Japan’s Financial Services Agency sets out expectations on operational resilience
The Japanese Financial Services Agency (FSA) has published a discussion paper setting out the importance of operational resilience as financial institutions increasingly rely on cloud services and FinTech services. Firms are expected to develop a framework to ensure early recovery and impact mitigation when disruptions occur. The paper sets out expectations regarding the identification of critical operations, setting tolerances for disruption and understanding interconnection between management resources. Japan’s FSA will look to promote best practice, engage with stakeholders and contribute to international discussion on this topic.
SEC proposes rule on conflicts of interest and predictive data analytics
On July 26th, the SEC released a rule proposal aimed at addressing potential conflicts of interest arising from the use of predictive data analytics (PDA) by broker-dealers and investment advisers in investor interactions. The Commission refers to the use of what it defines as “PDA-like” technologies and includes artificial intelligence (AI) and machine learning in this category. Key considerations include what constitutes “covered technology”, which the proposal defines in fairly broad terms as: “an analytical, technological, or computational function, algorithm, model, correlation matrix, or similar method or process that optimizes for, predicts, guides, forecasts, or directs investment-related behaviors or outcomes in an investor interaction.” The rule would require a firm to mitigate the effects of conflicts of interest stemming from the use of “covered technologies” when interacting with investors which place the firm or an associated persons interest ahead of those of the investor. Additionally, the rule would require a firm using PDA in such a way to maintain written policies and procedures designed to prevent rule violations once the final version is implemented. Comments are due 60 days after publication in the Federal Register.
UK FCA chief sets out UK regulatory approach to AI in financial services
The head of the UK Financial Conduct Authority (FCA) Nikhil Rathi outlined in a speech the FCA’s regulatory approach to the rise of artificial intelligence (AI) in financial services. Rathi highlighted the competition implications of firms having access to unique and comprehensive data sets and stressed that the forthcoming UK Critical Third Parties regime will set standards for service providers, including AI service providers. He also underlined that the FCA will take a robust line on the need for fraud prevention and operational resilience and that the FCA is examining how financial services firms should be able to explain their AI models or prove that they behaved in a way as expected, particularly when things go wrong.
Rathi reflected on the FCA’s innovation efforts through its tech horizon scanning and synthetic data capabilities and the establishment of their Digital Sandbox. The FCA has also developed its supervision technology by using AI techniques for firm segmentation, portfolio monitoring and risky behavior identification. Looking ahead, the FCA will publish a feedback statement to its discussion paper on AI in financial services later this year.
Indian regulator consults on consolidated cyber resilience framework
The Securities and Exchange Board of India (SEBI) has issued proposals for consultation on a Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) to assist firms in mitigating cyber risks. SEBI notes that the use of information technology has grown rapidly in the financial markets industry and has become a critical component of business operations. As such, the protection of technological infrastructure and data through cyber security measures has become a key priority for SEBI and the firms it oversees. The proposed CSCRF is designed to enhance the scope of the existing framework for cyber resilience as well as address the need for uniformity in the cyber security guidelines and strengthen the mechanisms for dealing with cyber risks, threats and incidents.
US FTC opens investigation into OpenAI
The Federal Trade Commission (FTC) is investigating whether OpenAI’s ChatGPT has harmed people by publishing false information about them. The new FTC investigation under Chair Lina Khan marks a significant escalation of the federal government’s role in policing the emerging technology. In a civil subpoena to the company, the FTC says its investigation of ChatGPT focuses on whether OpenAI has “engaged in unfair or deceptive practices relating to risks of harm to consumers, including reputational harm.” The company is asked to describe in detail the extent to which they have taken steps to address or mitigate risks that their large language model products could generate statements about real individuals that are false, misleading or disparaging. Khan, who appeared before the House Judiciary Committee, said the agency is concerned that ChatGPT and other AI-driven apps have no checks on the data they can mine. The FTC also asked the company detailed questions about its data-security practices as well as its marketing efforts, practices for training AI models, and handling of users’ personal information.
European legislators strike agreement on Data Act and announce EU-US Data Privacy Framework
European legislators have reached a political agreement on the European Data Act that aims to establish harmonized rules on fair access to and use of industrial data. The EU considers machine- and device-generated data to be an untapped resource for European technological innovation efforts. The rules aim to boost the EU’s data economy by unlocking industrial data, optimizing data accessibility and use, and fostering a competitive and reliable European cloud market. The Data Act will specify who can access and use data generated across different economic sectors and is designed to ease the switching of data processing service providers. This provisional agreement now needs to be endorsed by the Council and the European Parliament and then adopted following the technical review.
In parallel, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework, concluding that the US ensures an adequate level of protection for personal data transferred from the EU to US companies. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards. There is no time limitation, but the Commission will continuously monitor relevant developments in the US and regularly review the adequacy decision.
Singapore industry consortium releases toolkit for responsible use of AI in the financial sector
Singapore’s Monetary Authority (MAS) announced the release of an open-source toolkit to enable the responsible use of AI in the financial industry. The Veritas Toolkit version 2.0 is intended to help financial institutions embed the Fairness, Ethics, Accountability and Transparency (FEAT) principles that provide guidance to firms offering financial products and services on the responsible use of AI and data analytics. The Veritas Toolkit is the first responsible AI toolkit developed specifically for the financial industry. Lessons from the pilot integration of the Veritas methodology include the importance of having a consistent and robust responsible AI framework that spans geographies, a risk-based approach to AI governance, and responsible AI practices and training for the new generation of AI professionals in the financial sector.
In parallel, the MAS has also worked with some AI solution providers to integrate the Veritas Toolkit with their AI solutions so that they can better serve their financial sector customers.
Singapore regulator proposes framework for digital asset networks
The MAS has published proposals for an open, interoperable network for digital assets framework. These proposals have been jointly developed with the Bank for International Settlements’ (BIS) Committee on Payments and Market Infrastructure (CPMI), with contributions from participating financial institutions. The report also considers how the CPMI-IOSCO principles for financial market infrastructures apply to evolving models of digital asset networks. The reports reference the industry pilots launched under Project Guardian, an initiative to test the feasibility of applications in asset tokenization and Decentralized Finance. MAS has announced an expansion of Project Guardian to test the potential of asset tokenization across more financial asset classes and that Japan’s FSA will become the first overseas financial regulator to join the initiative. The report is part of MAS’ effort to ensure that emerging digital asset networks are underpinned by international standards that promote safe and efficient financial market infrastructure.
US Judge issues landmark ruling on the Ripple Case
U.S. District Judge for the Southern District of New York Analisa Torres issued her decision in the SEC v. Ripple case, a decision that many have been anticipating as an inflection point for the digital asset industry. Judge Torres ruled that Ripple’s XRP token is a security when sold to institutional investors, but not when sold to the general public. Judge Torres wrote that the institutional sale of the XRP token met the test for an investment contract under federal securities laws because institutional buyers are more sophisticated and “would have understood that Ripple was pitching a speculative value proposition for XRP with potential profits.” The ruling did not apply that logic to the sale of XRP to programmatic investors, with the judge arguing that there was no evidence that programmatic investors could figure out the many statements made by Ripple about XRP to determine the risk.
Many in the crypto space have hailed this decision as a victory, while the SEC will likely appeal the decision, with Chair Gary Gensler saying he was “disappointed” by the ruling. One indication the Commission is likely to appeal is that the U.S. Second Circuit Court of Appeals is currently hearing a case centered on whether or not a leveraged loan that is sold to an investor should be considered a security and thereby subject to securities laws. The Court asked the SEC to weigh in and submit an amicus brief explaining their position on whether or not these types of loans are securities or not. After asking for an extension of time to respond, the SEC finally responded: with a one page letter which said in part “…the staff is unfortunately not in a position to file a brief on behalf of the Commission on this matter.”
South Korea passes legislation to regulate the crypto sector
The Korean National Assembly passed the Virtual Asset User Protection Bill, the country’s first standalone piece of legislation for the crypto sector. The law focuses on user protection and regulation of unfair trade practices. The legislation gives Korea’s Financial Services Commission the power to oversee crypto operators as well as asset custodians, and the Bank of Korea would also be able to probe these platforms. The new law requires insurance coverage, reserve funds and necessary record keeping.
Thai and Singapore regulators introduce consumer protection measures on crypto firms
Thailand’s Securities and Exchange Commission (SEC) has announced new guidelines that require crypto firms to disclose warnings about risks to investors. This includes a mandatory warning message about the high risks associated with trading cryptocurrencies. The new regulation also prohibits crypto firms from providing or supporting deposit-taking and lending services from August 30, 2023.
Relatedly, the MAS has announced new requirements for Digital Payment Token (DPT) service providers to hold customer assets under a statutory trust before the end of the year. This is designed to mitigate the risk of loss or misuse of customers’ assets, and facilitate the recovery of customers’ assets in the event of a DPT service provider’s insolvency. The MAS will also restrict DPT service providers from facilitating lending and staking of DPT tokens by their retail customers. Guidelines will be published in due course to support consistent implementation.
New Zealand increases monitoring but postpones regulation for crypto assets and stablecoins
The Reserve Bank of New Zealand (RBNZ) announced that it will not introduce a regulatory framework for crypto assets but will enhance its monitoring capabilities of the sector instead. While the RBNZ consider there to be both significant risks and opportunities associated with stablecoins and other private money innovations, the uncertainty about how the sector will develop has prompted the decision to ramp up monitoring. The RBNZ plans to work with other regulatory agencies to develop data and monitoring capabilities and address issues such as investor protection and barriers to entry. The RBNZ expects to reassess its regulatory response in eighteen months’ time.
New Zealand consults on operational resilience
New Zealand’s Financial Markets Authority (FMA) has published proposals to ensure that market service providers are prepared to respond to business continuity and cyber risks when they emerge. The proposed standard requires licensed firms to have and maintain a business continuity plan to ensure that critical technology systems are operationally resilient and to notify the FMA in the event of any disruptions. The proposals are open for consultation until September 1, 2023.
Australian prudential regulator finalizes standard on operational risk
The Australian Prudential Regulatory Authority (APRA) has released its final cross-industry prudential standard for operational risk management. The new standard is designed to strengthen the management of operational risk, respond to business disruptions and manage the risks from the use of service providers for all APRA-regulated entities. The new standard will commence from July 1, 2025.
SEC considers rules on public company cybersecurity disclosures and proposes rules on the use of predictive data analytics
US Securities and Exchange Commission (SEC) held an open meeting on July 26, 2023 to consider whether to: (1) adopt rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements; (2) propose new and amended rules relating to conflicts of interest associated with broker-dealers’ and investment advisers’ use of predictive data analytics in connection with certain investor interactions; and (3) propose amendments to the exemption for internet advisers from the prohibition against registration under the Investment Advisers Act of 1940.
EU publishes draft legislation to establish a digital euro
The European Commission has published a draft framework for a potential future digital euro that may be issued by the European Central Bank (ECB) as a complement to cash. In response to the growing digitization of European economies and the growing global interest in central bank digital currencies (CBDCs), the EU is exploring how to give individuals and businesses the choice to pay digitally with a widely accepted and secure form of public money in the euro area to complement the existing private solutions that exist today.
The EU intends for a digital euro to be available for both online and offline payments to ensure a high degree of privacy and data protection. Further, the proposal envisions a system whereby banks and other payment service providers distribute the digital euro and that basic digital euro services are provided free of charge to individuals. Individuals without a bank account would be able to open and hold an account with a post office or another public entity.
While the proposal once amended by the European Parliament and Council will establish the legal framework for the digital euro, it will ultimately be for the ECB to decide if and when to issue any such digital euro.
Bloomberg
Source link
