a young industry. It remains to be seen whether the draft regulation will strike the optimal balance in practice, as much will depend on the details of the implementation policies.

To read more from David Dawborn, Vik Tang, Sakurayuki, Mark Robinson and Jy Millis, from Herbert Smith Freehills in association with Hiswara Bunjamin & Tandjung in Indonesia, click here.

Hong Kong launches regulatory sandbox in wake of developments in Australia, Malaysia, Singapore, and the UK

Since the UK proposed its regulatory sandbox regime in November 2015, APAC countries such as Australia, Malaysia and Singapore have been quick to follow suit with their own proposals for a similar regulatory “safe space”. Hong Kong, although arguably late to the race, has caught up by having its sandbox regime come into effect from the day of announcement (6 September 2016) while other regulators in the APAC region are still going through the process of public consultation (Australia, Malaysia and Singapore). However, unlike other sandbox regimes which aim to cater to a range of firms, the Fintech Supervisory Sandbox (FSS) launched by the Hong Kong Monetary Authority (HKMA) is only open to institutions authorised under the Banking Ordinance and already under the supervision of the HKMA, i.e., licensed banks, restricted licence banks and deposit-taking companies.
