Global Regulatory Brief: Digital finance, July edition | Insights | Bloomberg Professional Services

The European Parliament has voted to push forward draft legislation to establish the first comprehensive regulatory regime for Artificial Intelligence (AI) technology, known as the AI Act. The EU is set to take a risk-based approach that categorizes AI applications depending on their risk profile: 

• Unacceptable risk: The draft proposals include bans on applications deemed to be unacceptable such as real-time and remote biometric surveillance, such as facial recognition and social scoring systems which are considered unacceptable risks. 
• High risk: High-risk applications such as education, law enforcement, and access to essential private services, will be assessed before being available on the market and throughout their lifecycle. 
• Generative AI: The European Parliament proposes that Generative AI will have to disclose that the content is AI-generated, model design needs to prevent the generation of illegal content, and summaries of copyrighted data used for training are published.    
• Limited risk: AI systems judged to be limited risk will need to comply with minimal transparency requirements that allow users to make informed decisions. 

Negotiations will now begin between the European Parliament, member states and the EU Commission with a view to reaching a final agreement by the end of the year.

UK to host first global summit on Artificial Intelligence safety 

The UK Prime Minister has announced that the UK will host the first major global summit on AI safety as the world grapples with the challenges and opportunities presented by the rapid advancement of AI. The summit, which will be hosted in the UK this autumn, will consider the risks of AI, including frontier systems, and discuss how they can be mitigated through internationally coordinated action. It will also provide a platform for countries to work together on further developing a shared approach to mitigate these risks. In July the UK Foreign Secretary James Cleverly will convene the first ever briefing of the UN Security Council on the opportunities and risks of Artificial Intelligence for international peace and security.

US SEC to propose rules for brokerages using AI

The United States Securities and Exchange Commission (SEC) has indicated that it plans to propose rules to address conflicts of interest associated with artificial intelligence (AI) used by brokerages to interact with clients. Reports indicate the proposal would also apply to predictive data analytics and machine learning. The SEC has been looking into potential conflicts of interest associated with AI/ML and predictive data analytics since its 2021 request for information which posed dozens of questions to industry and the public on the use, development and deployment of AI/ML and predictive data analytics. Further, SEC Chair Gary Gensler has been writing about AI/ML since his days as a professor at MIT. In his 2020 working paper “Deep Learning and Financial Stability”, Gensler and his co-author explored the potential benefits, and risks, of AI/ML in financial services. 

This comes as Senate Majority Leader Chuck Schumer (D-NY), called for “humility” as he signaled a push to regulate artificial intelligence. Schumer noted that it is important to encourage innovation, but to do so in a way that is safe and responsible and should ensure national security, economic security, and address copyright and misinformation concerns. The New York Democrat signaled that regulating AI will be “exceedingly difficult” but that Congress will aim to have a comprehensive framework within “months”. 

ESAs consult on critical ICT third-party service provider criteria under DORA

The European Supervisory Authorities (ESAs) are consulting on the criteria for critical ICT third-party providers (CTPPs) and the oversight fees to be levied on them under Europe’s Digital Operational Resilience Act (DORA). The discussion paper is separated into two parts:

(i) proposed criteria for assessing the critical nature of ICT third-party service providers, including a number of relevant quantitative and qualitative indicators for each of the criticality criteria; and

(ii) proposed fees to be levied on CTPPs and the manner in which they are to be paid, including the types of expenditure that shall be covered by fees as well as the appropriate determination of the applicable CTPP turnover that will form the basis of fee calculation. The ESAs are also seeking feedback on the fee calculation method and other practical considerations regarding the payment of fees.

Comments are due by June 23, 2023. The feedback collected in response to this consultation will inform the technical advice that the ESAs will deliver to the Commission by September 30, 2023. DORA is set to apply in the EU from January 17, 2025. 

Relatedly, the ESAs have also released their first batch of policy products under DORA aiming to ensure a consistent and harmonized legal framework in the areas of ICT risk management, major ICT-related incident reporting and ICT third-party risk management.The consultation runs until September 11, 2023.

US bank regulatory agencies issue final guidance on third-party risk management

The Board of Governors of the Federal Reserve System, Federal Deposit Insurance, and the Office of the Comptroller of the Currency issued final joint guidance designed to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies. The final guidance describes principles and considerations for banking organizations’ risk management of third-party relationships. The final guidance covers risk management practices for the stages in the life cycle of third-party relationships: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.

Malaysia incorporates cloud-specific risks into its regulatory framework 

BNM (Bank Negara Malaysia) has updated its policy document on risk management in information technology (RMiT) to provide additional guidance on strengthening firms’ cloud risk management capabilities. Specifically, the document sets out new requirements for financial institutions to consider common key risks and control measures when hosting critical systems on public cloud infrastructure. Financial institutions are required to implement robust risk management controls and robust cyber fortification to preserve public confidence in the financial system. The policy document is effective from June 1, 2023 for all licensed digital banks, including Islamic digital banks. For other types of financial institutions, the new requirements around cloud adoption will come into effect on June 1, 2024. Any modifications to existing contracts with cloud service providers must be made by this date.

IOSCO consults on crypto-asset regulation

The International Organization of Securities Commissions (IOSCO) – the global standard setter for securities markets – has issued for consultation detailed recommendations on the regulation of crypto-asset to jurisdictions across the globe. The proposals are aimed at the various activities performed by crypto-asset service providers (CASPs) such as offering, admission to trading, ongoing trading, settlement, market surveillance and custody. Designed to improve global regulatory standards for crypto-assets and end the regulatory uncertainty that characterizes the crypto-asset space, IOSCO has set out recommendations covering six areas: 

1. Conflicts of interest arising from vertical integration of activities and functions; 
2. Market manipulation, insider trading and fraud; 
3. Cross-border risks and regulatory cooperation; 
4. Custody and client asset protection; 
5. Operational and technological risk; and 
6. Retail access, suitability, and distribution.

Following feedback to the consultation, IOSCO plans to finalize its recommendations in early Q4 this year. A key goal of IOSCO is to promote greater consistency with respect to how IOSCO members approach the regulation and oversight of crypto-asset activities given the cross-border nature of these markets. The consultation period is open until July 31, 2023. 

EU publishes final rules on crypto regulation  

Landmark European rules to establish a regulatory regime for crypto-assets – the markets in crypto assets (MiCA) – has been published in the Official Journal of the EU and will introduce a harmonized regulatory framework in the EU to replace the current patchwork of national legislation across different member states. MiCA aims to increase transparency by introducing new rules for utility token issuers, asset referenced tokens, so-called stablecoins. It also covers service providers such as trading venues and the wallets where crypto-assets are held. Provisions on asset referenced tokens and e-money tokens will be phased in from June 30, 2024, with a majority of provisions kicking in six months after on December 30, 2024. Europe’s security market regulator ESMA is preparing to consult on three packages of technical rules to implement MiCA:

1. Consultation package 1 (July 2023): This will include rules on authorization application, complaint handling and conflicts of interest.
2. Consultation package 2 (October 2023): Specific mandates are still to be determined but will likely cover all those remaining mandates with a 12-month deadline such as investor disclosure, CASP governance, sustainability indicators, and trade transparency.
3. Consultation package 3 (Q1 2024): Specific mandates are still to be determined but will likely include investor protection and market abuse. 

MiCA has been published alongside the accompanying rules on transfers of funds in crypto assets.

SEC sues Coinbase and Binance 

The SEC has filed litigation against both Coinbase and Binance, the largest crypto exchange in the US, and globally, respectively. The Commission contends that Coinbase skirted regulations by allowing users to trade tokens that were actually unregistered securities. In particular, the Commission took aim at Coinbase’s staking-as-a-service program which allows users to earn a profit through proof of stake mechanisms. The complaint argues that this arrangement, in which customers earn a profit based on the efforts of Coinbase, violates securities laws. In a separate action, the SEC sued Binance and its US based affiliate BAM Trading Services, along with Changpeng Zhao (CZ) alleging multiple violations of securities laws. In particular, the Commission contends that CZ and Binance subverted their own internal controls to allow “high-value U.S. customers” to continue trading on Binance.com, despite publicly claiming that U.S. customers were prohibited from doing so. Additionally, the complaint alleges the Biniance and CZ allowed for the commingling of customer assets and diverted customer funds at will. One particularly troublesome piece of the complaint for Binance is the alleged admission by Binance’s COO in December 2018 that Binance operated as an unlicensed securities exchange.

On June 13, the SEC sent a letter in response to a June 6th order from the US Court of Appeals for the Third Circuit. The order directed the Commission to address whether the SEC has made a decision on Coinbase’s petition for rulemaking, which was originally filed in 2022, and if not, how much additional time the Commission needs. The Commission responded stating that staff expect to be able to make a recommendation within the next 120 days. 

New licensing regime for virtual asset trading platforms in Hong Kong takes effect

The Hong Kong Securities and Futures Commission (SFC) has published the regulatory requirements and transitional arrangements to implement the new licensing regime for virtual asset trading platforms (VATPs) under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO). Under the new regime, all VATPs continuing to operate a virtual asset exchange in Hong Kong or actively marketing their services to Hong Kong investors will need to be licensed by the SFC. The new licensing regime came into effect on June 1, 2023. 

Regarding the transitional arrangements of the new licensing regime, VATPs which are providing services with “meaningful and substantial presence” in Hong Kong before June 1, 2023 may continue to provide the service for 12 months until May 31, 2024, without being in breach of the new licensing requirements. The determination of a “meaningful and substantial presence” will involve consideration of physical office, key personnel and Hong Kong specific trading volumes. VATPs which were not operating in Hong Kong before 1 June 2023 are not eligible for the transitional arrangements, and thus may not commence any VATP business activities in the city or actively market to Hong Kong investors until they are licensed by the SFC  

Ahead of the licensing regime go-live of June 1, 2023 the SFC published its conclusions in response to the consultation feedback received from a wide variety of stakeholders. The SFC said that respondents generally welcomed the proposed requirements, while a number of them sought clarifications. The final requirements have been modified or clarified to reflect this. 

Crypto providers in South Africa now in-scope of the licensing net

Crypto companies looking to operate in South Africa will need to apply for a license from the country’s Financial Sector Conduct Authority (FSCA) as of June 1, 2023. The FSCA remains of the view that crypto asset related activities pose significant risks to financial customers and that recent developments highlight the need to urgently regulate crypto asset activities. As a result of this new licensing regime, those that provide financial services in relation to crypto assets without a license could be fined up to R10 million or face imprisonment, unless exempted. Companies have until November 30, 2023 to make this application. 

US CFTC issues staff advisory on the risks associated with expansion of Derivatives Clearing Organization clearing of digital assets

US Commodities Futures Trading Commission’s (CFTC) Division of Clearing and Risk (DCR) issued a staff advisory on the risks with expansion of Derivatives Clearing Organizations (DCO) clearing of digital assets. DCR noted it has observed increased interest in the last few years by DCO and DCO applicants in expanding the types of products cleared and business lines, clearing models, and services DCOs offer, including related to digital assets. The advisory issued “reminds registrants and applicants that when expanding lines of business, changing business models, or offering new and novel products, DCR will remain focused on the potentially heightened risks that may be associated with certain of those clearing activities, DCR expects DCOs and applicants to actively identify new, evolving, or unique risks and implement risk mitigation measures tailored to the risks that these products or clearing-structure changes may present.”

Hong Kong and Japan explore central bank digital currencies

Chief Executive of the Hong Kong Monetary Authority (HKMA) Eddie Yue has announced the start of the retail central bank digital currency (CBDC) Pilot Programme in Hong Kong, i.e. the e-HKD. Following positive feedback to two rounds of consultation, particularly in light of the potential greater efficiency in payments, Hong Kong has launched the e-HKD Pilot Programme to consider different use cases and design choices, and co-create new payment functionalities and infrastructures. Given the already vibrant retail payment landscape in Hong Kong, any decision to implement e-HKD would very much depend on whether it can make payment more efficient and convenient than the existing payment methods, and whether it can unlock new business opportunities. As such, the lessons from the Pilot Programme will be crucial in informing any final policy decision and these lessons are expected to be shared at the Hong Kong FinTech week in November this year.

Meanwhile, the Bank of Japan (BOJ) has issued a new report detailing findings from the second phase of its CBDC study, a project which ran from April 2022 to March 2023. The second phase of the project evaluated additional functions that built upon the basic CBDC ledger functions explored in the first phase. The decision whether to issue a CBDC will be decided by discussions among the Japanese public and the BOJ will continue to make preparations accordingly.