AMEIS RegFacts | February 2023

AMEIS REGFACTS

FinTech & Financial Markets Regulatory News

February 2023

WWW.AMEISCORP.COM

In This Issue:

UK Government Launches a Call for Evidence on Payments Rules

Cryptoasset AML/CTF Regime: FCA’s Tips for Proper Registration

GDPR: ICO Issues TRA Tool

ESMA Consults on Post-Trade Transparency

Industry News

Upcoming Regulatory Deadlines to Watch

TIA or TRA: Quésaco?

Payments

UK Government Launches a Call for Evidence on Payments Rules

Launched on January 13, the call for evidence seeks market participants' input on the Electronic Money Regulations 2011 and the Cross Border Payments Regulation.

CALL FOR EVIDENCE

Market participants would have to provide their feedback on the following areas:

Regulatory treatment of payment services and e-money

Information requirements for payment services

Rights and obligations in relation to the provision of payment services

Wider considerations in relation to the provision of payment services

Issuance and redeemability of electronic money

Responses are due by 7 April 2023.


Cryptoassets

Cryptoasset AML/CTF Regime: FCA’s Tips for Proper Registration

PREPARATION OF APPLICATION

Before preparing the application:

Establish if they will be carrying out in-scope cryptoasset activity

Consider seeking independent legal/compliance advice as part of preparing an application

Review the relevant information on the FCA’s webpages as well as the registration form

Appoint a Money Laundering Reporting Officer (MLRO) / Nominated Officer with relevant knowledge, experience and training as well as a level of authority, independence and sufficient access to resources and information. The FCA will assess the fitness and propriety of the MLRO/Nominated Officer.

When preparing the application:

Include all required information in the business plan. This includes but is not limited to: details of the business model, roles and responsibilities of business partners (such as service providers, brokers, introducers, sub-custodians and outsourcing partners), sources of liquidity, detailed customer journey…

Provide a comprehensive and accurate description of products and services (e.g. a cryptoasset token vetting policy, detailed description of how dependent it is on external ecosystems for liquidity, custodian services and underlying smart contracts/DeFi implementations)

Demonstrate a thorough understanding of the risks from dealing in cryptoassets and design a business wide risk assessment (BWRA) that is tailored to their business model

Implement policies, systems and controls to appropriately manage and mitigate the risks identified in the BWRA

Have in place an effective framework for transaction monitoring and blockchain analysis

Provide complete information regarding its outsourcing arrangements within and outside the group, as well as within and outside the UK

Provide evidence of staff training material tailored to its particular business model and associated AML/CTF risks along with its annual training plan

Ensure that the Suspicious Activity Reporting policy fully covers the company's cryptoasset-related activities

The Financial Conduct Authority (FCA) provided a non-exhaustive list of steps that companies should take in order to prepare their application for registration.

Data Protection

GDPR: ICO Issues TRA Tool

Released on 17 November 2022 by the Information Commissioner's Office (ICO), the updated version of the international transfers section of its Guide to GDPR includes a new Transfer Risk Assessment (TRA) Guidance and a TRA tool.

The ICO’s TRA tool is one of the transfer mechanisms that entities may use to comply with the requirements under article 46 of the UK General Data Protection Regulation (GDPR).

REQUIREMENTS

In conducting its TRA, an organization must carry out a reasonable and proportionate analysis on the following:

Risks to people’s rights arising in the destination country from third parties accessing the information, in particular government and public bodies

Risks to people’s rights arising from difficulties enforcing the Article 46 transfer mechanism

To make a restricted transfer of personal data using ICO’s approach, concerned entities shall carefully consider in what capacity they are acting.

Controllers relying on a processor to make the restricted transfer are not required to complete the TRA; only the processor is responsible for completing the TRA.

Receiving entities sending the data to third parties may be required, where applicable, to carry out a TRA.

Entities making a series of connected, repeated or similar restricted transfers shall carry out a TRA for each restricted transfer or one TRA that covers all of them.

An alternative to the ICO TRA tool is the transfer impact assessment (TIA) methodology based on the European Data Protection Board (EDPB) guidance.


Reporting and Transparency

ESMA Consults on Post-Trade Transparency

Published on January 19, the Consultation Paper - Manual Post-Trade Transparency (CP) comprises the European Securities and Markets Authority's (ESMA) additional guidance on issues related to post-trade transparency as well as on the reporting to ESMA’s Financial Instruments Reference Data System (FITRS).

This CP is of particular interest for entities subject to the post-trade transparency requirements and/or reporting such information (e.g. investment firms).

CONSULTATION

The CP includes the requirements relating to post-trade transparency applicable to equity, equity-like and non-equity instruments. More specifically, ESMA seeks feedback on the following areas:

The scope of instruments and transactions subject to post-trade transparency

The relevant entities in charge of the reporting and publication of post-trade transparency information

Publication of post-trade transparency information: real-time vs. deferred publication

Which post-trade transparency information has to be made public (i.e. reporting fields and flags)

The common aspects as well as the differences between the post-trade transparency regime and the transparency calculations in relation to the scope of instruments and transactions

Interested stakeholders are invited to provide their comments by 31 March 2023.


Industry News

IAPP Releases NIS2 Directive Chart

Last month, the International Association of Privacy Professionals (IAPP) published a useful reference sheet on the European Union’s NIS2 Directive.

This network and information systems directive provides measures to boost the overall level of cyber security, improving resilience and incident response capabilities of public and private sectors.

For the latest news on cyber security topics, go to Ameis’ Insights page.

ISDA Publishes Digital Asset Derivatives Definitions

On January 26, the International Swaps and Derivatives Association (ISDA) published standardized definitions relating to the trading of digital asset derivatives, thereby providing clarity for execution and settlement of digital asset derivatives in the ISDA Master Agreement framework.

The initial documentation covers non-deliverable forwards and options on Bitcoin and Ether.


AMF Reports on Alternative Distribution Methods

In June 2019, the Quebec Autorité des marchés financiers’ (AMF) Regulation respecting Alternative Distribution Methods (RADM) came into force. In December 2022, a Report was published regarding specific consultations on financial products and services offered via the Internet and RADM. The purpose was to gather experiences of stakeholders – consumers, intermediaries, insurers, and FinTechs – and identify issues affecting consumer protection or impacting the growth in the distribution of financial products and services via the internet.

The RADM covers the offering of insurance, financial planning, claims adjustment and mortgage brokerage products and services. It applies to firms operating digital spaces, such as websites or mobile apps, that are fully transactional on a self-directed basis.

Highlights of stakeholder comments:

1. Consumers are concerned about low levels of financial literacy. Internet-provided services need to be regulated, ensuring protection of consumers choosing this distribution method. In addition, an offered policy should be available at all times to the consumer.

2. Intermediaries expressed concerns over clients’ understanding of risk and representatives' understanding of scope of responsibility. Some expressed that a full needs analysis is sometimes necessary.

3. Insurers acknowledged greater facility to comply with the regulatory framework for simple products such as property and casualty insurance versus more complex life insurance products. However, the requirements preclude products and services from being offered on mobile apps which cannot accommodate all information requirements. Other insurers raised concerns over the prescriptive rules-based regulation, certain grey areas of interpretation and the burdensome process that impacts consumer experience and product innovation.

4. FinTechs viewed the regulation as an enabler of robust digital spaces, protecting consumers. They also favoured investments in cyber security. Comparing distribution through representatives versus digital spaces, FinTechs observed differences in sales pressure and expressed the view that needs analysis could be completed upon client request.

Following this report, the AMF will conduct further consumer focus groups and form working groups to address comments raised.


NIST Proposes Guidance on AI Risk Mitigation

On January 26, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released a new Guidance and a Companion Playbook on artificial intelligence (AI) risk management.

The Guidance further explains some foundational notions such as the risk, tolerance and prioritization of risk, which may include harm to people, organizations and the ecosystem.

It also outlines the challenges of managing these AI risks, notably:

Measuring the risks related to third-party software, hardware and data

Monitoring emergent risks

The lack of reliable metrics

Different risks according to the stage of the AI lifecycle

The opaque nature of AI

The difficulty to systematize a human baseline activity and

The difference of risks in the real-world versus test environments

The Guidance also outlines characteristics of trustworthiness in AI systems, including valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed.

To manage AI risks and responsibly develop trustworthy AI systems, the Guidance explains that organizations should rely on four functions: govern, map, measure and manage.

The Guidance may be used on a voluntary basis by organizations designing, developing, deploying or using AI systems to help manage the many risks of AI technologies.


Upcoming Regulatory Deadlines to Watch

Date: Issues to Watch

06/02/2023: End of consultation period for Quebec’s Autorité des Marchés Financiers Draft Regulation respecting complaint processing and dispute resolution in the financial sector

10/02/2023: Deadline to submit feedback to the Bank of England on its discussion paper 5/22 on Artificial Intelligence and Machine Learning

20/02/2023: Comment period closes for the European Securities and Markets Authority consultation paper on the use of ESG or sustainability-related terms in fund names


Product Corner

TIA or TRA: Quésaco?

Under the EU GDPR, personal data may be transferred to a country outside the EU/EEA by meeting the requirements set out in article 46 of the regulations.

Controllers or processors may transfer personal data to receivers outside the EU/EEA: “only if [they have] provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available” (art. 46(1)). Such safeguards are listed in article 46(2) of the regulations and include the following:

Binding corporate rules

Standard data protection clauses adopted by the Commission or a supervisory authority

An approved code of conduct

An approved certification mechanism

In June 2021, the European Data Protection Board (EDPB) published its final recommendations on the lawful transfer of personal data to third countries. EDPB’s transfer impact assessment (TIA) contains a total of 6 steps organizations must take, namely:

Know/map their transfers

Verify the transfer tools

Assess the effectiveness of the transfer tools

Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence.

Take procedural steps for the adoption of the supplementary measure identified

Re-evaluate at appropriate intervals the level of protection afforded to the personal data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it.

The UK ICO’s TRA tool is an alternative to the approach taken by EDPB.


About us

We help you understand the rules that govern your activities, services and products, enabling you to meet your ongoing regulatory obligations and navigate the ever-evolving, complex regulatory landscape.

Our team is composed of professionals with extensive experience serving the investment management, capital markets and asset servicing industries.

Complex landscape & widening gaps

Increasing regulatory requirements and the pace of change are making it harder for you to keep up with the pressures of compliance and managing cost-effective operations.

Current challenges

Investor demand for enhanced transparency and disclosure, data privacy, investor and consumer protection requirements, and AML/KYC concerns are some of the many challenges affecting the industry.

We provide practical and tailored solutions

Review and analysis of regulatory texts

Reporting

Response preparation

Compliance program development

Change management

Regulatory intelligence and training

Ongoing compliance support

Registrations

Contact us

Déborah Koualé, Founder & Director

deborah.kouale@ameiscorp.com

Ameis Regulatory Services focuses on providing regulatory and compliance support for fintech companies.